This blog was provided by Gallagher Affinity, a premier sponsor of the PICPA.
By James Vinocur, JD
While roughly half of all states require businesses to develop and implement written information security programs (as more fully discussed in a previous post on WISPs), all financial institutions, regardless of where they are based, are required by federal law to institute similar procedures to safeguard their customers’ personal information. The Gramm Leach Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions to develop and implement steps to keep their customers’ personal information private and secure.
It’s important to note, the GLBA does apply to CPA firms.
The GLBA applies to all financial institutions that are “significantly engaged” in providing financial services or products. The GLBA, therefore, applies to CPA firms, regardless of their size or number of clients.
The GLBA has two main directives: the Safeguards Rule and the Financial Privacy Rule. Both rules apply to any “nonpublic personal information” (NPI) that a firm collects and stores. NPI is defined as any “personally identifiable financial information,” unless it’s otherwise publicly available. For CPAs, NPI will typically consist of a client’s name, address, Social Security number, account information, income, account balances, and similar data, as well as any other information provided by the client to obtain a financial service or product.
The GLBA Safeguards Rule requires financial institutions to establish measures to keep their customers’ NPI secure. The law, therefore, mandates that firms develop and implement a written information security plan (much like state-mandated WISPs) tailored both to the firm’s size and to the complexity and scope of its services. (Privacy attorneys can assist in drafting such plans to ensure compliance, and simplified template plans can also be found online.) Among other requirements, these plans must include the following:
The GLBA Financial Privacy Rule requires financial institutions to, among other obligations, provide initial and annual privacy notices that describe the firm’s NPI collection practice, and whether the firm shares that information with third parties. This rule also requires financial institutions to provide customers with an “opt-out” choice to not share their NPI if the firm engages in such practices.
There are several exceptions to the Privacy Rule for CPAs. Most pertinent is that CPAs are exempt from the notice requirement under the Financial Services Regulatory Relief Act of 2006. Just as important, the opt-out requirement is inapplicable when the firm discloses NPI that a client has authorized as part of the firm “servicing or processing a financial product or service,” or otherwise “with the consent or at the direction” of its client (e.g., to file a tax return under state and federal law). Finally, an accounting firm that does not share NPI with nonaffiliated third parties is exempt from the opt-out notification requirement.
Nevertheless, the AICPA recommends that CPAs maintain such a notice. The Federal Trade Commission (FTC) has made a model privacy form available to help small to midsize firms comply with the GLBA’s privacy notice requirement. This form, which is available for download, also provides a presumptive safe harbor against civil penalties for those entities that use it, as long as it is posted clearly, conspicuously, and intact (including on the firm’s website).
In case following the law wasn’t enough of an incentive, GLBA violations can potentially lead to civil and criminal liability. The GLBA contemplates civil penalties that include fines of up to $100,000 per violation, while a company’s directors and officers can be personally liable for up to $10,000 per violation. In addition, criminal charges can be brought under Title 18 of the U.S. Code, with a maximum prison term of five years. Note that in 2019 the Government Accountability Office reported that the FTC – which is empowered to enforce the GLBA – did not have the authority to issue civil fines based on harm sustained as a result of privacy and safeguards violations, since those harms “can be difficult to measure and can occur years in the future.” To date, the majority of actions taken by the FTC to address violations have resulted in consent agreements or settlements that require the offending entity to develop and implement rigorous privacy and security procedures. In other words, ensuring that your business complies with the GLBA is prudent, good business, and legally required.
James Vinocur, JD, is a partner at Goldberg Segalla in New York City, where he specializes in data privacy and cybersecurity issues. Prior to joining Goldberg Segalla, he served as deputy chief of the cybercrimes bureau of the Manhattan District Attorney’s Office. He can be reached at email@example.com.