This blog was provided by Gallagher Affinity, a premier sponsor of the PICPA.
By James Vinocur, JD
The National Cybersecurity Alliance has indicated that 60% of small businesses go out of business within six months of a cyberattack. For CPA firms, a data breach is especially pernicious because firms will not only have to deal with the direct costs resulting from a breach (e.g., remediation, forensic examination, etc.), but also the indirect costs, including regulatory compliance and, perhaps most importantly, unquantifiable reputational damage. Given that accounting firms are frequently the target of such attacks because of the underlying personal and financial data they store, it is crucial that all firms understand what their obligations are in the immediate aftermath of such a breach. In fact, data breach laws require companies to notify affected customers of such incidents within specified time periods.
It is important to note what qualifies as a data breach under most applicable regulations. Broadly speaking, a breach is the unauthorized access of a computer system storing someone’s unencrypted personal information. More specifically, personal information generally refers to information beyond a person’s mere name and address. Most data breach statutes (and more on why there are many, and not just one, later in this post) consider personal information to be a person’s name and an official identifying number of some kind, such as Social Security number or driver’s license number. It also encompasses a person’s financial account number and the information needed to access such an account, such as the online username and password combination. (This is the case in Pennsylvania.) Furthermore, statutory breach requirements are only triggered when an unauthorized person accesses this information in unencrypted form, which seems to be as good an impetus as any to encrypt all this data. (This is not as hard as it seems: there are many free tools available online). In addition, there isn’t a requirement that the information be stolen; most data breach statutes apply even to the reasonable belief that the data was merely accessed. Finally, in the event that such a breach does occur at your firm, there are statutory obligations that require a firm to notify affected customers as soon as possible after its discovery.
As alluded to above, there is no federal data breach law. The void has been left to the individual states to fill, leading to 50 different data breach laws. Most have similar wording or requirements, but there are important state-specific differences to be aware of in the event of a breach. This can be tricky, however, because the victim of a qualifying data breach will need to notify every affected client based on the rules applicable within the state they reside. In other words, a Pennsylvania CPA firm hit by a breach may have to notify clients who reside in 14 different states, in addition to Pennsylvania, according to the requirements of each of those states (even if they only have one or two clients in each state). Some of the more notable reporting differences between the states include the timeframes in which such notification must be made (as short as 30 days after discovery to the more vague “as soon as practicable”), the entities that must be notified (some states only require that affected clients be notified while others require notification to be made to governmental entities), and the offering of free credit monitoring to affected clients. Pennsylvania’s data breach law, for example, requires notification to be in writing, “without unreasonable delay.” (Notification can also be done by phone or email if there is a prior business relationship, but written notification by mail is the industry standard). If more than 1,000 Pennsylvania residents are affected, the firm must also notify nationwide consumer reporting agencies as well.
In addition to state data breach laws, there are also a few industry-specific federal data breach laws. For instance, the Health Information Technology for Economic and Clinical Health Act (HITCH), which is a part of the Health Insurance Portability and Accountability Act, requires those entities that store protected health information to notify those patients whose data is accessed without authorization. The same is true of the financial services sector, as detailed in the Gramm-Leach-Bliley Act (see my previous post on this act). In the event that federal law applies to a data breach you have sustained, that law usually supersedes the applicable state provision.
Failure to abide by data breach regulations can result in civil penalties and potential civil litigation. State attorneys general have proven to be proactive in recent years, imposing five-to-six figure fines on companies that fail to notify customers either entirely or within the prescribed period. In Pennsylvania, the state attorney general can impose up to $3,000 per violation (each client could be one violation). Affected companies should also prepare themselves for the possibility of a client instituting civil ligation because of such a breach. Typically, these tort suits are predicated upon the company’s failure to have instituted reasonable technical safeguards to safeguard the personal information. The breadth of these laws is another great reason to ensure that your cyberhygiene is up to date.
James Vinocur, JD, is a partner at Goldberg Segalla in New York City, where he specializes in data privacy and cybersecurity issues. Prior to joining Goldberg Segalla, he served as deputy chief of the cybercrimes bureau of the Manhattan District Attorney’s Office. He can be reached at firstname.lastname@example.org.
Get more information on cyber insurance plans offered by PICPA premier sponsor Gallagher Affinity.
Sign up for weekly professional and technical updates from PICPA's blogs, podcasts, and discussion board topics by completing this form.