Recent highly publicized incidents of "hacking" of sensitive customer information should cause accountants and other financial professionals to re-evaluate the risks to their own electronically stored client information. That confidential client information includes not only personal identifiers (social security numbers, address, birth date, mobile phone numbers) and other personal information (marital status, names, birthdates and social security numbers of spouse and children, and employment information), but personal financial information (salary and benefits data, bank and brokerage accounts and account numbers, PINs, and mortgage loan indebtedness). Today much of this information is in electronic form and much of it is now stored outside of the control of the accounting firm or financial provider itself but, instead, in multiple remote servers (in "the cloud"). Compounding the risks, a number of professionals and support staff at your firm will typically have rights to access this confidential data, and their access, increasingly, may be through remote computers or mobile devices.
While all of this increases the risks of unauthorized access by sophisticated "hackers," the more likely cause of loss of confidential data will be your own employees or inadequate security procedures. According to the 2013 Verizon Data Breach Investigations Report (DBIR), 76 percent of network intrusions involved access through weak or stolen credentials. Many of these intrusions occur through relatively simple methods: loss or theft of a device, failure to use passwords or secure passwords to protect information on the device or computer, failure to logout at the end of a work-day, or inadvertent disclosure of confidential information through social media sites. Where firm "insiders" were responsible for the data breach, half of those incidents involved former employees taking advantage of old accounts or backdoor access routes that had not been disabled. Thus, one of the easiest ways to reduce the risks to your confidential client data may be to tighten up and enforce the use of security controls (for example, requiring strong password protections and encrypting personal data, periodic changes to passwords, and disabling access to data networks once an employee is terminated). So, even if a laptop or mobile phone is lost, stolen or misplaced, the data on it will not be easily available to an unauthorized person. While these suggestions may seem obvious, a recent study found that 87 percent of small and medium-sized businesses do not have a formal Internet security policy for employees.
A data breach may occur but go undiscovered for significant periods of time. The 2013 Verizon DBIR reports that 66 percent of the breaches took months or even years to discover and 69 percent of data breaches were discovered by external parties, including (embarrassingly enough) the firm’s clients or customers. Regular monitoring of the firm’s network and usage, either by in-house IT personnel or an outside IT security vendor, will reduce the time between a breach and discovery. Once a professional firm becomes aware that a data breach has occurred, it is important to establish how it happened, when it happened, and what information may have been compromised. Generally, this requires a costly and resource intensive effort that may disrupt or even interrupt altogether a firm’s normal business operations. According to insurance industry studies, in 2013 half of all data breaches involved the loss of 1,000 records or less but the average cost of even small breaches approached $250,000.
A significant cost item will involve notification of the clients affected by a data breach. Forty-seven states now have statutes requiring a business to disclose a data breach to its customers in that state and promptly report it to regulators. For example, the New Jersey Identity Theft Prevention Act, N.J.S.A. 56:8-163 requires disclosure to customers and a prompt report to the Attorney General and the State Police of any breach of security of computerized records if "personal information was, or is reasonably believed to have been, accessed by an unauthorized person." A "breach of security" is defined as the "unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information" when access to the information has not been secured by encryption or other methods that render the information unusable or unreadable. N.J.S.A. 56:8-161. New York and Pennsylvania likewise require any business that deals with computerized data that includes private information to disclose to customers in that state any breach of security upon discovery of the breach. Other states, like Arizona, require disclosure only if there is both unauthorized access and misuse of the information.
But the law may not mandate notification in all cases. New Jersey law does not require disclosure to a customer "if the business or public entity establishes that misuse of the information is not reasonably possible. N.J.S.A. 56:8-163(a). Thus, to the extent the unauthorized access is to encrypted data, customer notification may not be required, and even where the data is not encrypted, customer notification may not be required if the firm or business can say misuse of that data is "not reasonably possible." That could well be the case when a stolen laptop computer or smart phone is encrypted, requires a log in code or unique password to access the server or firm database, or when the firm has the ability to remotely disable or "wipe" the data from the stolen device. Best practice would require the Chief Information Officer or an outside IT professional to document the conclusion that misuse is "not reasonably possible," and the New Jersey statute requires that documentation to be retained for five years. The firm should also implement and document appropriate remedial measures designed to prevent a recurrence of the incident. The New Jersey Division of Consumer Affairs has adopted regulations implementing the statutory reporting and recordkeeping provisions. See N.J.A.C. 13:45F.
Even if notification is not required by law, there may be sound business reasons to alert clients and customers in an industry where reputation is critically important. A professional firm will face the threat of major reputational damage from the negative publicity surrounding a significant data breach, and direct client notification will allow the firm to control the communication of such incidents. Apart from damaging publicity, other potential adverse consequences are just as real, including the potential of claims and lawsuits from its clients for the breach, which would only be compounded by a failure to provide notification. The firm should also consider how to address other less direct or immediate consequences, including the potential that the firm would have to disclose the breach in responding to requests for proposals or when competing for engagements; the firm could even be suspended or disqualified from future public sector or government work; that the firm could have difficulty obtaining liability insurance to cover future breaches without high premiums; and that it could face "whistleblower" lawsuits from employees with knowledge of lax or inadequate data security practices or breaches in data security.
Given this parade of horribles, even small professional firms have strong incentives to implement sound risk management practices to control against potential data breaches. Firms should also review their insurance policies carefully to ensure that insurance coverage is available and, if not, consider purchasing "cyber breach" coverage to protect against liabilities in the event of a data breach.