Trusted Professional

Guest Blog: Are You a Tax Pro Without a Security Plan in Place? You May Be Breaking the Law


"When Identity Thieves Hack Your Accountant" is the headline of noted cybersecurity blogger Brian Krebs' new blog post.
Once an issue reaches Krebs' blog, it usually affects a broad group; in this case, a growing number of hacked CPA firms and the client identity theft that follows. The issue has received IRS attention in communications to tax pros, but little attention elsewhere. Because Krebs' posts often lead to wider publicity, this could change.
The Krebs post specifically covers a new criminal gang targeting CPA firms, some of the techniques used to hack firms, and many details of the hack of an unnamed New Jersey CPA, apparently a sole practitioner, whose stolen client identities were used to file fraudulent tax returns.
What Krebs and the 62 comments on his post leave out is the requirement, under the federal Gramm-Leach-Bliley (GLB) law, for all CPA firms with tax practices, including sole practitioners, to create, execute and periodically update a comprehensive, written, firm-size-appropriate information security plan: a plan that covers technology, staff education, third-party vendor selection and other information security-control elements. From my anecdotal experience, many CPA firms remain unaware of this now long-standing law, plus regulations under Federal Trade Commission (FTC) jurisdiction, discussed here. In addition, once breached, firms are required by the laws of New York, New Jersey, Connecticut and other states to notify affected clients, law enforcement agencies and sometimes other parties about the breach. There may be other requirements, including paying for expensive client credit monitoring, which can be covered by cyber-insurance.
Without the GLB-required information security plan in place, clients may have an open-and-shut case in malpractice suits. I was informed of one CPA firm breach that caused a small firm to fail when a large number of affected clients went to other firms.
Unlike the legal profession, where statistics about law firm breaches are available, there are no comparable statistics for the CPA profession. Also, while the AICPA has issued detailed professional standards for CPA firms performing complex client cybersecurity attest engagements, it has not yet mirrored the American Bar Association's ethics rule holding that reasonable cybersecurity and other technology expertise is part of every practitioner's basic professional competence. Regardless, the need for all CPAs to understand appropriate cybersecurity principles, and for those in tax practice to create and implement the GLB-required information security plan, is clear. A good place to start is IRS Pub. 4557, whose checklists and other information largely track the GLB law and related FTC regulations.
 
Walter Primoff provides cybersecurity and compliance advice to CPA and other firms and serves as a trust and estate fiduciary. He is a past deputy executive director of the NYSSCPA and a former contributing editor of .