...a CPA's random thoughts...

The AICPA’s Code of Professional Conduct explicitly addresses the requirement to maintain confidentiality of client information in the absence of the client's specific consent to disclose it. Ask any CPA, and they will freely admit that they are required to keep client information confidential. Some go so far as to not even give the names of clients, for fear that simply revealing a client's name, which in itself is NOT confidential, could let someone connect the dots with other bits of revealed information. State regulatory bodies impose similar requirements. My question is not really whether you should be concerned that your CPA is knowingly revealing confidential client information. Instead, I pose the following question:

What is your CPA and CPA firm doing to ensure your confidential information remains as secure as possible, and is protected against being unknowingly released?

Let’s keep in mind that the average CPA is in possession of all the information necessary for identity theft. It is the very reason CPAs are so highly targeted by hackers. And it is the very reason you need to be concerned about what security measures your CPA and CPA firm have in place to help protect your data.

A few bullet points will help get your mind rolling in the direction I want you to be thinking:

  • Does your CPA maintain paper files? If so, what access restrictions are in place?
  • At this point in time, surely your CPA maintains electronic files. Electronic files are prone to theft not only by hackers but also by those with legitimate access to the records.
    • What access controls are in place? It needs to start with a robust firewall. For a physical office, access obviously needs to be restricted not only to the office as a whole, but to individual offices and file rooms.
    • What encryption, if any, is used for your data?
    • Are laptops, tablets, computers, and smart phones encrypted?
    • Does the firm have and manage remote wipe capabilities for its electronic assets in the event of one being lost or stolen?
    • Does the firm have user access controls, such as not allowing shared user names and passwords, etc.? Unique user accounts need to exist.
    • For user access controls, do they only exist at the PC level, or also for each software application that contains confidential and sensitive information?
    • How complicated are the passwords that are being used? Is two-factor authentication used anywhere?
    • Many user accounts and passwords exist for carrying out services. This results in needing to maintain a record of those user credentials. How are these credentials stored? Are they in an encrypted credential management system, or in a simple Excel or Word file? Or worse, on sticky notes?
    • Backups are likely to exist, locally and in the cloud. Are those backups, which contain your data, encrypted? If so, what form of encryption? How often are the backups expunged, and how?
    • Do your CPA and CPA firm freely e-mail confidential information using simple password-protected files? Or do they use an encrypted e-mail system?
    • Do your CPA and CPA firm use an online file exchange? If so, what form of encryption is used, and what requirements are in place for passwords and data retention?
    • Given we live in a litigious society, litigation holds are often in place. This means e-mails and other data files, though possibly deleted in one place, most likely still reside in the litigation hold. Who has access to the litigation hold? Is it encrypted? Is it on-site or off-site?
    • Sensitive information, such as tax returns or work papers, is often printed in the process of rendering services. What happens to these printed documents? Are they just thrown in the trash, or are they cross-cut shredded? If shredded, how frequently? I know of firms that shred files once a year. Others shred as soon as the paper files are deemed no longer needed.

Now, keep in mind, I certainly do not expect a CPA firm to reveal all of the details of its security policies and practices–that would simply be stupid. They should, however, be able to provide a high level of assurance that your data is secure, and not stumble in answering any questions you have concerning their security protocols, internal controls, etc. I am certainly not going to reveal all the measures I utilize, but I am certainly able to tell you the general measures I take. If you ask your CPA about security policies and technology in general, and they stumble in providing answers, or they have sensitive paperwork scattered throughout their office, do not walk away–RUN–because it is most probable that they are not making sufficient effort to protect your information.