Accounting Firm Data and Security Breaches
Virtually every business collects and stores personal information on both employees and clients. But accountants may have more sensitive data in their computers and file cabinets than just about any other service provider, making the protection of that data critical to the survival of their business.
A loss or compromise of client data may expose a CPA to:
- Claims for damages. A client or a third party can bring direct claims to cover costs associated with any damage caused by the breach, and cross-claims in the form of individual or class action lawsuits for indemnification against the firm for damages as a result of the data exposure.
- Compliance costs. According to Ponemon’s 2017 Cost of Data Breach study, the average cost of a compromised record is $141. Some of this is to comply with state notification laws (all states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted security breach notification laws), along with forensic investigation, and credit monitoring services.
- Reputation damage. Accountants depend on absolute trust from their clients. A perception of unprofessionalism can result in clients heading for the exit and an immediate loss of revenue. It can take years to restore client confidence and rebuild a reputation.
- Follow best practices for creating strong passwords for all electronic files. Consider using a password management program to generate and store passwords. The use of stolen login credentials was the top method used in data breaches in 2017, according to Verizon’s 2018 Data Breach Investigative Report. Nearly one-quarter of data breaches in 2017 were due to stolen credentials, the report states.
- Encrypting client data not only makes it harder for others to get their hands on the information, it can put your clients’ minds at ease and increase trust. This is especially important for data stored on mobile devices, which are more prone to theft.
- Install antivirus programs on all computers, including laptops, and keep the software up-to-date. Train employees on how to avoid becoming a victim of malware and phishing scams, and how to protect laptops from theft.
- Back-up with the 3-2-1 rule. Maintain three copies (original and two backups) of all important data and documents. Use at least two different types of storage media (hard drives, thumb drives, cloud servers, paper). Keep one backup offsite, preferably in a cloud-based remote data center.
- Paper records should always be under lock and key. Restrict access to an as-needed basis.
- Get insurance. At a minimum, it is prudent for any small business to have a Business Owner’s Policy. However, because there are unique risks that come with collecting and storing sensitive data, accountants would be wise to consider additional coverages, such as insurance solutions for data breach and data loss protection.