PROFESSIONAL LIABILITY SPOTLIGHT

How the FTC Safeguards Rule may affect your CPA firm

By Karen Nakamura, CPA

[Sidebar: Data breach costs continue to rise. $4.24 million: the average per-incident cost of a data breach — the highest in IBM Cost of a Data Breach research history. Source: IBM Security Cost of a Data Breach Report 2021.]

Tax preparers are likely already familiar with IRS Publication 4557, Safeguarding Taxpayer Data, and its application to professionals who practice before the IRS or hold a preparer tax identification number. However, there is another rule that tax preparers might not think applies to them — the Federal Trade Commission’s (FTC’s) Standards for Safeguarding Customer Information (the Safeguards Rule). While the Safeguards Rule has been around for decades, CPA firms may not have given it more than a passing thought. However, the latest amendments to the Safeguards Rule may require firms to think differently.

BACKGROUND

Originally promulgated in 2002 pursuant to the Gramm-Leach-Bliley Act, P.L. 106-102, the Safeguards Rule obligates covered financial institutions to “develop, implement, and maintain” an information security program (ISP) that includes specific “administrative, technical, and physical safeguards” designed to protect customer information. The ISP must be in writing and “appropriate to the size and complexity of the [covered] financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.”

In December 2021, the FTC amended the Safeguards Rule to expand its definition of a financial institution and to provide more concrete guidance regarding specific safeguards that covered financial institutions should have in place to help protect the security of customer information.

ARE CPA FIRMS REALLY FINANCIAL INSTITUTIONS?

The definition of “financial institution” is broader than one may think. Per the Safeguards Rule, “an entity is a ‘financial institution’ if its business is engaging in an activity that is financial in nature or incidental to such financial activities.” Per federal regulations referenced in the Safeguards Rule, this includes any number of financial and investment advisory activities, including providing tax planning and preparation services to any person for personal, family, or household purposes.

WHAT DOES THE FTC SAFEGUARDS RULE REQUIRE?

The Safeguards Rule specifies certain elements that should be included in a covered financial institution’s ISP. Required ISP elements are as follows:

■ Designate a qualified individual to implement and supervise the ISP. This person must have the requisite skill and experience to fulfill the role and may be a partner or employee of the firm or an outside service provider. If a service provider is used, the firm remains responsible and must identify a senior-level person to supervise the provider.

■ Conduct a risk assessment to identify and inventory customer information, where it is stored, and foreseeable risks and threats to the “security, confidentiality, and integrity of [such] information.” The assessment must be in writing and updated periodically as operations change and as new threats to data security emerge.

■ Design and implement the following specific safeguards to help control risks related to the security, confidentiality, and integrity of customer information:

  • Implement access controls to determine and regularly reevaluate whether individuals’ access reflects legitimate business needs.

  • Conduct a data inventory to identify all systems, devices, platforms, and personnel that access customer information and understand how information is collected, stored, and transmitted.

  • Encrypt customer information in transit and when stored on your system.

  • Assess internally developed and third-party applications used to store, access, or transmit customer information.

  • Implement multifactor authentication to require at least two authentication factors for anyone accessing customer information.

  • Securely dispose of customer information when it is no longer necessary for a legitimate business need or legal requirement.

  • Build change management protocols into the ISP to anticipate and respond to changes

         4    |   Journal of Accountancy                                                          February 2023