Cyber liability exposures and regulations impacting CPA firms have evolved significantly in recent years. While CPA firms have always had the challenge of protecting the confidentiality of client information in accordance with the AICPA Code of Professional Conduct and Sec. 7216, changes have occurred in both the regulatory and legal landscape, as well as to the scope of cyber liability exposures CPA firms face. CPAs need to be familiar with both their professional obligations and the risk management activities necessary to mitigate the risk of a breach of confidential firm and client information, as well as fraud, theft, and other criminal acts of third parties.
REGULATORY AND LEGAL LANDSCAPE
At present, federal regulations on cybersecurity primarily impact the health care and financial services industries. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), P.L. 104-191, and the Gramm-Leach-Bliley Act (GLB), P.L. 106-102, resulted in the issuance of federal regulations increasing the responsibilities of health care providers and financial institutions to protect confidential information and disclose cybersecurity breaches.
The HIPAA Omnibus Rule, 78 Fed. Reg. 5566 (Jan. 25, 2013), amended prior versions of the HIPAA privacy and security rules. Significantly, it expanded the application of many of the privacy and security obligations applicable to health care providers to their "business associates." The U.S. Department of Health & Human Services Office for Civil Rights (OCR) defines a business associate under HIPAA as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." CPA firms that have access to patient billing records in rendering services to health care providers qualify as business associates. Penalties of up to $1.5 million can be imposed by the OCR for each violation of this rule.
The Federal Trade Commission Safeguards Rule, 16 C.F.R. Part 314, requires "financial institutions" to ensure the security and confidentiality of consumer personal information. It imposes specific requirements, including the development and implementation of a written information security plan. CPA firms that prepare tax returns qualify as financial institutions under the definition contained in this rule (16 C.F.R. §313.1(b)). In the past year, enforcement actions by the SEC and the FTC...