Privacy and electronic communications.

Author: McFadden, John

CPAs have long recognized a responsibility not to disclose confidential information received during a professional service engagement without a client's specific consent. This responsibility is embodied in the AICPA's Code of Professional Conduct. State accountancy laws and rules (including the Uniform Accountancy Act), federal and state tax laws, and other regulatory guidelines also impose confidentiality requirements. More recently, at the federal level, the Gramm-Leach-Bliley Act and amendments to the Health Insurance Portability and Accountability Act have addressed the issue of privacy and have imposed, directly or indirectly, additional requirements on the practicing CPA.

Spurred on by a growing e-commerce marketplace, the use of cyberspace as a medium for the transmission and storage of personal and business information, and acts of identity and credit theft, privacy concerns and privacy initiatives continue to be hot topics.

The AICPA has responded to e-commerce businesses seeking to provide assurance to their customers about online practices and controls with the development and introduction of WebTrust services. More recently, the AICPA has formed an Enterprise-Wide Privacy Task Force to develop comprehensive privacy best practices to help CPAs advise clients on privacy issues, risks and risk management practices. CPAs should follow the deliberations of the Privacy Task Force and watch for its conclusions and recommendations.

CPA Firm Strategies

But what should CPAs be doing in their own firms to protect the privacy of client and firm information? For starters, consider the following:

* Review relevant laws, regulations and professional standards concerning privacy. As referenced above, new laws are being drafted and implemented in many jurisdictions that impose specific responsibilities on businesses to protect the privacy of confidential client information. In some cases professionals may be required to initiate, or refrain from, a specific action to comply with the law. This must be carefully considered before deciding how to proceed in protecting client privacy.

* Develop and implement a written privacy policy for the firm. The policy should define the types of information the firm collects and the security measures it employs to ensure the information is used and retained only as intended by the client, employee, etc. In addition, the policy should specifically describe the firm's policies and practices relating to the use of...
