The ability of any organization to collect personal and sensitive information (data) has grown exponentially over the past few years, and the complexity and risks of managing that data have grown at an even greater pace.
A 2007 study by a University of Washington researcher indicated that more incidents of compromised data were reported in 2005 and 2006 than in the previous 25 years combined. The study also indicated that about one-third of incidents were attributable to malicious hacks, whereas more than 60% involved combinations of mismanagement, criminal intent and, occasionally, bad luck. (1)
More recently, one of the top consumer advocacy groups, the Identity Theft Resource Center, reported that data breach incidents increased by 47% from 2007 to 2008.
CPA firms and their clients that collect, manage, and store information face the risk that their data may be lost, misused, or accessed by or disclosed to unauthorized individuals. According to the AICPA, individuals expect their privacy to be respected and their personal information to be protected. With identity theft being reported almost daily, they are no longer willing to overlook a company's failure to protect their privacy. (2)
Businesses should understand and effectively address privacy and information security as a risk management issue. Noncompliance or failure to properly respond to a breach of a customer's personal information may result in the following outcomes:
* Damage to the company's reputation, brand, or business relationships
* Legal liability and industry or regulatory sanctions
* Charges of deceptive business practices
* Customer or employee distrust
General regulations and requirements
If a company collects, uses, shares, or retains individual customer information, it should be aware of the specific laws and regulations that apply to it. Several federal and state laws require that the organization implement "reasonable" privacy and information security practices. Depending on the scope of a company's services, the following laws and regulations may apply.
The Federal Trade Commission (FTC) Act
The FTC Act prohibits deceptive or unfair trade practices. Under the FTC Act, businesses must handle information in a way that is consistent with their promises to their customers, such as those made in their privacy statements, and must avoid data security practices that create an unreasonable risk of harm to a customer's personal information.
The FTC is the primary agency charged with consumer protection in the United States and enforces company-made privacy promises as well as obligations imposed on companies by privacy and security laws. The FTC also brings actions against companies for failure to comply with federal privacy laws, including the following.
The Gramm-Leach-Bliley Act (GLBA)
Although accounting firms are no longer subject to the notice requirements of GLBA, they must still comply with the Privacy Rule and the Safeguards Rule. Specific requirements for CPA firms may...