Responsible outsourcing: liability from information stored overseas.

Author: Werner, Randy R.
Position: Practice management

The buzz surrounding cloud services makes it easy to forget that such services are a form of outsourcing, and that CPAs are responsible for ensuring client information is protected. Cloud services are distinguished by low-cost availability to large numbers of users sharing physical servers--a situation that requires security and controls over the users' confidential and private information. Regulatory oversight has increased in recent years to the extent that organizations must be compliant with the laws in the states where the data resides, where it is received and when it is sent to foreign providers.

A CPA's Disclosure

The profession has long required CPAs to take necessary precautions to be sure that the use of outside services does not result in the release of confidential information, and CAMICO has long recommended that CPAs disclose to clients the use of third-party service providers, including cloud service providers. Such a proactive approach:

* Clarifies the nature of the services being provided;

* Corrects any false expectations clients may have about storage of their personal information;

* Helps forestall negative client reactions in the event something goes wrong with the outsourced services; and

* Helps protect against liability should there be damages relating to the firm's use of a third-party provider.

CAMICO's view is that CPAs should disclose to clients what is being done with their information. Client consent to disclose or use tax return information by tax return preparers is covered under Internal Revenue Code Sec. 7216. Absent a specific exception (as provided in Treas. Reg. Sec. 301.7216-2), prior written consent by a taxpayer is generally required to disclose or use tax return information.

AICPA ethics rules require CPAs to inform clients that the firm may use a third-party service provider before providing the third party with confidential client information. Sample client disclosure language can be found in AICPA guidance to Ethics Ruling No. 112, Use of a Third-Party Service Provider to Assist a Member in Providing Professional Services.

State boards of accountancy may have additional regulations requiring written disclosure and written client consent, especially when outsourcing confidential client information outside the United States.

Due Diligence

If using a cloud service provider, CPAs are responsible for:

* Addressing the security, availability and integrity of the systems used by the provider to process...
