What's your fraud IQ? Best practices for protecting personally identifiable information.

Author: Cresswell, Ron

CPAs often collect, view, and store sensitive personal information about their clients and other individuals. Unlike many countries, the United States has no generally applicable federal law that protects this type of data, which is sometimes called personally identifiable information (PII). Other countries have strict data protection laws that govern the collection, handling, and storage of personal information, and the European Union's new General Data Protection Regulation, which went into effect May 25, 2018, imposes enhanced data privacy measures on all companies that use personal data of people in EU countries, even if those companies don't have an office in the EU (see "Getting Ready for the EU's Stringent Data Privacy Rule," JofA, Jan. 2018, tinyurl.com/ydxajm7x).

These laws can apply any time a CPA handles the personal information of residents of such countries. Legal duties aside, personal information should be protected because it is a common target of identity thieves and other fraudsters. Are you familiar with the best practices for protecting personal information? Take this fraud IQ quiz to find out.

  1. Which of the following is LEAST likely to be considered personal information that is protected by privacy or data protection laws?

    1. An individual's Social Security number.

    2. An individual's birthplace.

    3. An individual's business address.

    4. An individual's credit card number.

  2. In the context of protecting personal information, which of the following is the best description of the principle of least privilege?

    1. Personal information should not be collected unless the company has a specific business need for the information.

    2. Personal information should be kept for only as long as it is needed.

    3. The creation of a data retention policy should be a collaborative effort, incorporating input from employees at all levels of the company.

    4. Access to personal information should be restricted to those employees who need the information to perform their jobs.

  3. Which of the following is NOT a best practice for protecting physical documents that contain personal information?

    1. Shred all documents containing personal information with a strip-cut shredder.

    2. Store documents containing personal information in locked rooms, file cabinets, or desk drawers.

    3. Use access controls to limit access to buildings or areas where personal information is kept.

    4. Prohibit employees from leaving sensitive documents unattended and in plain sight, such as on top of...
