Privacy Principles for Accountants

The CPA Journal, May 2008, by Mary J. Hildebrand and Matthew Savare

Legal Issues and Business Opportunities

Europe has taken an aggressive stance on protecting individual privacy with its comprehensive European Union Privacy Directive. The United States, however, has, until fairly recently, adopted a more laissez-faire approach. Over the last several years, there has been a dramatic increase in the incidence of identity theft and high-profile data security breaches, many involving accountants, tax preparers, and auditors. For example, in January 2006, some H&R Block clients' Social Security numbers appeared on mailing labels. Similarly, Deloitte & Touche, the AICPA, and even the IRS have suffered data breaches. In light of these problems, American consumers and legislators have begun to focus on the privacy of personal information.

Identity theft is the most rapidly growing white-collar crime (Daniel J. Solove, "A Taxonomy of Privacy," University of Pennsylvania Law Review, January 2006). Surveys estimate that approximately 10 million consumers are victimized each year by some type of identity theft. The Federal Trade Commission (FTC) estimates that identity theft cost businesses approximately $50 billion in 2003 (Joel Winston, "Identity Theft and Social Security Numbers," E-Commerce Law Report, April 2006). In this environment, protecting consumer privacy is rapidly becoming one of the most significant legal and technological challenges facing businesses. Respecting and safeguarding consumer privacy is not just a legal issue, however. It is also a business issue that can profoundly affect a company's risks, reputation, and bottom line.

Legal and Compliance Issues

Privacy, a vague, abstract concept, means different things to different people. It is one aspect of disparate legal issues such as abortion, wiretapping, airport screening, disclosure of medical or financial information, police searches, and journalism. Solove's article quoted one privacy scholar's lament: "Privacy seems to be about everything, and therefore it appears to be nothing."

This article uses the AICPA's definition of "privacy" as "the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information." Viewed in this context, CPAs need to comply with a host of information privacy laws, regulations, and rules.

Gramm-Leach-Bliley Act. The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA; 15 USC sections 6801-6809), and its accompanying FTC regulations govern the collection, use, disclosure, and protection of consumers' "nonpublic personal information." 16 CFR section 313.3(n)(1) defines "nonpublic personal information" as "(i) Personally identifiable financial information; and (ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available." GLBA applies to "financial institutions" that are "significantly engaged" in providing individual clients with "financial products or services" for personal, family, or household purposes (i.e., nonbusiness purposes). Significantly for accountants, the statute covers the preparation of individual tax returns and the provision of nonbusiness tax or financial planning advice. As such, accountants who provide these types of services to individual clients must comply with GLBA.

GLBA imposes two significant requirements upon accountants who are covered by the statute. First, accountants are prohibited from disclosing to a nonaffiliated third party any nonpublic personal information of their clients, such as Social Security numbers, tax return data, and account information (15 USC section 6802). GLBA does permit "financial institutions" to disclose certain information if a client is provided an opt-out notice and a reasonable opportunity to opt out of the disclosure. As noted later herein, IRC section 7216 restricts accountants' use and disclosure of clients' federal tax return information, and the GLBA opt-out mechanism does not override that restriction. FTC staff has stated unequivocally of the GLBA's exemption: "The Privacy Rule does not supersede the restrictions in section 7216. The GLB Act and the Agencies' implementing regulations do not authorize a financial institution to disclose nonpublic personal information in a way that is prohibited by some other law. Therefore, you may not avoid the restrictions of section 7216 by providing your customers with an opt-out notice and a reasonable opportunity to opt out" (FTC, "Frequently Asked Questions for the Privacy Regulation," www.ftc.gov/privacy/glbact/glbfaq.htm#A). Disclosure is permitted, however, to effect or administer a client transaction (e.g., disclosure of a tax return to a tax return processor); to participate in a peer review; to comply with federal, state, or local laws; and to comply with court orders.

Second, FTC regulations require accountants to "develop, implement, and maintain a [written] comprehensive information security program" that outlines the ways in which they protect client information (16 CFR section 314.3). The program must be tailored to the size and complexity of the accountant's practice, the nature and scope of the services, and the sensitivity of client data. As specified by 16 CFR section 314.4, under the security plan accountants must do the following:
