Privacy Principles for Accountants

The CPA Journal, May 2008, by Mary J. Hildebrand and Matthew Savare

* Designate the employees to coordinate the safeguards;

* Identify and assess risks to customer information;

* Create, monitor, and test a safeguards program that addresses the risks identified during the assessment;

* Select appropriate service providers and require them by contract to implement these safeguards; and

* Evaluate the plan and adjust it as necessary.

Because AICPA Code of Professional Conduct Rule 301 mandates that "[a] member in public practice shall not disclose any confidential client information without the specific consent of the client," the safeguards program should not require accountants to perform many additional tasks. At minimum, accountants should document their existing safeguard plan, designate someone to coordinate it, and require their service providers to comply. Requiring service providers to agree to safeguard client data comports with the recommendations outlined in AICPA Rule 391, which states: "[T]he member should enter into a contractual agreement with the third-party service provider to maintain the confidentiality of the information and be reasonably assured that the third-party service provider has appropriate procedures in place to prevent the unauthorized release of confidential information to others."

With more tax-return preparation work being sent overseas, accountants must recognize that although they can outsource certain job functions, they cannot outsource their legal liability for privacy violations. According to Amy E. Yates ["Sit, Walk, Heel, Stay (or How to Train Your) Outsourcer," SciTech Lawyer, Summer 2006], privacy experts recommend that covered entities such as accountants employ six rules to meet their obligations under data privacy laws and to manage their risks when outsourcing to third parties:

* Enter into a contractual agreement with the third party that delineates that party's specific obligations, rather than simply stating that the party will comply with all applicable laws and regulations.

* Perform a "gap" analysis and determine if the third party's privacy and security policies are adequate.

* Become familiar with the third party's processing practices. For example, is the third party collecting more confidential information than is necessary to complete the required job?

* Perform privacy audits on the potential and existing outsourcers on a periodic basis.

* Establish a strong working relationship with the vendor's chief privacy officer.

* Employ and maintain strong privacy protections in the accounting firm.

Prior to October 13, 2006, GLBA required accountants to provide annual notices to clients regarding their privacy policies. On that date, President Bush signed into law the Financial Services Regulatory Relief Act of 2006, which contained a provision exempting CPAs from this requirement ("President Bush Signs into Law Bill Giving CPAs Exemption from Gramm-Leach-Bliley Annual Notification Requirement," www.aicpa.org/pubs/cpaltr/nov2006/story2_nov06.htm).

Notwithstanding this exemption, the AICPA still strongly recommends that accountants maintain and enforce a privacy policy. The privacy policy does not need to be personalized for each client. Instead, it can be posted to the accountant's website or provided in conjunction with a bill, engagement letter, or newsletter. The policy, which should be clear, conspicuous, and accurate, should describe the following items:
