Data Security And CPA Firms: Regulation And Law Changes For 2019 And Beyond

Matt Donovan

RPLU, AVP, Professional Lines Broker

April 11, 2019

CPA firms continue to face challenges in protecting the confidentiality of client data. And while there are no established national cybersecurity standards, the IRS has made it crystal clear that it’s holding CPA firms responsible for safeguarding client information, and those that aren’t taking proactive measures will be in violation of the law. Today, data security has become a necessity for every tax professional — from a partner in a large financial firm to a sole practitioner, and every authorized IRS e-file provider.

Proposed Changes in the Federal Trade Commission Safeguards Rule

On March 5, 2019, the Federal Trade Commission proposed to amend the existing standards for the safeguarding of consumer information (the Safeguards Rule) and the privacy of consumer financial information. Under the Federal Trade Commission Safeguards Rule, financial institutions are to be proactive when it comes to ensuring consumer personal information is kept secure and confidential and outlines specifics regarding the development and implementation of a written information security plan that includes assessing and addressing risks to customer information in all areas of operation. 

Three key areas include:

  • Employee management and training
  • Information systems
  • Detecting and managing system failures

If adopted, the proposed rules will have a significant impact on the operations of covered financial institutions. CPA firms that prepare tax returns qualify as financial institutions under the definition contained in this rule.

Cybersecurity Laws & Regulations

Currently, all 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have passed laws that require financial firms to notify clients of a cybersecurity incident. Colorado and Vermont have cybersecurity regulations affecting investment advisers and broker-dealers. New York has comprehensive cybersecurity regulations affecting banks, insurance companies, and a broad range of other financial service providers. Recently, the state of California has passed legislation that goes into effect in January 2020 regarding the ways companies collect, store, and use customers’ personal data.

An amended version of HIPAA privacy and security rules has recently expanded privacy and security obligations that are appropriate to healthcare providers, to their business associates. These new rules supersede all prior versions of the rules. CPA firms with access to patient billing records in furnishing services to healthcare providers qualify as business associates and as such, must comply with the increasing the responsibilities of healthcare providers and financial institutions to protect confidential information and disclose cybersecurity breaches.

Regarding judicial issues, federal circuit courts are on the fence as to what constitutes sufficient standing to file a lawsuit for a cyberbreach. As it stands, the “threat of harm” rule may eventually become the set standard when it comes to Supreme Court rulings, but that remains to be seen.

Resource Update

Recently, the Department of Commerce’s National Institute of Standards and Technology’s voluntary cybersecurity framework for data breach risk management was updated. In it are best practices that companies can follow to ensure that the risks of a cyberthreat are promptly identified, to implement preventative measures for protecting data, to develop strategies for detecting and responding to a breach, and to restore data in a timely manner.

This article represents a high-level overview of some of the updates and potential provisions regarding cybersecurity regulations that will require CPA firms to reevaluate and develop new policies, procedures, and controls to mitigate cybersecurity risks, as well as to monitor updates and changes in regulations and laws.

For more information, contact Matt Donovan at (678) 502-1278 or

Sources: Government Publishing Office , National Institute of Standards and Technology, U.S. Department of Health & Human Services, Federal Trade Commission,

Looking for a specific solution?