Data Security
Complying with Data Security Law
Accountants and Tax Professionals Must Have Written Policies that Comply with Federal Law
August 9, 2019 -- As a business that collects personal information from your clients (names; addresses; phone numbers; bank and credit card account numbers; income and credit histories; Social Security numbers, etc.), federal law requires that you ensure the security and confidentiality of this information and that you make your policies and method of enforcing these protections available to clients who may request proof.
The Gramm-Leach-Bliley (GLB) Act requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of this type of information. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. The Rule is available at ftc.gov.
But safeguarding customer information isn’t just the law. It also makes good business sense. When you show clients that you care about the security of their personal information, you increase their confidence in your company.
The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each company must:
- designate one or more employees to coordinate its information security program;
- identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
- design and implement a safeguards program, and regularly monitor and test it;
- select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
- evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
In addition, companies must consider and address any unique risks raised by their business operations — such as the risks raised when employees access customer data from their homes or other off-site locations, or when customer data is transmitted electronically outside the company network.
As you begin the process of initiating or updating your data security plan, you should consider doing the following:
- Consult your professional liability insurance carrier for any requirements or recommendations it may have for a company security plan. You may also want to check your policy to see whether your company can receive a premium discount for having a security plan that complies with your carrier's requirements.
- If you store your client information in a cloud-based system, check that provider's data security plan and link it to your own plan.
If you don't have a data security plan, or you think your plan may be outdated, here are some good links and templates to help you create a plan or revise the one you have:
For detailed information on how your company should secure data, click this link:
https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying#secure
For MTAP's data security resources including IRS data security checklists and templates you can customize to your company's needs, click this link:
https://michigantap.net/practice_information_security.php
Now is the perfect time to ensure your company is in full compliance with federal data security law and requirements. Do it before something happens and exposes this oversight.