Over the last 18 months or so, bad actors have shifted their attention from performing tax refund identity theft against single consumers to what they see as a more lucrative, data-rich opportunity: our profession.
Cyberattacks aimed at accounting firms are a relatively new and very serious threat. Central to this trend is the fact that accounting firms maintain an abundance of personal and financial data, and serve many clients. Accessing a firm’s client base and related data is the ultimate prize for cybercriminals, so hacking attempts are rising rapidly. In fact, the IRS estimates that 3-5 firms per day are breached, their data now in the hands of cyber thieves.
These attempts come in various forms, including phishing, spear phishing, paid search phishing, pharming and URL redirections. Unfortunately, these efforts can succeed if firms do not have appropriate security on their network and/or have inadequate staff training. If a phishing attempt succeeds, bad actors can install malware that, in simple terms, compromises the credentials of firm members, giving the attackers complete access to the data that firms have a responsibility to protect.
Understanding the Gramm-Leach-Bliley Act (GLBA)
In 1999, the Federal Trade Commission (FTC) enacted the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999. While sophisticated cyber-attacks on accounting firms were rare at the time, the GLBA was enacted to protect consumers’ private financial information and to govern the collection and disclosure of clients’ financial information, primarily by financial institutions but also by others, including CPAs, accountants and tax preparers.
Today, many accounting firms don’t realize they are required to comply with the GLBA because they associate it only with large banks or financial institutions. However, the GLBA is applicable to accounting firms as well, regardless of size. As such, if firms neglect to properly protect their clients’ data under the GLBA, there is little doubt that at some point the FTC may go after them, especially as cyber-crimes continue to accelerate.
GLBA Compliance for Accounting Firms
According to the FTC, the GLBA Safeguards Rule requires organizations to develop a written information security plan that describes how they protect client information. The plan must be appropriate to the firm’s size and complexity, the nature and scope of its activities, and the sensitivity of the client information it handles.
Among other items, as part of this plan, each organization must:
• Designate one or more employees to coordinate its information security program.
• Identify and assess the risks to client information in each relevant area of the firm’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks.
• Design and implement a safeguards program, and regularly monitor and test it.
• Select service providers that can maintain appropriate safeguards, making sure their contracts require them to maintain these safeguards.
• Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
It’s important to note that these requirements are designed to be flexible.
Penalties for Non-Compliance
Because compliance with the GLBA is mandatory, there are severe penalties for non-compliance. These penalties include imprisonment for up to five years, fines, or both. An organization can be fined up to $100,000 for each violation, while officers and directors can be fined up to $10,000 for each violation.
Tips for Safeguarding Your Clients’ Data
Regardless of federal requirements, it’s clear that your clients’ data is under attack and you must be diligent in protecting it. To do so properly, it’s important to be aware of cyber threats, like phishing and tax-related identity theft, and how to combat them. In addition, it’s vital to understand what resources the IRS provides for accountants who are looking to better protect their clients’ personal information.
Also, Thomson Reuters and other software providers are working in partnership with the IRS to safeguard against tax refund identity theft, and most have implemented new requirements and additional security measures that strengthen login credentials for all tax-related software. Some have even implemented multi-factor authentication, which I highly recommend.
As you work to develop a safeguarding strategy for your firm, remember to stay up-to-date on the latest resources available to you, as well as advances in technology that can increase security. By remaining vigilant and informed, you can protect your clients’ privacy, comply with requirements like GLBA, and uphold your firm’s reputation.
It’s Your Turn
Has your firm implemented a safeguard strategy to comply with GLBA? If so, I’d love to hear about it. Share your story in the comments section below.