According to the Identity Theft Resource Center, there was a 40% increase in data breaches from 2015 to 2016. In total, $16 billion was stolen from 15.4 million United States consumers, as reported by Javelin Strategy & Research. Furthermore, in a Deloitte Touche Tohmatsu study, three out of four companies surveyed reported a data security breach originating from outside the company.
As an accounting professional, it is important to be cognizant of the ever-growing threat to data security. Clients entrust you with their personal and financial well-being merely by providing you with their confidential data.
Before the digital data explosion, companies would use elaborate methods to safeguard client information. The preferred mode of data storage was often something as simple as a locked, fireproof file cabinet in a secured room. This method of storage protected a client's data from both fire and theft. Accounting firms of all sizes had written policies mandating the use of these storage systems. It was rare for a thief to breach such systems.
Today, the contents of vast rooms filled with locked, fireproof cabinets can fit on a memory stick the size of a Bic® lighter. A laptop can hold even more data. As a mobile society, we encourage telecommuting and the use of laptops and cell phones on trains, buses, planes, and a vast array of other convenient channels for delivering services to our clients. However, the threat of data loss is not confined to a plane, train, or automobile; it exists right in our own offices.
So, how can you ensure your clients' data remains secure in this digital age? First and foremost, your firm should have a written data storage policy. The policy should encompass all forms of media upon which client information can be found. It should be as rigidly adhered to as your human resources policies concerning conduct in the workplace. In short, it should be the functional equivalent of a locked, fireproof file cabinet in a secured room.
As you develop your policy, you should consider the most common vulnerabilities and exposures that lead to data breaches.
While not exhaustive, this list of questions will help you create a sound data storage policy:
- Are your laptops locked to a docking station on your desk?
- Is the data on the laptop encrypted?
- Are computers (servers, PCs, and laptops) in a locked, secured room when you leave the office in the evening?
- In the event of fire or theft, is backup digital data in a fireproof safe, either on-site or elsewhere?
- Have you ensured that the client source documents in your possession are copies only, with the originals either stored securely elsewhere or returned to the client?
- Do you maintain a master list of all items entrusted to you and in your possession?
Even the most vigilant professionals may lose sensitive personal client data to fire or theft, so it is important to be prepared. Upon learning of a security breach, one must act immediately. Many commercial and professional liability insurers have staff who can assist with your data breach response.
In collaboration with certain insurers, we have developed a checklist of items that should be addressed in your response to a data breach:
- Immediately inform the client of the breach
- Consult the master list of the items with which your client has entrusted you, and begin the task of reconstructing what was lost or stolen
- Assist your client in contacting financial institutions, credit bureaus, and others to inform them of the potential for identity theft
- Notify your commercial and professional liability insurance carriers of the theft or fire loss
- Review your data security policy, and determine how to close the loophole that led to the breach
The theft of a single laptop containing sensitive client data could place a large percentage of your client base at risk. Are you prepared for the number of claims that might be levied against you and the potential loss of business that might result? For professionals, preparation is the key ingredient in maintaining a healthy practice.
This article is provided for informational purposes only. None of it constitutes legal advice, nor is it intended to create any attorney-client relationship between you and the author. You should not act or rely on this information without seeking the advice of your own attorney.