Although compliance laws exist to protect both employers and employees, they draw possibly the most complaints of any corporate requirement. Compliance is not optional, however, and can even do a lot of good, including preventing cybercrime. Rather than complain, CPA firms should recognize that compliance, correctly implemented and truly followed, provides needed policies and procedures and enhances cyberprotection for the firm and its clients.

Background

Every state has some form of a personal data breach law. New York law places its emphasis on the actual breach of personal information (PI): “The Act requires that State entities and persons or businesses conducting business in New York who own or licenses computerized data which includes private information must disclose any breach of data … whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization” (“The New York State Information Security Breach and Notification Act,” Medical Society of the State of New York fact sheet, http://bit.ly/2kBQpQV).

The implementation of compliance laws in New York originally met a good deal of resistance. Employers are now realizing, however, that compliance means implementing best business practices as they relate to cybersecurity and is thus seen as a win for most companies.

In the aftermath of the highly publicized and questionable accounting procedures that brought down large companies like Enron and WorldCom, federal laws focused on corporate compliance, specifically through the Sarbanes-Oxley Act of 2002. As part of enforcing this act, the United States Sentencing Commission offered companies a chance to mitigate punishment for various infractions by instituting “an effective compliance and ethics program,” creating a framework for compliance that is still in use today.

Written Information Security Programs (WISPs) are integral components of an effective compliance framework; indeed, most, if not all, compliance laws, both federal and state, require that a WISP be implemented. Although New York’s compliance law only identifies what to do in the event of a breach, a WISP can help avoid the breach by implementing good business practices, such as the use of portals, encrypted email, encrypted hard drives, and proper training of staff. Implementing proper data breach policies through the use of a WISP can help to, as Massachusetts law requires, “(i) ensure the security and confidentiality of [personal information] in a manner consistent with industry standards; (ii) protect against anticipated threats or hazards to the security or integrity of such information; [and] (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud” (201 CMR 17.00). In short, WISPs can help firms protect against cybersecurity breaches, recognize breaches when they do occur, and take necessary action.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to help protect the privacy and security of certain health information. According to the Department of Health and Human Services:

Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems. … While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks. (http://www.HHS.gov)

HIPAA sets standards designed to contain these risks while still encouraging the adoption of new technologies to improve overall healthcare outcomes. While HIPAA does not specify risk management steps, its requirements are, like cybersecurity requirements, well-suited to being fulfilled through the use of a WISP.

Disaster and Business Continuity Plans

Finally, although government regulations do not require each industry to create a disaster and business continuity plan (CPA firms are only required to have one if they are subject to SEC rules), such plans are a great way to prepare a business—and employees—for an emergency. Business continuity refers to maintaining business functions or getting those functions back up and running in the event of a major disruption; situations considered can include weather events and other natural disasters, accidental fires or power losses, and even terrorist attacks. Business continuity plans are far more complicated and detailed than WISPs, but having one is a good idea for any business. They detail what employees are to do in the case of a disaster or other event that may have a significant impact on the company. The plan details and assigns such tasks as letting clients know the company is still in operation, informing employees of the situation, responding to communications such as emails and faxes, and telling delivery services where to forward packages and mail. Since disasters rarely come with advance warnings, having this plan in place ensures that employees know what they need to do, even if they cannot get to the office.

Of course, while compliance tools like WISPs and business continuity plans are all important pieces of the cyberprotection puzzle, education remains the key. The weakest part of any company’s security is the people in it. Employees, managers, and even the board of directors need to be educated on how to use internal and external networks and what types of emails and attachments to avoid. This may sound easy: can’t hacking be stopped by only opening emails from known senders? Unfortunately, email accounts can be hacked and emails sent without the owner ever being aware. In fact, most hackers no longer bother using brute force attacks to break through a firewall; instead, they trick users into giving them access, either by having the user click on something that opens the network or using personal information about an employee gleaned from social media to create imposter accounts.

Here is an example of this tactic, often referred to as “spear phishing”: at a financial company, a hacker broke into the mail account of an administrator. Thus, when someone emailed the administrator to say they were going to stop by later to drop off a deposit, the hacker, responding as the administrator, said that she was going to be on vacation and asked the person to wire the deposit to a specific bank account instead. This was all done without the administrator’s knowledge; hackers can send emails and then delete the record of them immediately or move them to a mailbox the intended user doesn’t see or can’t access. By the time the company realized what had happened, it was too late to ask the bank to reverse the transaction, and the money—$250,000—was gone for good.

At a cybercrime seminar attended by the author, the presenter, an FBI agent, showed a picture of a house. He asked if anyone recognized the picture, and one of the attendees declared that it was, in fact, his house. The presenter then went through a laundry list of additional information he knew about the homeowner, including the names and ages of his children, his job, his spouse, his pets, and where he went to school. The FBI agent did not get this information using tools available to him at the FBI; he gathered it from the homeowner’s social media accounts. The lesson is, the author hopes, obvious.

Need for Vigilance

All companies, and especially CPA firms, must be vigilant in their cybersecurity efforts; CPA firms in particular have access to just the information that data thieves are looking for. CPA firms also understand that compliance is not just a legal requirement; it’s a way to take advantage of best practices when it comes to cyberprotection. Partnering with a provider that can offer both the technical security of a data security center and the necessary training and education will ensure that a CPA firm is positioned for long, trusted client relationships. In this effort, embracing compliance can go a long way toward keeping information safe and thwarting a data breach.