- A CPA firm’s office is burglarized and several
password-protected desktop computers containing confidential information
are stolen. The accountant files a report with the local police.
- A junior accountant is traveling
to a client’s out-of-state office and leaves a password-protected
laptop containing confidential client information at the airport
counter. After working with local airport representatives, the laptop
cannot be found.
- A mail carrier leaves an
individual tax return in a sealed envelope at the door of a client in a
semi-public hallway. It is discovered later by the client, unsealed.

In each of these cases, the accounting firm should report the matter to
its professional liability insurance carrier. Recommended follow-up from
CNA’s claim and risk control teams includes:
- Under the advice of a suitably qualified attorney, review compliance with
applicable federal and state laws and regulations such as the FTC
Financial Privacy and Safeguards Rules, and breach-of-security
notification requirements under state law. Refer to guidance regarding
privacy and data security from the AICPA and governmental bodies such as
the FTC, and the office of the state attorney general in the state of
residency of each of the potentially affected individuals.
- Under the advice of a suitably qualified attorney, draft a notification
letter to all potentially affected clients in accordance with federal
and state law. The notification should be factual, indicating what
happened, what information was potentially exposed and what is being
done to protect the potentially affected individuals. The notification
should also indicate that the incident has been reported to the police,
if applicable. Provide contact information for the police and the report
number, if available.
For guidance on information compromise
and a sample notification letter (Model Letter), please refer to the FTC
guide, Information Compromise and the Risk of Identity Theft: Guidance
for Your Business, available at: .
- All breach-related correspondence should be drafted under the advice of a qualified attorney.
- Recommend
to individual clients that they maintain vigilance regarding their
credit and that they obtain free credit reports to check for identity
theft. Check to determine whether applicable state laws require that
credit monitoring be offered at no expense to the client. To maintain
good client relations, the CPA should consider offering credit
monitoring to the affected client at the firm’s expense, whether this is
required or not. Free credit report information is available at: .
The Social Security Administration and the Office of the Inspector General also offer guidance on identity theft, available at: and
- Have the firm’s attorney (or the attorney appointed by the firm’s carrier)
consult state breach of security notification requirements. Check other
state breach notification laws if some of the potentially affected
clients are located in other states.
In the event of a
privacy breach, coverage available under a particular insurance policy
to respond to claims, provide assistance to the policyholder, and defray
related expenses varies widely. Coverage is subject to the terms,
conditions and exclusions contained in each policy. Consult with the
firm’s insurance agent or broker regarding both existing and available
coverage to evaluate the firm’s insurance requirement before a privacy
For more information on privacy and data
security coverage available to AICPA Professional Liability Insurance
Program policyholders, refer to CNA NetProtect Marketing Brochure.
Resource: AICPA Information Technology Center, Privacy/Data Protection,
By Accountants Professional Liability Risk Control, CNA, 333 South Wabash Avenue, 39S, Chicago, IL 60604.
This information is produced and presented by CNA, which is solely responsible for its content.
The purpose of this article is to provide information, rather than advice
or opinion. It is accurate to the best of the author’s knowledge as of
the date of the article. Accordingly, this article should not be viewed
as a substitute for the guidance and recommendations of a retained
professional. In addition, CNA does not endorse any coverages, systems,
processes or protocols addressed herein unless they are produced or
created by CNA.
Any references to non-CNA
websites are provided solely for convenience, and CNA disclaims any
responsibility with respect to such websites.
To the extent this article contains any examples, please note that they
are for illustrative purposes only and any similarity to actual
individuals, entities, places or situations is unintentional and purely
coincidental. In addition, any examples are not intended to establish
any standards of care, to serve as legal advice appropriate for any
particular factual situations, or to provide an acknowledgement that any
given factual situation is covered under any CNA insurance policy.
Please remember that only the relevant insurance policy can provide the
actual terms, coverages, amounts, conditions and exclusions for an
insured. All CNA products and services may not be available in all
states and may be subject to change without notice.
Circular 230 Notice: The discussion of U.S. federal tax law and
references to any resources in this material are not intended to: (a) be
used or relied upon by any taxpayer for the purpose of avoiding any
federal tax penalties; (b) promote, market or recommend any products
and/or services except to the extent expressly stated otherwise; or (c)
be considered except in consultation with a qualified independent tax
advisor who can address a taxpayer’s particular circumstances.
Casualty Company, one of the CNA insurance companies, is the
underwriter of the AICPA Professional Liability Insurance Program.
CNA is a registered trademark of CNA Financial Corporation. Copyright © 2011 CNA. All rights reserved.