The latest facts, court rulings, and new regulations
by Stan Sterna, JD
Safeguarding your clients’ nonpublic information from cyber-criminals is a top priority for CPA firms. In fact, the latest data breach statistics from RSA Security show an alarming increase in the number of exposed consumer records across industries:
- 4,149 reported breaches exposing 4.2 billion records
- 53% of all breaches resulted from hacking by outside sources
- 91% of all breaches were electronic, as opposed to stolen hardware
Do clients have standing to sue a CPA firm if they did not suffer damages as a result of a data breach? The federal circuit courts are split.
Two recent decisions illustrate that the federal circuit courts are divided as to whether a mere increased risk of identity theft coupled with a plaintiff’s mitigation costs give the plaintiff sufficient standing to sue.
• The Sixth Circuit court, citing the defendant’s offer for free credit monitoring as evidence, joined the Seventh and Ninth Circuits in holding that a cyber victim's fear of future harm is real and provides sufficient standing to sue. This particular ruling specifically undermines the defense that if no actual cyber fraud or identity theft occurred, the victim has not been damaged and has no standing to sue.1
• However, in another case, the Fourth Circuit held that a plaintiff must allege and show that their personal information was intentionally targeted for theft in a data breach and that there is evidence of the misuse or accessing of that information by data thieves.2
The division among the circuit courts as to standing is not likely to be resolved unless and until the U.S. Supreme Court decides a case on the issue.
New cybersecurity regulation sets the stage for other states to follow
In response to several recent, highly publicized consumer data breaches, the New York State Department of Financial Services enacted 23 NYCRR 500, “Cyber Requirements for Financial Services Companies” which took effect March 1, 2017. These “first-in the-nation” data security regulations establish the steps that covered entities must take in order to secure customer data. The regulations are designed to combat potential cyber events that have a reasonable likelihood of causing material harm to a covered entity’s normal business operations.
Specifically, insurers, banks, money services businesses and regulated vital currency operators doing business in New York with 10 or more employees and $5 million or more in revenues must comply with the new rules. While the regulations will be rolled out over the next two years, some covered entities, such as insurance companies, will be required to comply with elements of the regulations within six months of the effective date. Under the provisions, companies must:
- Conduct a cybersecurity risk assessment, prepare a cybersecurity program subject to annual audit, and establish a written policy tailored to the company's individualized risks that are approved by senior management;
- Appoint a Chief Information Security Officer (CISO) responsible for the cybersecurity program who regularly reports on the integrity, security, policies, procedures, risks and effectiveness of the program and about cybersecurity events;
- Establish multi-factor authentication for remote access of internal servers;
- Encrypt nonpublic information (PII) and regularly dispose of any nonpublic information that is no longer necessary for conducting business (unless required to be retained by law);
- Prepare a written incident response plan that effectively responds to events and immediately provides notice to the Superintendent of the New York Department of Financial Services of any breaches where notice is required to be provided to any government body, self-regulatory agency or any other supervisory body or where there is a “reasonable likelihood” of material harm to the normal operations of the business;
- Implement a written policy addressing security concerns associated with third parties who provide services to the covered entity which contain guidelines for due diligence or contractual protections relating to the provider’s policies for access, encryption, notification of cybersecurity events impacting the covered entity’s nonpublic information and representations addressing the provider’s cybersecurity policies relating to the security of the covered entity’s information systems or nonpublic Information;
- Annually file a statement with the New York Department of Financial Services certifying compliance with the regulations.
What is the impact of this new regulation on CPA firms?
Whether a CPA provides professional services for an entity covered by the New York Department of Financial Services or not, these new rules are important for the following reasons:
- Regulation in one state frequently results in regulation in other states; the New York cybersecurity regulations may serve as a template for other states contemplating cyber security legislation.
- The regulations create a framework for plaintiffs' attorneys to follow when alleging that a company (regardless of whether it is a New York covered entity or not) should have done more to prevent a data breach or that a CPA firm should have detected data security issues while providing professional services.
- CPA firms should consult with their legal counsel to assess the firm's risk of first/third party data security claims and assess vendor data security coverage
- CPA firms should consult with their insurance agent or broker to review their current cyber policy to ascertain the adequacy of coverage.
Talk with your Aon representative about cybersecurity and your firm
When you look at the statistics, recent court cases and new regulations, there’s no disputing that cyber security continues to be a hot issue for everyone who handles confidential client information – with a reach that extends far beyond the State of New York and financial services businesses.
If you haven’t already, be sure to speak with your Aon representative about risk management resources as well as cyber liability endorsements called CPA NetProtectSM and new CPA NetProtect PrimeSM that are available through the AICPA Professional Liability Insurance Program.
1 Galaria v. Nationwide Mutual Insurance Co., Nos. 15-3386/3387 (6th Cir. Sept. 12, 2016) (unpublished)
2 Beck, et. al. v. McDonald, et. al., No. 15-1395, (4th Cir. February 6, 2017)
Stan Sterna, JD is Vice President, Risk Management at Aon Insurance Services. Aon has been the endorsed administrator of the AICPA Professional Liability Insurance Program since 1974. To learn more about the AICPA Program, visit www.cpai.com.
This article is provided for general informational purposes only and is not intended to provide individualized business, risk management or legal advice. You should discuss your individual circumstances thoroughly with your legal and other advisors before taking any action with regard to the subject matter of this article. Only the relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured.