- A CPA firm’s office is burglarized and several password-protected desktop computers containing confidential information are stolen. The accountant files a report with the local police department.
- A junior accountant is traveling to a client’s out-of-state office and leaves a password-protected laptop containing confidential client information at the airport counter. After working with local airport representatives, the laptop cannot be found.
- A mail carrier leaves an individual tax return in a sealed envelope at the door of a client in a semi-public hallway. It is discovered later by the client, unsealed.
In each of these cases, the accounting firm should report the matter to its professional liability insurance carrier. Recommended follow-up steps from CNA’s claim and risk control teams include:
1. With the advice of a suitably qualified attorney, review compliance with applicable federal and state laws and regulations such as the FTC Financial Privacy and Safeguards Rules, and breach-of-security notification requirements under state law. Refer to guidance regarding privacy and data security from the AICPA and governmental bodies such as the FTC, and the office of the state attorney general in the state of residency of each of the potentially affected individuals.
2. With the advice of a suitably qualified attorney, draft a notification letter to all potentially affected clients in accordance with federal and state law. The notification should be factual, indicating what happened, what information was potentially exposed and what is being done to protect the potentially affected individuals. The notification should also indicate that the incident has been reported to the police, if applicable. Provide contact information for the police and the report number, if available.
For guidance on information compromise and a sample notification letter (Model Letter), please refer to the FTC guide, Data Breach Response: A Guide for Business, available at: https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business.
3. All breach-related correspondence should be drafted under the advice of a qualified attorney. Recommend to individual clients that they maintain vigilance regarding their credit and that they obtain free credit reports to check for identity theft. Check to determine whether applicable state laws require that credit monitoring be offered at no expense to the client. To maintain good client relations, the CPA should consider offering credit monitoring to the affected client at the firm’s expense, whether this is required or not. Free credit report information is available at: https://www.consumer.ftc.gov/articles/0155-free-credit-reports
The Social Security Administration and the Office of the Inspector General also offer guidance on identity theft, available at: https://www.ssa.gov/pubs/EN-05-10064.pdf
4. Have the firm’s attorney (or the attorney appointed by the firm’s carrier) consult state breach-of-security notification requirements. Check other states’ breach notification laws if some of the potentially affected clients are located in other states.
In the event of a privacy breach, coverage available under a particular insurance policy to respond to claims, provide assistance to the policyholder, and defray related expenses varies widely. Coverage is subject to the terms, conditions and exclusions contained in each policy. Consult with the firm’s insurance agent or broker regarding both existing and available coverage to evaluate the firm’s insurance requirement before a privacy breach occurs.
For more information on privacy and data security coverage available to AICPA Professional Liability Insurance Program policyholders, refer to the NetProtect information page on cpai.com.
Resource: AICPA Cybersecurity/Information Security, https://www.aicpa.org/interestareas/informationtechnology/resources/information-security-cybersecurity.html
By Accountants Professional Liability Risk Control, CNA, 333 South Wabash Avenue, 39S, Chicago, IL 60604.
This information is produced and presented by CNA, which is solely responsible for its content.
The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.
Any references to non-CNA websites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites.
To the extent this article contains any examples, please note that they are for illustrative purposes only and any similarity to actual individuals, entities, places or situations is unintentional and purely coincidental. In addition, any examples are not intended to establish any standards of care, to serve as legal advice appropriate for any particular factual situations, or to provide an acknowledgement that any given factual situation is covered under any CNA insurance policy. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All CNA products and services may not be available in all states and may be subject to change without notice.
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.
CNA is a registered trademark of CNA Financial Corporation. Copyright © 2011 CNA. All rights reserved.