How Secure Are Your Business Records?

• What are the rules?
• Rule breaches – some examples
• A word about subcontractors
• Tips for proper handling of business records
• Do you need guidance?
• Comments or questions about this article?
• Guides for best practice

All CPAs have ethical and legal obligations with regard to how they handle sensitive and confidential information, whether this information relates to their own business or to their customers or employees.

Accordingly, members need to stay up to speed about threats to data security and implement best practices to ensure that they stay onside of the rules set out by the CPA Code of Professional Conduct (CPA Code) and by various pieces of privacy and regulatory legislation. Otherwise, they face considerable fallout, including:

• Damage to their reputation, brand, or business relationships;
• Legal liability and regulatory sanctions;
• Customer or employee distrust; and
• Accusations of deceptive business practices.

What are the rules?

Rule 208 of the CPA Code (Confidentiality of Information) requires members to maintain the records of present and former clients or employees securely and confidentially. It also requires members to obtain the consent of these individuals when preserving the information and ensure that the information is used appropriately. Rule 208.3 states:

“A registrant shall:

1. take appropriate measures to maintain and protect confidential information of any client, former client, employer or former employer, as the case may be and to ensure that access to such information by another person is limited to those with legitimate purpose to access the information; and
2. obtain the written agreement of any such person to carefully and faithfully preserve the confidentiality of any such information and not to make use of such information other than as shall be required in the performance of appropriate professional services.”

In addition to the rules set out in the CPA Code, members should be aware of the requirements set out in the following legislative acts:

• BC’s Personal Information Protection Act (PIPA) applies to provincially regulated private sector organizations in BC that collect, use, or disclose personal information. PIPA describes how these private sector organizations must handle the personal information of the public and their employees, and establishes rules regarding the collection and disclosure of this information. An organization that contravenes PIPA can be sued by affected individuals for “damages for any actual harm suffered.”¹
• BC’s Freedom of Information and Protection of Privacy Act (FOIPPA) applies to BC public bodies and organizations that provide services to these public bodies. FOIPPA creates rules for the collection, use, disclosure, and storage of personal information in a public body’s custody or control. It also stipulates that certain violations are finable offences.²
• Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) creates rules for the collection, use, and disclosure of personal information by federally regulated private sector organizations in BC or by BC private sector organizations that have clients in other Canadian jurisdictions.³
• The United States’ Internal Revenue Code makes it a criminal offence for anyone—including preparers and handlers of US tax returns—to “knowingly or recklessly” disclose the confidential information of any US taxpayer.⁴ This law also requires tax return preparers to have “adequate data protection safeguards” in place when sending or receiving returns outside of the United States.

Rule breaches – some examples

In recent years, CPABC has encountered several situations in which CPAs have failed to securely maintain the integrity of their files. The following examples are based on real-life situations, though some details have been altered:

• One firm stored client file boxes in plain view of its front window. Client names were prominently displayed on each box and visible to anyone passing by.
• Another firm routinely transferred physical client files between its head office and its branch offices elsewhere in BC. Although transported in the back of a locked truck, the files were visible to passersby, and—on more than one occasion—they were left unattended overnight.
• Confidential documents destined for shredding were placed in a communal bin that a firm shared with other tenants in the same building. Thus, every tenant had access to the firm’s discarded materials before these materials were shredded.
• Clients of another firm were given unsupervised access to the office of a partner following his death. While the purpose, ostensibly, was to enable clients to retrieve personal material, the firm unwittingly gave each client access to other clients’ files as well.

By compromising the confidentiality and integrity of their clients’ files, the firms involved in these examples breached the CPA Code. Several were sanctioned as a result.

While the above examples all involve physical files, it’s important to note that breaches of confidentiality can also apply to the transmission and storage of electronic data. This is increasingly true in the digital age. Here are a few examples of improper actions:

• Emailing sensitive information that is not encrypted or password-protected;
• Sending information to the wrong recipient;
• Uploading confidential information to a public network or website; and
• Failing to maintain proper cybersecurity measures.

A word about subcontractors

CPAs often use subcontractors to provide services such as payroll and document storage. With their access to large amounts of electronic data pertaining to the CPA’s clients or organization, a subcontractor could create havoc in mere minutes.

Consider this fictionalized nightmare scenario: A forensic accounting and litigation support practice employs a subcontractor to transcribe audio files of various interviews conducted for clients. Among these audio files are interviews with employees who’ve been suspected of misconduct. The subcontractor downloads the audio files from the firm’s private website, transcribes them, and then uploads them (unencrypted and without password protection) to the firm’s public website. The transcripts are subsequently indexed by Google and other search engines, effectively making them available to anyone searching the employees’ names online.

This hypothetical scenario is based on a real-life situation described in the Journal of Accountancy in 2015, in which a company failed to adequately train a subcontractor on the proper use of its technology.⁵ The resulting breach of privacy led to significant sanctions for the company, and the requirement that it report on its security systems to the US Federal Trade Commission for the next 20 years.⁶

Breaches like the one above can happen in any industry. And since CPAs cannot subcontract their legal obligations, how can they ensure that subcontractors adhere to the same high standards of confidentiality and security?

As a minimum, when selecting a subcontractor, CPAs should review and ensure that they understand the subcontractor’s privacy and security policies and procedures. CPAs should also understand how subcontractors screen, train, and monitor their own employees who have access to client data. If these policies or procedures raise concerns, CPAs should consider how best to mitigate against these risks and ensure that subcontractors are adequately trained about the CPA’s policies and procedures, including those related to technology.

Tips for proper handling of business records

The following list offers common-sense control measures that every organization should implement to protect physical and electronic data:

• Access control: For electronic files, it is important that access be controlled using passwords, firewalls, and/or encryption. This is especially true if the information is saved on physical storage devices such as USB drives. Of course, effective protection of electronic files must be supported by an effective approach towards cybersecurity. For physical files, it is important that access be controlled using physical locks and other similar security measures.
• Confidential disposal of documents: Most businesses still deal with paperwork on a daily basis. Any confidential paperwork should be shredded before it leaves the office premises. Or, if using a subcontractor for this service, it is imperative that the firm be judicious in the hiring process (as described in the previous section).
• Secure transportation and delivery of documents: If physical documents must be delivered, CPAs should use a trusted courier or delivery service with its own security and confidentiality policies. If digital documents need to be sent, CPAs should consider using encryption and password protection.
• Training: An employee or subcontractor’s ignorance can pose a significant risk to data security. Employees and subcontractors should be trained on and kept up to speed about the organization’s policies, procedures, and technology.
• Communication with clients: If you’re a practitioner, make sure that your clients are made aware of any third-party software you use to process or store their data. For example, if your software providers track keystrokes or store data outside of Canada, you should inform your clients, as each client has their own privacy concerns and risk tolerance.
• Tone at the top: Employees often adopt similar attitudes to those displayed by their bosses. Therefore, the “tone at the top” must be one that emphasizes the importance of maintaining and promoting strong business and confidentiality controls.

Do you need guidance?

CPABC has professional standards advisors who are here to help you understand the CPA Code. All discussions are confidential, non-binding, and unofficial. Contact the advisors by email.

In complex situations, you may also want to consider obtaining independent legal counsel. The Chartered Professional Accountants Act, CPABC Bylaws, CPABC Bylaw Regulations, and CPABC Code of Professional Conduct can be accessed online.

Comments or questions about this article?

Contact the professional conduct department.

Footnotes

1. PIPA, Part 12, Section 57(1).
2. FOIPPA, Part 6, Section 74.1. Maximum fines are $2,000 for individuals, $25,000 for partnerships or individuals who are service providers, and $500,000 for corporations.
3. Information about PIPEDA is available on the Office of the Privacy Commissioner of Canada website. The site also features a number of resources, including a “Privacy Toolkit” for businesses.
4. Internal Revenue Service, “Section 7216 Frequently Asked Questions”. The maximum penalty is US$1,000 and one year of imprisonment for each violation, which can make for a very severe punishment! For example, a breach that affects 10 years’ worth of returns for 10 taxpayers could equate to 100 violations.
5. Joseph Wolfe, “Due Diligence with CPA Firm Subcontractors,” Journal of Accountancy, June 1, 2015.
6. United States Federal Trade Commission, “Provider of Medical Transcript Services Settles FTC Charges That It Failed to Adequately Protect Consumers’ Personal Information,” (press release), January 31, 2014.

Guides for best practice

The following guides are available on the CPA Canada website to help CPAs assess, develop, and improve their organization’s privacy policies.

• The Canadian Privacy and Data Security Toolkit, published by CPA Canada, is designed to help business professionals and business owners address privacy and data security issues within their organizations.
• Generally Accepted Privacy Principles, published by the American Institute of Certified Public Accountants (AICPA) and CPA Canada, advises members on how to conduct their business.
• The AICPA/CPA Canada Privacy Maturity Model, also published by the AICPA and CPA Canada, can be used to assess your organization’s existing privacy policy against 73 established generally accepted privacy principles.