Column: Tax Practice Management
Data protection and its impact on CPAs
Editor: April Walker, CPA
We live and work in an era in which digital information and its protection are critical. CPAs, their clients, and businesses face an increasing use of technology together with a growing awareness of data breaches and identity theft. This has resulted in a growing sensitivity toward the need to focus on protecting client data. CPAs are expected to make reasonable efforts to safeguard their own and their clients’ data privacy.
This column is not intended to address all the specific risks, responses, and nuances of firm administration. It addresses recent changes in tax standards, IRS Security Summit guidance, and other regulatory developments. Several helpful additional sources are listed below (see “Useful Links for Additional Information and Guidance”). The intent is to bring awareness of the expectations of the profession, the public, and the government and to emphasize the importance of staying abreast of regulations, laws, and evolving privacy standards.
Ethical responsibility is a cornerstone of the CPA profession. A CPA’s duty to protect client information is a well-established professional responsibility. This extends to how data privacy is managed, with CPAs working to maintain the confidentiality and integrity of client information. This ethical duty complements legal requirements. As described in the AICPA Code of Professional Conduct, CPAs are expected to act in the best interest of their clients and uphold public trust.
Tax standards and data privacy
The accounting profession’s transition into the digital realm has expanded the scope of CPAs’ responsibilities. Beyond managing finances, they have increased responsibility for securing and protecting data privacy. This role is continually reshaped by advancements in technology, changes in laws, and evolving cybersecurity threats.
The AICPA has responded to these changes in the recently revised Statements on Standards for Tax Services (SSTSs) effective as of Jan. 1, 2024, emphasizing adaptability in data privacy strategies. These evolving standards reflect a deeper understanding of the dynamic nature of data privacy in the digital age.
Section 1.3 was added to address data protection. This section, instead of adding bright-line rules, uses standards to describe reasonable efforts to safeguard taxpayer data. Therefore, the statement is written broadly to address the differences in firms and constant changes in technology, laws, and threats. Some of this standard’s key elements are:
- Considering applicable laws;
- Evaluating how data is stored;
- Adopting current practices, including the use of digital tools; and
- Considering how data is stored with third parties.
When a CPA firm applies this standard, it should start with its current data privacy policies and procedures and determine whether they are reasonable. Some of the elements it should consider are changes in technology, the types of services it provides, and the firm’s size. It is likely a sole practitioner’s plan will be less complex than that of a 100-member firm. However, it is expected that basic steps will be taken to protect client data, such as using virus-scanning software, a virtual private network (VPN), secure software, passwords, and similar tools and practices.
After addressing these basic steps, the firm should consider what other steps to take. Some of those additional steps may concern how client data is maintained, such as avoiding storing unnecessary data, masking personally identifiable data, and establishing a training program for data privacy measures.
With the increasing sophistication of cyberthreats such as phishing and ransomware attacks, CPAs may also want to consider implementing more robust cybersecurity measures. Advances in technology offer additional options. For example, blockchain technology may provide a secure way to store and manage sensitive data. Artificial intelligence could enhance data analysis and fraud detection effectiveness. Note that these technologies could also cause additional data privacy issues. CPAs will want to balance the use of these tools with the additional security they can provide.
Gramm-Leach-Bliley Act (Safeguards Rule)
The Gramm-Leach-Bliley Act, P.L. 106-102, included the Safeguards Rule, which applies to all tax return preparation firms regardless of size. The Safeguards Rule includes a requirement to use a written information security plan (WISP). The WISP must describe how the business is prepared to protect consumers’ nonpublic personal information. In recent years, the IRS and the Federal Trade Commission have heightened attention to remind preparers of this rule, including adding to the preparer tax identification number (PTIN) application and renewal form a question asking the preparer to verify that they have a WISP.
The IRS provides guidelines on how taxpayer information is to be handled and protected. For instance, IRS Publication 4557, Safeguarding Taxpayer Data, provides a guide for tax professionals on how to secure client data. It outlines administrative, technical, and physical security guidelines that tax preparers must follow. Failure to comply with these regulations can result in penalties, including fines and revocation of the right to practice. There are anecdotal stories that IRS agents are proposing fines during audits of CPAs who do not have a WISP.
IRS Security Summit
In 2015, the IRS started the Security Summit, a coalition of the Service, state tax agencies, and the tax industry, including technology companies. The summit’s goal is to combine efforts to put in place safeguards to combat criminal efforts to obtain taxpayer data.
The IRS and the Security Summit partners see tax professionals as central to defense against cybercriminals. Tax professionals are being targeted with scams and efforts to obtain taxpayer information. The schemes are continuing to grow in sophistication and effectiveness. The summit urges tax professionals to develop strong security measures at the office and at home to protect themselves and their clients. A key goal of the summit is awareness. Tax professionals and taxpayers need to be aware of the threats and of the tools and procedures with which to fight them. The IRS expects to continue to hold these summits and other campaigns to keep up with the rapidly evolving threats to data privacy.
The summit also addressed the issue of more people working from home. Some of its recommendations are:
- Using VPNs;
- Using secure browsers to conduct online business and avoiding the use of free public Wi-Fi; and
- Keeping a separate computer for personal use and avoiding using it for business purposes or saving private data on it.
Global data privacy laws
Besides IRS requirements, CPAs face a complex global landscape of data privacy laws. The General Data Protection Regulation in the European Union and state-specific laws such as the California Consumer Privacy Act have set new benchmarks for data privacy, imposing obligations on any entity that handles personal data. These laws affect CPAs who have international clients or operate across jurisdictions, necessitating a comprehensive understanding of a variety of data privacy requirements.
Protecting data, preserving client trust
Data privacy is a changing and important aspect of the CPA profession. A multifaceted approach combining legal compliance, ethical responsibility, technological proficiency, and proactive risk management will aid in addressing these issues. CPAs are expected to take reasonable steps to address these elements and protect sensitive data, maintain client trust, and uphold the profession’s integrity in the face of ever-increasing challenges.
Some key expectations of CPAs are:
- Staying updated on data privacy regulations, IRS guidelines, and cybersecurity threats;
- Maintaining a WISP;
- Developing and enforcing internal policies and controls to manage and protect data; and
- Keeping clients informed about data privacy policies and practices and changes that may affect them.
In this rapidly changing environment, CPAs are well advised to continue to stay abreast of the issues and the available training materials, tools, and practices to comply with their responsibilities as described in standards and other regulations. It is important to keep in mind that none of these efforts guarantee complete data privacy but instead describe what is reasonable to expect from CPAs in conducting their business, which includes a wide range of services and types of firms.
Useful links for additional information and guidance
- IRS Publication 4557, Safeguarding Taxpayer Data
- IRS Publication 5293, Protect Your Clients; Protect Yourself: Data Security Resource Guide for Tax Professionals
- IRS Publication 5708, Creating a Written Information Security Plan for Your Tax & Accounting Practice
- IRS Publication 5709, How to Create a Written Information Security Plan for Data Safety
- Slatten and Marietta, “Complying With the Safeguards Rule for Information Security,” 54-5 The Tax Adviser 50 (May 2023)
- Holets, “Proposed AICPA Tax Standards Address New Concerns,” 234-12 Journal of Accountancy 30 (December 2022)
- SSTS 1.3, Data Protection
Contributors
Conrad Davis, CPA, is a partner with Crowe LLP in Sacramento, Calif., and a member of the AICPA Tax Practice & Procedures Committee. April Walker, CPA, CGMA, is lead manager–Tax Practice & Ethics, Public Accounting, for AICPA & CIMA, together as the Association of International Certified Professional Accountants. For more information about this column, contact thetaxadviser@aicpa.org.