The Gramm-Leach-Bliley Act (“GLBA”) was passed by Congress in 1999 with bipartisan support. A component of the GLBA, its Safeguards Rule, was first established in 2003 and required organizations defined as “financial institutions” to establish measures to keep their customers’ private information secure. In accordance with GLBA provisions, the Federal Trade Commission (“FTC”) has authority to issue regulations ensuring that financial institutions protect the privacy of consumers’ personal financial information.
In late 2021, the FTC amended the Safeguards Rule to make changes to address current technology. The changes included a more expansive definition of “financial institutions” and added new responsibilities requiring enhanced administrative, technical, and physical safeguards designed to protect customer information. Certain provisions of the updated rule were effective December 9, 2022, and the remaining provisions became effective June 9, 2023. The revised Safeguards Rule specifies safeguards covered organizations must implement as part of their information security program.
Under the guidance, “financial institutions” is defined broadly, which can affect organizations across many industries. For example, nonbanking financial institutions engaging in financial activities, or in activities incidental to such financial activities (e.g., CPA firms, tax professionals), that collect Personally Identifying Information (“PII”) need to be aware of changes that build on the original Safeguards Rule framework in key data security areas.
The overarching objectives for an information security program under the rules include:
- Ensuring the security and confidentiality of client information.
- Implementing safeguards against anticipated threats to client information.
- Preventing unauthorized access to information systems linked to client information.
Is your firm fully compliant with the revised Safeguards Rule?
The Safeguards Rule applies to organizations of all sizes, with reduced compliance standards for entities maintaining fewer than 5,000 client/customer records. What constitutes client/customer records is somewhat unique for every organization, and that certainly holds true for CPA firms and tax professionals. Because the revised Safeguards Rule applies to all PII that organizations maintain, for accounting firms this includes the PII maintained for former and current clients, and for any ancillary contacts associated with the client that a firm maintains including, but not limited to, the PII of current and former clients’ owners, members, partners, employees, and customers.
For example, if a firm prepares K-1s for hundreds of partners of a partnership client, the personally identifiable records would include the PII of each partner. Since there is no business client exception, it would be unwise for most CPA firms to rely on the 5,000 client/customer records exception without performing due diligence to ensure they have adequate systems in place to accurately track the number of personally identifiable records maintained for current and former clients. Under the Safeguards Rule, if at any point an organization exceeds 5,000 personally identifiable records, the entity no longer qualifies for the Safeguards Rule’s exception and must comply with all the Rule’s required safeguards.
Information Security Plan
Under the Safeguards Rule, a firm is required to have a written Information Security Plan that outlines the firm’s information security program protecting its client data. Information Security Plans should be individually crafted to be sufficient and appropriate for the firm’s size and complexity, nature and scope of activities, and the sensitivity of its client information.
To comply with the updated Safeguards Rule, a CPA firm’s Information Security Plan needs to outline the physical, technical, and administrative safeguards the firm utilizes to protect its confidential client data from potential breaches and cyberattacks. The plan should appropriately incorporate the following elements:
- Designation of a qualified person responsible for overseeing, implementing, and updating, as needed, the information security program;
- Creation of a written risk assessment that identifies reasonably foreseeable internal and external risks and assesses the sufficiency of any safeguards in place to control those risks;
- The design and implementation of safeguards appropriate to the size and complexity of the organization to control its identified risks. The following are a few examples of safeguards that should be considered, although this list is not meant to be all-inclusive:
  - encryption of data in transit and at rest
  - firewalls
  - password protection
  - securing access to file rooms and file cabinets
  - implementing and periodically reviewing access controls to client information, limiting access to those with a legitimate business need
  - implementing multi-factor authentication;
- The regular monitoring and testing of the effectiveness of established safeguards (i.e., monitor and log activity to detect unauthorized access through continuous monitoring, annual penetration testing, or by other appropriate vulnerability assessments);
- Security awareness training;
- Periodic assessment of third-party service providers;
- Keeping your information security program current;
- A written incident response plan; and
- Periodic reporting to the firm’s governing body (e.g., firm’s Executive Committee, Managing Partner).
CAMICO has created an illustrative Written Information Security Plan template. The template is designed to incorporate and reference established firm policies. It is located on the Members-Only Site in the Cyber/Data Security Resource Center.
A CPA firm’s efforts to comply with the Safeguards Rule are organization-specific and, as such, CAMICO recommends that each firm work with its IT/cyber specialists and legal counsel to modify and tailor this template to ensure the firm’s compliance with the GLBA’s Safeguards Rule and other applicable laws.
Risk management tips
Although the FTC’s deadline for compliance has passed, it is never too late to reassess and update, as needed, the firm’s efforts to comply with all applicable provisions of the Safeguards Rule. Remember that developing an information security program is not a one-size-fits-all exercise. Every firm will need to ensure that it has the required safeguards in place for its size (based on the number of personally identifiable records maintained), complexity, and the nature and scope of the services it renders.
From a risk management perspective, DOCUMENTATION is critical, and it is the first line of defense if your firm were ever alleged to have not complied with the Safeguards Rule. For example, if your firm is limiting its compliance efforts to the minimum required for firms with fewer than 5,000 personally identifiable records, be sure to have appropriate documentation of that determination and ensure that you have a mechanism in place to alert you if you ever have 5,000 or more personally identifiable records.
In addition, CAMICO strongly encourages firms to take the time needed to keep the firm’s Information Security Plan relevant and updated to showcase your ongoing efforts to ensure compliance with the spirit and intent of the Safeguards Rule.
Resources
For more risk management guidance and information on cyber and data security issues, access CAMICO’s Cyber/Data Security Resource Center on our Members-Only Site. CAMICO policyholders with questions regarding this communication or with other risk management questions should contact the Loss Prevention department at lp@camico.com, or call our advice hotline at 1.800.652.1772 and ask to speak with a Loss Prevention Specialist.
Additional resources for CPA firms include: