Your 2014 CPA Privacy Checklist Cheat Sheet
The accounting and legal industries handle some of the most sensitive information and on a daily basis. Which makes them prime targets for hackers. To address this risk the AICPA published the CPA Firms Privacy Checklist based on selected Generally Accepted Privacy Principles (GAPP)
The checklist does a good job at explaining what needs to be done, but not how to do it. For your average firm they are going to have no idea where to start. So in this article I went ahead and did all the hard work for you.
Checklist Item #1 “Notice”
This checklist item recommends that firms provides customers with notice about privacy policies, procedures for handling sensitive information and how data is used. The checklist recommends that firms use the standard statements required by GLBA. Here is a model privacy form from the SEC’s Entity Compliance Guide at http://www.sec.gov/divisions/marketreg/tmcompliance/modelprivacyform-secg.htm. You will need your attorney to review and approve the form, but it’s a great starting point.
Checklist Item #2 “Security”
This checklist items covers what firms should do in order to protect personal information from unauthorized access. There are several components to this checklist item:
- Encrypting personal client and employee information: Read this article on how to encrypt data on Windows with a few mouse clicks.
- Strong password: Read this article on how to create strong passwords.
- Protect systems with anti-malware: If you don’t have a commercial anti-malware installed, you can get free anti-malware from Microsoft.
- Encrypt emails: Read this article on how to encrypt emails for free if you don’t already have an email encryption solution.
Checklist Item #3 “Management”
A major component of this checklist item is that employees receive training on the importance of keeping Personal Information secure. The Protecting Personal Information: A Guide for Business at http://www.business.ftc.gov/sites/default/files/pdf/bus69-protecting-personal-information-guide-business_0.pdf (Update: PDF is no longer available) from the FTC is probably the best one I’ve seen that nearly everyone can understand. Not to mention that it’s short, sweet, to the point and free.
Checklist Item #4 “Disclosure to Third Parties”
This item simply guides firms to disclose information to third parties in a fashion that is consistent with the privacy notice in checklist item #1. There’s nothing more to this item, but you may want to require that all employees read and regularly review your firms privacy notice.
Checklist Item #5 “Use and Retention”
An important part of this checklist item is that firms only retain personal information for as long as it’s needed. After that period, the information should be destroyed. Paper records – easy, just shred them. But for electronic records, after you delete them make sure you render them unrecoverable. Here’s an article on just how to prevent deleted files from being recovered on Windows and Mac.
That’s it, I hope this cheat sheet gives you a good head start on protecting your employee and customer personal information. Until next week,
–Kevin Lam