Your 2014 CPA Privacy Checklist Cheat Sheet

May 02, 2014
Kevin Lam

The accounting and legal industries handle some of the most sensitive information there is, on a daily basis, which makes them prime targets for hackers. To address this risk, the AICPA published the CPA Firms Privacy Checklist, based on selected Generally Accepted Privacy Principles (GAPP).

The checklist does a good job of explaining what needs to be done, but not how to do it. The average firm will have no idea where to start. So in this article I went ahead and did all the hard work for you.

Checklist Item #1 “Notice”

This checklist item recommends that firms provide customers with notice of their privacy policies, their procedures for handling sensitive information, and how data is used. The checklist recommends that firms use the standard statements required by the GLBA. Here is a model privacy form from the SEC’s Entity Compliance Guide at You will need your attorney to review and approve the form, but it’s a great starting point.

Checklist Item #2 “Security”

This checklist item covers what firms should do in order to protect personal information from unauthorized access. There are several components to this checklist item:

Checklist Item #3 “Management”

A major component of this checklist item is that employees receive training on the importance of keeping Personal Information secure. The Protecting Personal Information: A Guide for Business at (Update: PDF is no longer available) from the FTC is probably the best one I’ve seen that nearly everyone can understand. Not to mention that it’s short, sweet, to the point, and free.

Checklist Item #4 “Disclosure to Third Parties”

This item simply guides firms to disclose information to third parties in a fashion that is consistent with the privacy notice in checklist item #1. There’s nothing more to this item, but you may want to require that all employees read and regularly review your firm’s privacy notice.

Checklist Item #5 “Use and Retention”

An important part of this checklist item is that firms only retain personal information for as long as it’s needed. After that period, the information should be destroyed. Paper records are easy: just shred them. But for electronic records, after you delete them make sure you render them unrecoverable, since a normal delete only removes the directory entry and leaves the file’s contents on disk until they happen to be overwritten. Here’s an article on just how to prevent deleted files from being recovered on Windows and Mac.
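As an added example (not from the original post or from the AICPA checklist), here is a small Python routine that overwrites a file’s contents with random data, flushes the overwrite to disk, scrubs the file name, and only then unlinks it. The `secure_delete` and `demo` functions, the pass count, and the fake client record are all constructed for this illustration.

```python
"""Added example: overwrite a retired record before deleting it so that a
plain "undelete" of the directory entry cannot bring the contents back.
All names, sizes and sample data are constructed for this demo."""
import os
import tempfile


def secure_delete(path: str, passes: int = 1) -> int:
    """Overwrite `path` in place `passes` times with random bytes, force the
    writes to disk, hide the original file name, then unlink.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            # write in 1 MiB chunks so large files never have to fit in memory
            while remaining > 0:
                chunk = os.urandom(min(remaining, 1 << 20))
                fh.write(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())   # push the overwrite out of the page cache
        fh.truncate(0)              # the old length should not be visible either
        fh.flush()
        os.fsync(fh.fileno())
    # scrub the file name from the directory entry before removing it
    dirname = os.path.dirname(path) or "."
    anonymous = os.path.join(dirname, os.urandom(8).hex())
    os.rename(path, anonymous)
    os.remove(anonymous)
    return size


def demo() -> dict:
    """Constructed demo: write a fake client record to a temp file, securely
    delete it, and report what happened (used by the usage example below)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    # constructed sample data; not a real client or identifier
    record = b"Client: Example Co.\nSSN: 000-00-0000 (constructed)\n" * 100
    with os.fdopen(fd, "wb") as fh:
        fh.write(record)
    overwritten = secure_delete(path, passes=2)
    return {
        "record_len": len(record),
        "bytes_overwritten": overwritten,
        "still_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical caveats: in-place overwriting only helps on storage where the file system really rewrites the same blocks. On SSDs (wear levelling), on copy-on-write or journaling file systems, and for anything that has already been copied into backups or cloud sync folders, the old blocks can survive the overwrite. For those cases, full-disk encryption with destruction of the key, or the drive vendor’s secure-erase command, is the reliable way to satisfy the “render unrecoverable” step.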

That’s it. I hope this cheat sheet gives you a good head start on protecting your employee and customer personal information. Until next week,

–Kevin Lam