COUNSELOR’S CORNER

TIPS FOR PROTECTING CLIENT DATA & MINIMIZING LIABILITY FOR CYBERATTACKS
BY MAUREEN FULTON & MIKAELA WITHERSPOON, KOLEY JESSEN

The surge in new state data privacy laws has left many service providers concerned about potential regulatory enforcement and fines if data they control is breached. As a result, the security of personal data, and the liability that follows a data breach, is quickly becoming a major component of many commercial contracts, as service providers face potential liability for cyberattacks that compromise third-party and customer data. This is an especially pressing concern given the increasing frequency and complexity of cyberattacks in the private sector. CPA firms can be compelling targets for cybercriminals because they hold extensive collections of clients’ personal information, such as Social Security numbers, addresses, phone numbers, and financial information. The compromise of personal information and the resulting lawsuits, legal fees, and settlements or fines may produce exorbitant damages that could threaten the commercial existence of a firm. CPA firms can distinguish themselves from competitors by staying up to date with the requirements of relevant data privacy laws and regulations and by maintaining strong privacy and cybersecurity systems.

As financial institutions that are “significantly engaged” in providing financial services or products, CPAs are subject to the Gramm-Leach-Bliley Act (GLBA) and are required to establish measures to keep clients’ nonpublic personal information secure.[i] Failure to comply with the requirements of the GLBA can have serious consequences: a financial institution that violates the GLBA faces fines of up to $100,000 per violation.[ii]

In addition, recent developments in state data privacy laws may make some information held by CPAs subject to further legal obligations. The GLBA preempts state laws only to the extent that a state law is “inconsistent” with the requirements of the GLBA. If a state law provides greater protection for consumers than the GLBA, it is not “inconsistent” with the GLBA, and the state law will also apply. The California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), the only two state data privacy laws currently in effect, apply in conjunction with the GLBA but do contain some exemptions applicable to CPAs. The CCPA includes a partial exemption for information collected by financial institutions where the information is “subject to” the GLBA. Information subject to the GLBA is exempt from the requirements of the CCPA, other than the private right of action for consumers related to a data breach. However, information collected by a financial institution that is not “subject to” the GLBA remains subject to all CCPA requirements.

The VCDPA contains a full exemption for financial institutions and their affiliates that are subject to the GLBA. The three additional state privacy laws coming into effect later in 2023 also contain exemptions for financial institutions subject to the GLBA.[iii]

Service providers have three key opportunities to protect their clients’ data: internal operating procedures, security requirements for clients, and insurance coverage.

[i] https://www.aicpa.org/professional-insights/article/cpa-cyber-obligations-and-breach-response
[ii] https://digitalguardian.com/blog/what-glba-compliance-understanding-data-protection-requirements-gramm-leach-bliley-act
[iii] The Colorado Privacy Act and the Connecticut Data Privacy Act become effective on July 1, 2023, and the Utah Consumer Privacy Act becomes effective on December 31, 2023.

20 Nebraska CPA