Internal Operating Procedures Adopting formal operating procedures for managing security risks is highly advisable, and may even be contractually required in some instances. CPA firms should consider developing centralized guidance containing all data security-related actions that must be taken pursuant to agreements with customers and with their own vendors, including specific firewall requirements or user authentication systems. These requirements should be reviewed prior to any changes to the firm’s IT and security systems to ensure any update does not inadvertently put the provider in breach of an agreement. This document should also summarize the substantive contractual requirements related to a data breach, such as the time for notice to the other party and any indemnification obligations for the firm. A similar approach should be taken with regard to keeping track of all duties imposed by federal, state, and local laws and regulations, as well as relevant case law developments that have an impact on those duties. CPAs should also keep a record of internal plans regarding data breaches, making sure to build out contingency plans for various types of breaches. These plans should involve any legal or public relations response that the firm may need to undertake. Consulting with legal counsel is highly recommended in developing these plans, as such plans must take account of rapid changes in privacy and data security law and should be developed with an eye towards potential future litigation. Imposing Security Requirements on the Customer CPA firms should seek to impose security requirements on the customer when the services will require the firm to access the customer’s system, or when the customer will have some access to the firm’s own system. For example, a firm might obligate customers to shore up the security of their technology ecosystems by mandating maintenance of firewalls or network access protocols. This language should be carefully constructed to prevent developments in technology and cyber threats from rendering it obsolete. One way to accomplish this is to reference accepted industry cybersecurity standards, such as the U.S. Department of Commerce NIST framework. If service providers decide to include these kind of requirements in their contracts, they would be well advised to treat and contractually require their customers to treat them as strictly confidential. Knowledge of a service provider’s security protocols can be useful to malicious actors attempting to breach the service provider’s system or service. Insurance Coverage CPA firms should ensure they have proper insurance coverage for data breach liability. Many commercial general liability insurance policies contain exclusions for cyberattacks and related issues. Some insurers will not cover data breach liability, while others will only do so if an insured purchases the correct endorsement. Firms should seek out cyber coverage that will pay the costs of investigating potential breaches, providing affected parties with notice of breaches, and paying employees for additional time and effort required to respond to breaches. Such coverage may also pay for the costs of data restoration, blackmail or extortion, loss of business income, and legal fees that arise out of data breaches. Protecting clients’ data is not only a legal obligation but is also critical for maintaining trust and credibility, making robust data security measures essential. Utilizing these three key opportunities to safeguard your clients’ personal information and ensuring data security can help you minimize liability of cyberattacks. Maureen Fulton is chairman of Koley Jessen’s Data Privacy and Security practice. She advises businesses on developing comprehensive privacy and data security programs and provides guidance to companies as they navigate through state, federal, and international privacy laws and regulations. Fulton has supported numerous clients in preparing for and responding to data breach incidents and also has extensive experience in performing data privacy and security due diligence for buyers and sellers in merger and acquisition transactions. She can be reached at maureen.fulton@koleyjessen.com. Mikaela Witherspoon is a staff attorney with Koley Jessen. She counsels clients on various data privacy matters, including compliance with privacy laws such as the EU’s GDPR and California’s CCPA. With her knowledge of the interplay of intellectual property, data privacy, and commercial law, Witherspoon also drafts and reviews data transfer, data license, and software license agreements, as well as other technology-related contracts that protect clients’ rights and intellectual property, while also minimizing liability and ensuring compliance with privacy and data protection regulations. She can be reached at mikaela.witherspoon@koleyjessen.com. IPE 1031 | 888.226.0400 | WWW.IPE1031.COM | INFO@IPE1031.COM EXPERTISE From a Respected Industry Leader THE PREMIER SPECIALIST FOR SECTION 1031 EXCHANGES SECTION 1031 EXCHANGE 21 www.nescpa.org
RkJQdWJsaXNoZXIy ODQxMjUw