A breach of client data: Risks to CPA firms
You walk into your office on a Saturday morning during tax season to find a staff member waiting for you with sweaty palms and a look of terror on her face. She takes a while to get the words out, but you soon learn that she backed up some client files to an unencrypted flash drive and dropped it in her purse before going to a “happy hour” the night before. Upon returning to her table from the restroom, she discovered her purse was nowhere to be found. She had been preparing payroll tax returns for several clients with multistate locations, and the flash drive contained payroll data such as names, Social Security numbers, addresses, salaries, and wages.
You have a lot of questions. What other data were on the flash drive? Which records were exposed? What information should be shared with your staff? How should they respond to related inquiries? How and when should the firm break the news to affected clients? Other questions may not immediately come to mind but are still very important. Is the clock ticking on state law requirements to notify affected businesses and individuals? Does state law require you to offer credit monitoring services to affected individuals?