As the use of technology in business continues to accelerate, so too does the risk that comes with it. This is especially true for organizations that deal with sensitive data and information, such as accounting and finance professionals. As such, CPAs need to understand GLBA IT security and compliance and what they can do to protect sensitive data and information.

This article explores the scope of IT security and compliance for CPAs, summarizes the major dangers and risks of non-compliance, and outlines the steps you can take to protect your client’s sensitive data and information.

What Is The Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act (GLBA) is a U.S. law dealing with financial institutions and the rules regarding their operations. The law was first passed in 1999 but is comparatively not often discussed by technology professionals.

GLBA, at the highest level, regulates financial institutions and the data they collect. It also governs the security standards that financial firms must maintain to protect customer data (called non-public information, or NPI) and account details. All financial firms must comply with GLBA, regardless of the type of business they conduct.

Do CPAs Have To Be GLBA Complaint?

The GLBA applies to all types of businesses, including CPAs, dealing with sensitive data, including banking and accounting information. GLBA compliance should be one of the first regulatory frameworks that a new financial firm works towards. Whether you’re a single CPA working alone or have a firm of 20 CPAs working together, GLBA applies.

GLBA IT Security Requirements

The GLBA requires financial institutions to take affirmative steps to prevent the unauthorized collection, use, or disclosure of NPI. The requirements for this are found under the Privacy Rule and the Safeguards Rule.

The Privacy Rule obligates financial institutions to provide consumers and customers with a degree of privacy protection. A consumer is anyone who obtains any kind of product or service from a financial institution, while a customer is only someone who establishes an ongoing connection with one.

A financial institution must provide privacy notices to consumers. This means they need to give the notice when establishing a consumer relationship and on an annual basis going forward. The GLBA requires that if you are using a piece of NPI, then it needs to be explained how that information is used and shared as well as how it’s protected from unauthorized access or disclosure; for there not to be any confusion about this topic, instructions for opting out must also be included.

GLBA’s Safeguards Rule is far more technical. It imposes strict rules on how financial institutions must protect the consumer information they have. It requires that they have to take reasonable steps to protect that information from unauthorized access, use, or disclosure. The rule also obligates them to establish a written information security program. In other words, there’s a lot of paperwork involved when it comes to safeguarding your NPI.

The Safeguards Rule requires that all financial institutions have a written information security program in place. They put in place appropriate administrative, technical, and physical safeguards surrounding their customer data confidentiality, integrity, and availability. This means that you need to be able to show how you’re protecting your customers’ data and that you need to be able to show how you’re doing it in case a regulatory body or court comes knocking on your door asking for attestation.

The Safeguards Rule also requires financial institutions to ensure that their staff understands the privacy requirements for NPI under the Privacy Rule and make sure they understand their roles and responsibilities in terms of protecting that information.

As a CPA concerned with GLBA IT security compliance, the Safeguard Rules usually mean implementing a strong information security program that includes things like:

• Strong authentication methods (such as two-factor authentication)
• Strong encryption at rest and in transit
• Access control measures (such as least privilege)
• Monitoring of transactions and review of audit trails (to detect any suspicious activity)

Legal Risks of Non-Compliance

When CPAs don’t adhere to GLBA IT security requirements, they increase the risk of a data breach and fines. Fines increase based on the breached type of data and the overall size of the breach. Suppose hackers were able to steal sensitive data from a firm and use it for malicious purposes. In that case, the firm could incur legal fees and damages from its customers, even if your services agreement has liability waivers. Fines can also increase depending on the size of the company and the consequences of violating GLBA.

Furthermore, many insurers will not cover a breach caused by a lack of security compliance with GLBA. Also, suppose the federal, state, and local regulatory bodies audit your financial firm. In that case, you could face legal penalties for failing to comply with GLBA IT requirements, including up to five years of prison and revocation of your licenses.

In summary, failing to comply with GLBA puts your firm at risk of fines and negative publicity. While many CPAs have already adopted new policies and procedures to protect their clients’ data and meet their obligations under GLBA, it never hurts to review your practices and make sure you’re doing everything to keep your clients’ personal information secure.

Using an MSP to Achieve Compliance

An MSP can help you meet GLBA compliance. MSPs are also known as managed services providers and are used to help companies with IT management, monitoring, and optimization.

An MSP can help you implement a breach notification policy, enhance your compliance program, and improve the overall security of your business. MSPs can also help you implement security best practices such as implementing a firewall, ensuring patch management, and using an intrusion detection system.

Conclusion

Ultimately, CPAs must understand the risks of not complying with GLBA and take precautions to protect sensitive data. While many challenges are associated with GLBA compliance, they don’t have to be insurmountable. The key is to understand the risks and work with an MSP to help you successfully meet GLBA compliance.