Protect your data … or pay the price
We took a closer look recently at the Federal Trade Commission's "Red Flag Rule," which requires many businesses to enact plans to, in the FTC's words, "detect the warning signs –- or 'red flags' –- of identity theft in their day-to-day operations."
- UPDATE: The FTC has delayed the enforcement deadline for its "Red Flags Rule" until June 1, 2010. Get details here.
When it comes to privacy protection, though, that's just the beginning.
I recorded a podcast recently with Marilyn Prosch, an associate professor in the Department of Information Systems Management at Arizona State University, She has written articles and done research on privacy, electronic commerce, information security, accounting information systems ... in short, she knows her stuff, and she offered some insight into the privacy issues that are impacting CPAs and their clients these days.
At CPA firms: High-profile examples of data breeches -- employees of large firms who lose laptops that contain sensitive data, for example -- drive home the importance of privacy protection at CPA firms. "CPAs are supposed to be their clients' trusted advisors," Prosch said. "They really need to go the extra mile and do whatever it takes to secure the data that they put on their own personal computers and laptops about their clients."
In corporate America: Data breeches do more than expose flaws in a company's internal controls; they also hit CFOs and other finance executives where they hurt -- right on the bottom line. According to Prosch, a breech costs a company an average of $200 per record. If hundreds or thousands of records are compromised, we start talking about real money. And we haven't even brought the regulators into the picture yet. If the FTC decides to sanction a company because of a data breech, that company could face a security audit every two years for the next 20 years. "Having to throw resources out to do damage control in a data breech is something that no CFO wants to go through," Prosch said. "Plus, it's a signal that the company just doesn't have good controls."
In cloud computing: "The vendors in the cloud need to provide some assurances to their clients that their systems are secure and that they will process their data," Prosch said. "We're going to see a lot of cloud computing vendors getting (privacy) audits so that the rest of the business community can make their customers feel comfortable."
On social networks: Loose-lipped employees and malicious code embedded in third-party applications can make social networking a risky endeavor for businesses. That's where a clear set of policies and procedures come into play. "First, you have to decide what your business can achieve by allowing social networking to go on," Prosch said. "In many cases, it may be a great fit. If so, you need to have some guidelines about what employees can and can't do on these social networks as it relates to the business."
Prosch also offered her thoughts on the Red Flag Rule and what it means for CPAs. Listen to our conversation in its entirety.
- Subscribe to our podcast here, or search for "CPA Spotlight" in iTunes.
Want to learn more?
Here are a few other resources that offer expanded looks at security and privacy:
- Security for Accountants: New Legal Requirements and Practical Solutions, Nov. 5 at the Columbia Center
- 2009 MACPA Technology Conference, Dec. 7 at the Sheraton Columbia Hotel
- FTC "Red Flag Rule" resources
- AICPA "Red Flag Rule" guidance
- "Preventing identity theft throughout the data life cycle," a JofA article written by Prosch
- "Outsourcing and privacy: 10 critical questions top management should ask," a Statement article written by Prosch