Keeping Client Data Private When Using Subcontractors

The legal and professional responsibilities of CPA firms to keep client data private also extend to subcontractors, and relying on good faith is not the answer.

Allowing subcontractors access to confidential client information “can create havoc in minutes,” writes CNA’s Joseph Wolfe in an article in the June issue of the Journal of Accountancy. Subcontractors can include payroll providers, administrative help or outsourced tax return assistance during busy season.

“Typically, unauthorized disclosure of confidential client data by a subcontractor relates to the activities of its employees rather than a rogue act by an unknown third-party hacker,” the article reads. “Subcontractors with inadequate controls over access to data present elevated risk to CPA firms. A breach may arise from unintentional and careless mistakes, as well as from intentional acts by subcontractor employees.”

Wolfe, a risk control director, recommends appropriate risk mitigation strategies related to the subcontractor’s screening, training and monitoring policies for its employees, as well as its privacy and security policies. He also advises entering into a written contract that addresses not only the privacy and security policies, but also indemnification, data breach protocol and insurance coverage. An attorney should review it.

In concluding the article, Wolfe says CPA firms also should look within. “Now is an excellent time to review and update the firm’s processes to protect confidential client data, train employees and understand how insurance coverage may apply in the event of a data breach.”