Breaches that expose the data of hundreds of thousands and even millions of consumers are becoming regular headlines, with cybercrime on the rapid rise and efforts to plug the leaks struggling to keep pace.
Similarly at risk, however, is employee data, which can include home addresses, social security numbers or phone numbers, among other sensitive information. While most data protection laws in the U.S. are focused on customers, a notable recent Pennsylvania Supreme Court
Like the health care industry, the financial services sector is heavily
What’s at risk?
Unfortunately, many businesses don’t think about cybersecurity until it becomes a problem. Officers and board members sometimes just assume their IT departments have taken care of it with a firewall and antivirus software. A recent
Businesses in financial services are particularly appealing to hackers because they handle inherently sensitive and valuable information. For accountants, this often includes banking and personal wealth account information, and a bad actor who can access a client’s information can likely reach an employee’s just as easily.
Even outside of a firm, accountants are ideal access points for cybercriminals. Someone who works in the accounting department of a business could be just the backdoor a hacker needs to cause havoc. It’s as simple as someone innocently opening what turns out to be a phishing email — the most common doorway for scammers — and a piece of malware can spread through an entire system.
What laws apply?
Cybersecurity law is still evolving, especially in the U.S., where at least
Most domestic laws concern the business-consumer relationship, with nothing much to say about protecting employees. That could change as cybersecurity statutes develop, and courts are beginning to recognize that businesses have a duty to provide “reasonable care” for employee data, as the justices did in the UPMC case. And while it’s a broad term mostly used in a legal sense, reasonable care can generally be satisfied by using the
A firm basing its cybersecurity policy and procedures on those guidelines would likely be considered to be meeting a standard of reasonable care, at least partly protecting itself from potential litigation in the event of a breach.
What can employers do now?
Larger corporations can normally weather the financial impact from a data breach, and they have the resources to limit the damage, thanks to internal departments dedicated to cybersecurity. But small and medium-sized firms can be truly harmed by breaches and the resulting blows to their finances and reputation.
Many independent accounting firms fall into the latter category. They may be large enough to have a significant amount of useful data on their network, but not big enough to pay their own IT staff or have the resources available to train employees. Doing nothing, however, is unacceptable, and while relying on third-party vendors may offer a cheap and quick solution, often those vendors simply deploy a one-size-fits-all firewall and password-protected accounts, and nothing more.
As data protection for customers and employees becomes a priority, firms must be proactive and pay close attention to their own cybersecurity policies and procedures. At a base level, they should be taking an audit of what sensitive information is on their network — this is something accountants certainly already do well. Beyond that, employees should be trained on the signs of phishing scams or malware in their email, as well as proper password management. Additionally, legal counsel can help leaders craft a policy that addresses the cybersecurity laws that apply in their respective states and other wider regulations such as GDPR.
Failure to properly address any of these issues could have severe consequences not only for customers and employees, but for the firm itself. Fortunately, with proper planning and information, cyberattacks don’t have to be inevitable.