Let’s say you are a business owner, CPA or EA. Your business has been prospering for many years. You’re sitting back in your chair, wrapping up your day’s work, and sending off one last email. You grin with satisfaction, knowing that soon you will be able to leave your office and spend some quality time with your family, pursue your favorite pastime, or simply relax. Your email suddenly doesn’t work. The tax return PDF you were looking at a minute ago and were ready to send won’t open. None of your files will open. Nothing works. Your entire business is dead in the water.
Your IT person says a ransomware attack hit you, and it’s too late to stop it. The hackers demand you pay an exorbitant fee and trust them to return everything to normal. They eventually start cashing in on your clients’ tax returns, one by one. You are forced to take out a pen and paper and a printed contact list, if you are fortunate enough to have one, and you start calling every single client. Feeling ill with shame, you tell them the terrible news and that they should report the theft of their Social Security Number and personal information to the Social Security Office, the IRS, their identity theft protection service, or whoever can help them now. You suffered a data breach and a ransomware cyberattack.
Since 2016, approximately 4,000 ransomware attacks of this kind have occurred every day in the U.S. You have been making that gamble every day, and you just lost. Now, the only thing ringing in your ears is what Benjamin Franklin said: “An ounce of prevention is worth more than a pound of cure.” But it’s too late.
In March 2020, the NYSHIELD Act came into effect for New York State businesses and for all companies nationwide that have customer information of residents of New York State. There are no exceptions.
The new law illustrates that all businesses, everywhere, need to be aware of cybersecurity best practices, both in their internal operations and in their interactions with other companies. In 2020, amid the global COVID-19 crisis, the idea that “ignorance is bliss” in cybersecurity and compliance is passé.
The NYSHIELD Act requires you to:
- Report data breaches to your clients and other agencies;
- Conduct a thorough and accurate risk assessment of your internal and external risks;
- Create and implement security policies and procedures to reduce those risks; and
- Provide ongoing training, review and monitoring of your security environment.
New York State can issue fines of up to $200,000 for failure to comply in the event of a breach.
Across the country, your documentation may need to meet compliance laws that apply to financial institutions, such as the Federal Trade Commission’s Safeguards Rule, IRS security requirements, the New York Department of Financial Services Cybersecurity Rule, possibly the Health Insurance Portability and Accountability Act, and more.
Besides the health care industry, nobody holds as much sensitive nonpublic information as tax professionals, CPAs, EAs, wealth and investment advisors, and other financial institutions. These businesses come in all shapes and sizes, from sole practitioners to firms with dozens of employees or more.
The risks don’t change. Each owner, regardless of their business’s size, needs to know what their risks are. They need a plan to reduce those risks and protect against reasonably anticipated threats. If a team of elite hackers chose to target a business persistently, they could get almost anyone. Still, nobody wants to be the low-hanging fruit for the myriad experienced or amateur hackers, or even automated threats, that scour the internet 24/7/365 looking for targets. Even a petty thief can steal a laptop protected only by a password and find someone who can get into it if it is not otherwise secured.
Even with robust security, you may need to prove to the government that you have assessed and managed your risks and have the appropriate policies and procedures. Otherwise, you risk more severe consequences.