cybersecurity exemptions for orgs with less than 5,000 clients

you may be off the hook, but not out of the woods.

by donny shimamoto

management consulting company aon described an exemption for some of the ftc requirements for firms that handle the personal identifiable information (pii) of less than 5,000 consumers.[i]

the safeguards rule provides an exception from certain requirements if the covered financial institution maintains customer information concerning fewer than 5,000 consumers. a consumer is defined in section 314.2(b)(1) of the safeguards rule as “an individual who obtains or has obtained a financial product or service from the financial institution that is used primarily for personal, family, or household purposes, or that individual’s legal representative.”

more: how hacker-proof is your firm? | unleashing the power of technology: transforming accountants into trusted advisors | future firm growth requires a mindshift | ai, ocr, nlp & cpas: oh my! | accounting nerds, unlock your super powers | early adopters gain an edge in audit | dustin wheeler: for serious cas success, hire tech teams | csr for cpas: the missing ingredient | donny shimamoto explains how ‘agile’ applies to cpa firms | staff retention for remote workers | why the future is in risk advisory | ready for non-cpa “cpa” firms?
exclusively for pro members. log in here or 2022世界杯足球排名 today.

essentially if you handle less than 5,000 social security numbers, then it would appear that you can take advantage of this exemption. aon went on to report that if you fall under this exemption, then you do not need to address the following requirements:

risk assessment;
testing and monitoring of safeguards;
staff training;
creating a written response plan; and
reporting to the institution’s governing body.

in addition, aon said that only the following safeguards are required of firms that fall under this exemption:

encryption of data in transit and at rest,
multifactor authentication, and
secure disposal of information.

many of you are probably relieved to hear of this exemption, and i am glad that you don’t have to meet all of the requirements as well. they are particularly onerous for sole practitioners and very small firms because they don’t have economies of scale.

however, keep in mind that these requirements are the minimum required level of compliance. i still recommend that all tax practitioners:

do a simplified risk assessment to ensure you understand your risk posture and potential exposures.
do phishing training and testing of themselves and their staff to increase awareness and better prevent a cybersecurity incident.
create at least an outline of an incident response plan so that you have an idea of what to do should a cybersecurity incident occur.

these three controls do not cost much to implement and can help to show that you still fulfilled your professional obligation to protect clients’ data in the event of a cybersecurity incident.

[i] https://www.cpai.com/education-resources/my-firm/data-security-risk-management/how-the-ftc-safeguards-rule-may-affect-your-cpa-firm, february 2023

posted on august 21, 2023

donny shimamoto

about the author

donny c. shimamoto, cpa.citp, cgma, is the founder and managing director of intraprisetechknowlogies llc, a specialized cpa firm dedicated to helping small businesses and middle market organizations leverage strategic technologies, proactively manage their business and technical risks, and enable balanced organizational growth and development. donny also works with larger organizations as a trusted business advisor, facilitating organizational strategic planning and execution, it governance and planning, enterprise architecture, information architecture and assurance, business process improvement, and business intelligence initiatives.

click here for more by donny shimamoto

as the founder of the center for accounting transformation, shimamoto is leading a movement to change the world for the better by empowering and equipping accountants with the leading-edge tools and techniques.

donny was the first certified information technology professional (cpa.citp) in the state of hawaii and is one of only four in the state. the citp credential is a specialty designation of the american institute of certified public accountants (aicpa), that identifies certified public accountants (cpas) with the unique ability to bridge between business and technology; meeting the strict requirements for a cpa license as well as additional training and experience in technology strategic planning, it architecture, business process enablement, system development and acquisition, it audit and control, and it governance.

the immediate past chairman of the aicpa’s imta executive committee, donny has been both influential and critical in several aicpa initiatives including the development of an it competency model for cpas, and redesign of the citp credential. donny previously co-chaired the aicpa’s business intelligence working group, researching and creating practice aids in the area of evidence-based management, application & data integration, and information assurance. donny has also been involved in the authoring of guidance published by the aicpa on it considerations for risk-based auditing and enterprise business intelligence. as a subject matter expert, donny is often an invited speaker at national and international webinars and a familiar key-note speaker at national-level conferences.

donny obtained invaluable knowledge and exposure to a wide range of industries and sectors (retail, hospitality, state government, defense, and higher education) while earning his cpa license as a member of pricewaterhousecoopers llp's business assurance services, operational & systems risk management services, and management consulting services lines of business. with itk he has expanded his industry expertise to include not-for-profit (social services, foundations, and membership organizations), professional services, small businesses, technology, and mobile professionals.

click here for more by donny shimamoto