Protect your clients – and your firm – by being proactive.
By Donny Shimamoto, CPA, CITP, CGMA
In the last few years, we have started to see state legislatures and attorneys general recognize that tax practitioners are trying to protect their clients. They are formalizing this recognition through changes to regulations or laws that include "safe harbor" provisions, which limit or eliminate the fines and penalties for tax practitioners who take proactive action to manage their cybersecurity risks.
As of December 2022, the following states have some type of safe harbor provision in place:
In contrast, states like California and Colorado are taking the opposite approach and penalizing organizations that have data breaches.[iv]
Keep in mind that your compliance requirement is not dependent upon where your firm is based, but rather on the jurisdiction(s) in which your clients reside. So even if your firm is based in Nevada, if you are preparing a return for someone who resides in California, you need to comply with California's requirements.
The bottom line is that it is actually in your best interest to comply with the various requirements to reduce your potential cost of dealing with a breach. Because of the varying jurisdictional requirements, I usually recommend that firms take the approach of just following the most stringent requirements, which pretty much means that you will minimize your risk of a breach and minimize your costs should a data breach actually occur.
Tax practitioner cybersecurity requirements
In response to continually evolving cybersecurity threats, many government agencies and state legislatures are increasing the requirements that tax practitioners must follow to protect taxpayer information. As discussed in the previous section, these requirements vary by state, and you need to comply with the requirements of the states in which your clients reside, not just the state where your firm is located.
In addition, the IRS and FTC have both provided guidance on what they expect organizations that handle taxpayer information to do to protect that information. Since this guidance applies universally to small firms and, for the most part, also encompasses state-level expectations (except in more stringent states such as California), it is important to know and understand both the IRS and FTC requirements.
[i] https://www.dataprotectionreport.com/2021/07/connecticut-enacts-cybersecurity-breach-safe-harbor/, July 2021
[ii] https://codes.ohio.gov/ohio-revised-code/section-1354.02, November 2018
[iii] https://www.shrm.org/resourcesandtools/legal-and-compliance/state-and-local-updates/pages/utah-creates-safe-harbor-for-companies-facing-data-breach-litigation.aspx, April 2021
[iv] https://techbeacon.com/security/why-safe-harbor-best-way-forward-data-protection