Understanding the Full Cost of a Data Breach

Indirect costs often have a much greater impact, especially for smaller firms.

By Donny Shimamoto
Cybersecurity for Accountants

Generally, a data breach is considered to have occurred when there is unauthorized access to personally identifiable information (PII). Originally, PII was defined only as:


  • A first name or initial and last name, along with one of:
    • Social Security number (SSN)
    • Driver's license number
    • Credit or debit card number
    • Financial account number with access code (e.g., a bank account number and PIN)
  • Personal health information (also known as PHI)

However, because the public has become more sensitive to privacy concerns and legislatures have responded, the following are now also often treated as PII: [i]

  • Taxpayer ID number (e.g., state taxpayer identification numbers)
  • IRS Identity Protection PIN
  • Passport number, military ID number, or other government ID number
  • Health insurance policy information
  • Biometric information
  • Online account credentials

Tax practitioners often have access to their clients' tax information, bank account numbers and sometimes other personal information, especially if you are doing full financial planning for your clients. So be sure you understand which of the data you hold must be protected, and which must be reported on, if you have a suspected or actual data breach. Yes, these requirements apply even if you only have a suspected data breach.

Protect your treasure trove.
As quickly as the IRS detects the latest schemes, fraudsters come up with other attack vectors. Many are funded by rogue nation-states, so they have more resources available to them than we do. However, this doesn't mean you can just give up and let them run rampant. Doing so leaves you vulnerable to litigation in the event of a data breach, and to business disruption from ransomware.

The bottom line is that fraudsters have figured out that your firm holds a treasure trove of taxpayer information. They have also realized that small tax firms are less sophisticated and often don't have strong cybersecurity measures in place. You must take steps to protect your firm and your clients.

Dealing with a data breach involves both direct costs and indirect costs. Direct costs are those you incur to investigate the breach, contain its consequences, and help the victims (your clients) protect themselves from potential fraud.

Sometimes, when I present at conferences about the cost of a data breach, the question comes up: "Well, I have cyber-liability insurance. Won't that just cover everything? Do I need to worry about these costs?" The answer is yes, you still need to worry about these costs. Cyber-liability insurance will often cover the direct costs, but it does not cover the indirect costs.

Indirect costs often have a much greater impact, especially for smaller firms. These include the time you and your staff lose notifying clients and handling their resulting inquiries, time spent working with investigators and authorities, time responding to regulators and others who are checking the appropriateness of your response to the breach, and the potential loss of current and prospective clients. These indirect activities and costs are often far more disruptive for small firms because staffing is already stretched thin, and now you must deal with the breach while continuing normal operations. This is even worse if the breach is discovered during busy season.

What does a data breach cost?
What does it cost to deal with a data breach? According to IBM's 2022 Cost of a Data Breach Report, the average is $164 per record. [ii]

Figure 2 – Average per-record cost of a data breach

The chart above shows the average cost per record involved in a data breach in the U.S. This cost has increased significantly in the last couple of years (over the pandemic), so it is even more important that you take proactive action to prevent a breach from occurring.

You can use this number to estimate your own cost of dealing with a data breach. To estimate the impact on your firm, count the following:

  • How many clients' PII do you have? Remember that this is not just the number of returns you prepare; it includes each taxpayer on the return. So a joint return for a married couple with two kids would be four records.
  • How many vendors' or business partners' PII do you have? Originally, this segment would only have been at risk if the vendor was a sole proprietor and you had their SSN. However, with the expanding definition of PII to include business tax identification numbers, you need to include business entities in this count, too.
  • How many employees' PII do you have? While employees are much less likely to sue you in the event of a data breach, you may still be subject to fines and penalties from regulatory agencies if you fail to protect employees' PII, so include them in the count, too.

Multiply the sum of the above by $164.

Keep in mind, though, that the average above spans a wide range of organization sizes, so for small and mid-sized firms I often recommend multiplying the result by two or three. You simply won't have the economies of scale that larger organizations have in dealing with a breach.
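To make the two lists above and the record count usable against your own data inventory, here is an added Python example (mine, not the author's, and not tied to any particular firm's systems). It encodes the original "name plus identifier" definition and the expanded list of elements as a check on the fields stored for each person or entity, then counts the records that trigger the definition and applies the $164 average and the two-to-three-times small-firm factor. Assumptions, not from the article: the field names, the sample inventory (constructed), treating a business name as the name element for vendor entities, and applying the expanded elements the same way as the original ones (name plus element). Which elements actually trigger notification depends on the statute that applies to you, so adjust the two sets to match it.

```python
"""Inventory check: which stored records meet the PII definition above, and
what a breach of them might cost. Added example, not from the original
article; field names and the sample inventory are constructed."""

# Elements from the original definition that make a record PII when stored
# together with a first name (or initial) and last name.
ORIGINAL_IDENTIFIERS = {"ssn", "drivers_license", "card_number"}

# Elements the article lists as now also often treated as PII. Assumption in
# this example: they are applied the same way, i.e. name plus element.
EXPANDED_IDENTIFIERS = {
    "taxpayer_id",             # includes business tax IDs
    "irs_ip_pin",
    "government_id",           # passport, military ID, other government ID
    "health_insurance_policy",
    "biometric",
    "online_credentials",
}

COST_PER_RECORD_USD = 164      # IBM 2022 per-record average cited above


def has_name(fields):
    """Name element of the definition. Assumption: a business name plays the
    same role for a vendor or business-partner entity."""
    person = "last_name" in fields and (
        "first_name" in fields or "first_initial" in fields
    )
    return person or "business_name" in fields


def pii_triggers(fields, expanded=True):
    """Return the elements that make one record reportable PII.

    fields: the set of data elements the firm stores for that person or
    entity. PHI counts on its own; everything else only counts when paired
    with a name, and a financial account number only counts when the access
    code (e.g. a PIN) is stored alongside it.
    """
    triggers = set()
    if "phi" in fields:
        triggers.add("phi")
    if not has_name(fields):
        return triggers
    triggers |= fields & ORIGINAL_IDENTIFIERS
    if {"account_number", "access_code"} <= fields:
        triggers.add("account_number_with_access_code")
    if expanded:
        triggers |= fields & EXPANDED_IDENTIFIERS
    return triggers


def count_pii_records(records, expanded=True):
    """Count records (one per taxpayer, dependent, vendor or employee)."""
    return sum(1 for r in records if pii_triggers(r, expanded))


def estimate_breach_cost(records, expanded=True, small_firm_multiplier=1):
    """Records times the per-record average, scaled by the small-firm factor."""
    n = count_pii_records(records, expanded)
    return {"records": n,
            "estimate_usd": n * COST_PER_RECORD_USD * small_firm_multiplier}


# Constructed sample inventory: one set of stored fields per record.
SAMPLE_RECORDS = [
    # Joint return, married couple plus two dependents: four records
    {"first_name", "last_name", "ssn"},
    {"first_name", "last_name", "ssn"},
    {"first_initial", "last_name", "ssn"},
    {"first_initial", "last_name", "ssn"},
    # Prospect: name and e-mail only, no identifier
    {"first_name", "last_name", "email"},
    # Planning client: bank account number stored with its PIN
    {"first_name", "last_name", "account_number", "access_code"},
    # Bookkeeping client: account number without an access code
    {"first_name", "last_name", "account_number"},
    # Client whose IRS Identity Protection PIN is on file
    {"first_name", "last_name", "irs_ip_pin"},
    # Vendor: a business entity with its tax ID
    {"business_name", "taxpayer_id"},
    # Employee payroll record
    {"first_name", "last_name", "ssn", "account_number"},
]

if __name__ == "__main__":
    for expanded in (False, True):
        label = "expanded" if expanded else "original"
        for mult in (1, 3):
            print(label, mult, estimate_breach_cost(SAMPLE_RECORDS, expanded, mult))
```

On the constructed inventory, the original definition counts six records (the four people on the joint return, the planning client with account number and PIN, and the employee), while the expanded definition adds the client with an IP PIN and the vendor entity, for eight. The prospect and the client whose account number is stored without its access code never count. Swap `SAMPLE_RECORDS` for an export of which fields each of your own client, vendor and payroll records actually contains.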

How does that number sound to you? Being proactive now can save you a lot more down the road.


[i] Connecticut Office of the Attorney General, "Privacy and Data Security in Connecticut," presentation at the CTCPA Cybersecurity Conference, November 2022
[ii] IBM, 2022 Cost of a Data Breach Report, https://www.ibm.com/reports/data-breach