Privacy Issues Facing CPAs Presentation Outline William C ...


Client Privacy in the New IT Environment Including the Challenges of Cloud Computing
Texas CPA Tax Institute, Nov. 12-13, 2012
William C. Nantz, CPA, CFF, CGMA, RTRP, MBA, JD
The Nantz Law Firm
2828 Bammel Lane, Suite 810
Houston, Texas 77098
713.542.5477
[email protected]

William C. Nantz, CPA, CFF, MBA, JD

This addresses issues related to privacy arising from the expanded use of computers and digital processing of accounting and tax data in the Cloud and elsewhere.

Privacy Issues are important due to the expanded use of computers and the related digital footprint. The IRS requires electronic filing of most returns. The tax return preparer must protect taxpayer information regardless of its location.

Confusion
CPAs in Texas generally do not have to prepare a Privacy Policy for most clients. This is not true for Tax Return Preparers. The Gramm-Leach-Bliley Act ("GLBA"), Texas law, the Texas State Board of Public Accountancy Rules and the Texas Public Accountancy Act exempt a CPA firm from providing a Privacy Policy when performing typical tax or accounting work. CPA firms are only exempt from providing a Privacy Policy to each client, not from the other provisions of the law. The confusion this creates is that a CPA firm must still protect and properly dispose of a client's personal identifying information. Also, a CPA firm preparing taxes will have to give certain disclosures to its clients.

Privacy Policy Issues
CPA license holders and their partners, members, officers, shareholders, or employees are exempted from the requirement to adopt a privacy policy for clients who qualify for the Accountant-Client privilege outlined in the Texas Public Accountancy Act Section 901.457. The trigger permitting avoidance of the privacy policy requirements is a client's qualification for the Accountant-Client privilege. The Accountant-Client privilege in Texas is based upon an agreement to provide professional accounting services between a CPA and his client. If the CPA collects the client's social security information for purposes outside of an agreement to provide professional accounting services, such as for insurance sales or stockbroker purposes, the exemption probably does not apply and the CPA should adopt a privacy code and make the privacy policy available to the client. If a license holder fails to renew his license, the Accountant-Client privilege will no longer be applicable and the unlicensed CPA would be required to adopt a privacy code and make the privacy policy available to the client.

Privacy Policy Issue
Some CPAs will need a Privacy Policy. Examples:
Recruiting Firms need a privacy policy even if owned by CPAs because no professional accounting services are being performed on behalf of a job candidate.
Payroll Services are not exempt because there is no accounting relationship with the client's employee.
These are just some examples where a CPA firm may need a privacy policy.

Where to Find Personal Information
Personal Computers
Tax Returns
Paper files including work papers
Digital Fax Machines
Copiers
Digital files stored in The Cloud. The IRS is pushing for universal electronic filing for everything it receives from tax return preparers, and filing from The Cloud creates numerous security issues.

Digital Footprints
Copiers: http://www.youtube.com/watch?v=6pIFUOav2xE
Personal Computers & how to destroy a Hard Drive: http://www.youtube.com/watch?v=dYcPT-xrLBM

Cloud Computing
Cloud computing is a computing resource deployment and procurement model that enables an organization to obtain its computing resources and applications from any location via an Internet connection. Depending on the cloud solution model an organization adopts, all or part of the organization's hardware, software, and data might no longer reside on its own technology infrastructure. Instead, all of these resources may reside in a technology center shared with other organizations and managed by a third-party vendor.

Cloud Computing
Many cloud service providers (CSPs) are relatively young companies, or the cloud computing business line is a new one for a well-established company. Hence, the projected longevity and profitability of cloud services are unknown. Some CSPs are curtailing their cloud service offerings because they are not profitable. Some CSPs might eventually go through a consolidation period. As a result, CSP customers might face operational disruptions or incur the time and expense of researching and adopting an alternative solution, such as converting back to in-house hosted solutions. Plans for such contingencies need to be included in any Cloud Based Computing plan.

Personal Information
Collection of sensitive personal identifying information may go beyond the information collected from clients and may include information collected regarding employees, potential employees, information collected about a client's employees or customers, and any other situation where sensitive personal identifying information is collected. CPAs are not exempt from the state and federal requirements to safeguard and properly dispose of the sensitive personal identifying information they collect, even if the information is stored in The Cloud.

What is Personal Identifying Information?
Texas law defines sensitive personal identifying information as an individual's first name or initial and last name used in combination with one or more of the following items of personal identifying information:
a. date of birth;
b. social security number or other government-issued identification number;
c. mother's maiden name;
d. unique biometric data, including the individual's fingerprint, voice data, or retina or iris image;
e. unique electronic identification number, address, or routing code;
f. telecommunication access device as defined by Section 32.51, Penal Code, including debit or credit card information; or
g. financial institution account number or any other financial information.

What is Personal Identifying Information?
The U.S. Dept. of Commerce defines personal identifying information as:
Name, such as full name, maiden name, mother's maiden name, or alias;
Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number;
Address information, such as street address or email address;
Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people;
Telephone numbers, including mobile, business, and personal numbers;
Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry);
Information identifying personally owned property, such as vehicle registration number or title number and related information;
Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

IRS Definition of Personal Identifying Information
Safeguarding taxpayer information is a top priority for the Internal Revenue Service. Taxpayer information is any information furnished in any form or manner (e.g. on paper, verbally, electronically, in person, over the telephone, by mail, etc.) by or on behalf of a taxpayer for preparation of their return. It includes but is not limited to a taxpayer's name, address, identification number, income, receipts, deductions, exemptions, and tax liability.
http://www.irs.gov/pub/irs-pdf/p4600.pdf

Agencies Enforcing Privacy Rules
Federal Trade Commission (FTC)

FTC Investigation: Fears that modern copy machines may store images on their hard drives indefinitely have prompted the Federal Trade Commission to take action.
http://thehill.com/blogs/hillicon-valley/technology/98423-ftc-examining-digital-copier-privacy
IRS
Texas State Board of Public Accountancy
Texas Attorney General/District Attorney

Penalties for Revealing Personal Information
IRS: The Internal Revenue Code provides for a fine of up to $1,000.00 and up to one year in jail per improper disclosure of tax related information under I.R.C. Section 7216. Each occurrence is treated separately.
FTC: under the GLBA it is a felony to knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, State law or local law.

Penalties for Revealing Personal Information
Texas State Board of Public Accountancy: up to a $100,000 fine for violation of
a. Public Accountancy Act, Sec. 901.457, ACCOUNTANT-CLIENT PRIVILEGE, or
b. Texas State Board RULE 501.75, Confidential Client Communications.

AICPA/TSBPA Position
The AICPA has adopted Generally Accepted Privacy Principles (GAPP) and recommends that a CPA firm publish its Privacy Policy. At this point in time it is not mandatory for AICPA members or other CPAs to publish a privacy policy; it is only recommended that the policy be published. The Texas State Board generally follows AICPA rules as outlined in RULE 501.62, Other Professional Standards.
http://info.sos.state.tx.us/pls/pub/readtac$ext.TacPage?sl=R&app=9&p_dir=&p_rloc=&p_tloc=&p_ploc=&pg=1&p_tac=&ti=22&pt=22&ch

TSBPA Position
RULE 501.75 Confidential Client Communications: Except by permission of the client or the authorized representatives of the client, a person or any partner, officer, shareholder, or employee of a person shall not voluntarily disclose information communicated to him by the client relating to, and in connection with, professional accounting services or professional accounting work rendered to the client by the person.
http://info.sos.state.tx.us/pls/pub/readtac$ext.TacPage?sl=R&app=9&p_dir=&p_rloc=&p_tloc=&p_ploc=&pg=1&p_tac=&ti=22&pt=22&ch=501&rl=75

TSBPA Position
Sec. 901.457. Accountant-Client Privilege: A license holder or a partner, member, officer, shareholder, or employee of a license holder may not voluntarily disclose information communicated to the license holder or a partner, member, shareholder, or employee of the license holder by a client in connection with services provided to the client by the license holder or a partner, member, shareholder, or employee of the license holder, except with the permission of the client or the client's representative.
http://www.tsbpa.state.tx.us/pdffiles/TSBPAACT.pdf

AICPA Privacy Checklist
The AICPA at the present time is not requiring its members to follow this checklist and states: This checklist provides CPA firms with practical illustrations of selected Generally Accepted Privacy Principles (GAPP) in order to maintain privacy best practices within their organizations.
http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/PrivacyServices/DownloadableDocuments/CPA_Firms_Priva

IRS Position

The Internal Revenue Service also requires CPAs to follow I.R.C. 7216. The AICPA takes the position that: IRC Section 7216 prohibits anyone who is involved in the preparation of tax returns from knowingly or recklessly disclosing or using the tax-related information provided other than in connection with the preparation of such returns. Anyone who violates this provision may be subject to a fine or even imprisonment. The Internal Revenue Code provides for a fine of up to $1,000.00 and up to one year in jail per improper disclosure of tax related information under I.R.C. Section 7216.

Cloud Adds New Parties to the Privacy Party
FTC Privacy of Consumer Financial Information Rule (16 CFR Part 313): This Rule (otherwise known as the Financial Privacy Rule) aims to protect the privacy of the consumer by requiring financial institutions, as defined, which include professional tax preparers, data processors, affiliates, and service providers, to give their customers privacy notices that explain the financial institution's information collection and sharing practices. In turn, customers have the right to limit some sharing of their information.

IRS Position
The IRS also requires tax return preparers to follow privacy rules found in IRC Section 6713, Disclosure or Use of Information by Preparers of Returns.
Title 26: Internal Revenue Code (IRC) 6713. This provision imposes monetary penalties on the unauthorized disclosure or use of taxpayer information by any person engaged in the business of preparing or providing services in connection with the preparation of tax returns. If a return preparer discloses any information furnished to him for, or in connection with, the preparation of any such return, or uses any such information for any purpose other than to prepare, or assist in preparing, the return, he or she will be fined $250 per disclosure up to an annual amount of $10,000.

IRS Position
The Internal Revenue Service takes the following position regarding protection of personal identifying information when preparing a Form 5500: Do not enter social security numbers in response to questions asking for an employer identification number (EIN). Because of privacy concerns, the inclusion of a social security number on the Form 5500 or on a schedule or attachment that is open to public inspection may result in the rejection of the filing. If you discover a filing disclosed on the EFAST2 website that contains a social security number, immediately call the EFAST2 Help Line at 1-866-GO-EFAST (1-866-463-3278). The inclusion of personal identifying information in a public forum is to be avoided.

Cloud Computing Considerations
Monitor, evaluate, and adjust your security program as your business or circumstances change.
The entities handling personal tax information of your clients will be required to provide privacy safeguards, and you may be held liable if the safeguards are not performed properly.
Encryption is a best business practice for both transmission of taxpayer information and storage of personal information.
Securely remove all taxpayer information when disposing of computers, diskettes, magnetic tapes, hard drives, or any other electronic media that contain taxpayer information. The FTC Disposal Rule has information on how to dispose of sensitive data. This includes taxpayer information stored in The Cloud.

Conclusion
Personal information cannot be disclosed improperly regardless of a CPA's exemption from the requirement to have a Privacy Policy. Social Security or Tax Identification Numbers provided to a CPA firm are considered personal information, and personal information may also be collected from individuals or other entities doing business with the CPA firm or even from third parties on a client's behalf. Personal information may only be disclosed as directed by a client or as otherwise permitted or required by court order, appropriate taxing authority, SEC or grand jury subpoena, legal process, law, or regulation. Further, client personal information may be disclosed for the purposes of professional peer review or Public Company Accounting Oversight Board inspection.
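Two points in the slides lend themselves to an automated check: the Texas definition of sensitive personal identifying information (a first name or initial plus last name, combined with at least one of the listed elements) and the IRS Form 5500 guidance that an SSN must not be entered in the EIN field or appear in any publicly inspectable schedule or attachment. The following Python script is an added example, not material from the presentation or from any agency; the record field labels (first_name, ssn, financial_account, and so on) are this example's own choice, and the client records and filing it scans are constructed sample data. It treats the nine-digit 3-2-4 layout as an SSN and the 2-7 layout as an EIN, which are the standard formats for those numbers.

```python
import re

# Elements that, together with a name, make a record "sensitive personal
# identifying information" under the Texas definition quoted in the slides.
# These field labels are assumptions made for this example, not statutory terms.
TEXAS_SENSITIVE_ELEMENTS = {
    "date_of_birth",
    "ssn",                # social security number
    "government_id",      # other government-issued identification number
    "mothers_maiden_name",
    "biometric",          # fingerprint, voice data, retina or iris image
    "electronic_id",      # unique electronic identification number, address, or routing code
    "card_number",        # telecommunication access device, incl. debit or credit card
    "financial_account",  # financial institution account number or other financial information
}

# SSN is written 3-2-4 digits; an EIN is 2-7 digits. Word boundaries stop
# a longer digit run (a phone number, an account number) from matching.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")


def has_name(record: dict) -> bool:
    """The Texas test needs a first name or initial together with a last name."""
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    return bool(first) and bool(last)


def is_texas_sensitive_pii(record: dict) -> bool:
    """True when a name is present alongside at least one listed element.

    A name plus only an email address is NOT sensitive under this definition
    (email is PII under the Commerce definition but is not in the Texas list).
    """
    if not has_name(record):
        return False
    return any(record.get(key) for key in TEXAS_SENSITIVE_ELEMENTS)


def mask(ssn: str) -> str:
    """Keep only the last four digits so the findings report is not itself a leak."""
    return "***-**-" + ssn[-4:]


def find_ssns(text: str) -> list:
    """Return every SSN-formatted value found in free text (e.g. an attachment)."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def check_form_5500(filing: dict) -> list:
    """Pre-submission check mirroring the Form 5500 guidance on the slides.

    Flags an SSN typed into the EIN field, an EIN that is not in NN-NNNNNNN
    form, and any SSN inside a public attachment. Returns a list of findings;
    an empty list means nothing was flagged.
    """
    findings = []
    ein = filing.get("ein", "")
    if SSN_RE.fullmatch(ein):
        findings.append("EIN field contains an SSN-formatted value")
    elif not EIN_RE.fullmatch(ein):
        findings.append("EIN field is not in NN-NNNNNNN format")
    for name, body in filing.get("attachments", {}).items():
        for ssn in find_ssns(body):
            findings.append(f"attachment {name!r} contains SSN {mask(ssn)}")
    return findings


# Constructed sample data: not real people, numbers or filings.
SAMPLE_CLIENT = {"first_name": "J", "last_name": "Doe", "ssn": "123-45-6789"}
SAMPLE_CONTACT = {"first_name": "Jane", "last_name": "Doe", "email": "jane@example.com"}
SAMPLE_FILING = {
    "ein": "123-45-6789",  # an SSN mistakenly entered where the EIN belongs
    "attachments": {
        "schedule_a.txt": "Plan sponsor contact: J. Doe, SSN 987-65-4321, phone 713-555-0100.",
    },
}

if __name__ == "__main__":
    print("client record sensitive:", is_texas_sensitive_pii(SAMPLE_CLIENT))
    print("contact record sensitive:", is_texas_sensitive_pii(SAMPLE_CONTACT))
    for finding in check_form_5500(SAMPLE_FILING):
        print("Form 5500 finding:", finding)
```

Run against the constructed filing, the check reports the SSN in the EIN field and the masked SSN inside the attachment, while the contact record with only a name and email is correctly not classified as sensitive under the Texas definition. The masking in findings is deliberate: a report that reproduces full SSNs would itself be a disclosure of the kind the slides warn against.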

A CPA must maintain personal information in a confidential manner and use commercially reasonable safeguards to prevent unauthorized access to personal information.

Conclusion
Disposal of confidential information needs to follow Business & Commerce Code Section 35.48, Retention and Disposal of Business Records to an Outside Party, and needs to include the appropriate disposal of the hard drives of individual computers. When computers are destroyed, the hard drives need to be removed and destroyed separately. Client personal information will be disposed of by either shredding or obliteration of the personal information. A CPA may also contract with an individual or other entity engaged in the business of disposing of records, which will dispose of Client personal information by either shredding or obliteration.

Resources
Safeguarding Client Information: http://www.irs.gov/pub/irs-pdf/p4557.pdf
Safeguarding Client Information, Quick Reference: http://www.irs.gov/pub/irs-pdf/p4600.pdf
Enterprise Risk for Cloud Computing: http://www.coso.org/documents/Cloud%20Computing%20Thought%20Paper.pdf
AICPA Privacy Checklist: http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/PrivacyServices/DownloadableDocuments/CPA_Firms_Privacy_Checklist.pdf
Intel Planning Guide, Cloud Security: http://www.intel.com/content/dam/www/public/us/en/documents/guides/cloud-computing-security-planning-guide2.pdf
This PP and the documents listed above can also be located at http://learning.hccs.edu/faculty/william.nantz under Additional Resources.

William C. Nantz, CPA, CFF, CGMA, RTRP, MBA, JD, "Bill" is an attorney with the Nantz Law Firm and Board approved to teach the Ethics Course meeting the criteria set forth in Board Rule 511.58 and required in order to apply for the Uniform CPA Exam in Texas at Houston Community College. This PowerPoint is published as general information only and should not be construed as legal advice. This article is not intended to be applied to any particular situation, as such application requires knowledge and analysis of the specific facts involved. The Nantz Law Firm is not a CPA firm, but William C. Nantz, CPA is a CPA firm licensed by the Texas State Board of Public Accountancy. Bill may be contacted at 713.542.5477, [email protected] or [email protected]
