The Gramm-Leach-Bliley Act (GLBA), which was first released in 1999, requires Accounting Firms to implement specified security plans to protect client data. The consequence of not doing so could result in a Federal Trade Commission (FTC) investigation.

Due to a rapidly increasing amount of data breaches within Accounting Firms, the IRS has recently taken a particular interest in the protections of clients of Tax Practitioners. As the sophistication of hackers strengthened, the IRS saw a need for awareness of responsibilities within the tax community, and released a campaign called Protect Your Clients; Protect Yourself in 2020 focused on shining a light on the responsibilities of Accounting Firms to protect their clients from identity theft. As a result, the goal was for firms to also benefit as they are prompted to tighten their business practices and secure themselves against costly data breaches.

Through the Protect Your Clients; Protect Yourself campaign, the IRS stresses the importance of implementing two-factor authentication, utilizing anti-phishing security tools, and protecting email accounts with strong and ever-changing passwords. In the 2019, when CPAs were renewing their PTIN’s, they were asked to check a box acknowledging that they accepted responsibility for the protections of their clients against a data breach and that they had a plan in place.

The requirement to develop a security plan has proven to be a time-consuming task for many accounting firms. With the ever-changing nature of technology and cyber-security best practices, firms should consider partnering with an IT Firm who is experienced in implementing a comprehensive plan to protect the data of Accounting Firms.

Download the following GLBA security plan template, provided by the AICPA, and review it with your technology partner to ensure your firm is prepared: https://future.aicpa.org/resources/download/gramm-leach-bliley-act-information-security-plan-template

Learn more about Cybersecurity for Accounting Firms: How to Protect Your Clients’ Financial Identities.