The impact of new data privacy laws on CPAs
And how it likely affects your work
October 2019 Footnote
Editor's note: Updated October 1, 2019
CPAs have long been subject to professional requirements for confidentiality and privacy. In recent years, these long-standing confidentiality requirements have been supplemented by data privacy laws.
While these new data privacy regulations apply to nearly all businesses and professionals, they are particularly relevant to CPAs because of the large amount of sensitive data that CPAs maintain for their clients. These data privacy regulations are rapidly changing and, therefore, it is important for CPAs to constantly stay up to date regarding changes and developments.
Where we’re at
Section 18 of the Uniform Accountancy Act and (with some variation) similar language in all 50 state accountancy acts and board rules contain confidentiality requirements. Under these regulations, CPAs must refrain from voluntarily disclosing confidential client information. However, state laws allow some exceptions for peer review, and to comply with subpoenas, board investigations and similar events. The AICPA Code of Conduct similarly prohibits disclosures of confidential client information without specific consent.
In the last decade, there has been a push toward stronger data privacy laws in the United States, as well as around the world. In the United States, the practical impact of this has been the passage of data breach laws in all 50 states, as well as strict data protection guidelines in several states. In the European Union, the 2018 enactment of the General Data Protection Regulation has had far-reaching and significant impacts, not just in Europe, but around the world. Countries elsewhere have followed suit, enacting strict data protection laws. Many of these foreign laws can even apply to U.S.-based companies and CPA firms, if these firms have even minimal contacts within the state or country that has enacted the law.
Minnesota, in particular, has enacted data privacy laws in the past decade and has seen the introduction of a number of data privacy-related bills during recent legislative sessions. This year, there were unsuccessful attempts in Minnesota to legislate student data and biometric data issues.
Follow whose lead?
The data privacy legal landscape in the United States is centered primarily on state law requirements. There are some federal data laws that may be relevant to CPAs, including laws protecting health information, children and preventing unwanted emails and calls. But, most regulation on this issue is occurring at the state level.
In practice, these state laws generally apply in any situation where a resident of the state’s data is collected, meaning that most CPAs will need to consider the laws of multiple states. Because these laws vary by state, if a large firm is affected by a data breach that impacts customers based in all 50 states, then dozens of states’ breach requirement laws might apply.
With the variation noted, the 50 states’ data breach laws generally set the following requirements if a CPA firm’s records are breached, with an unauthorized party gaining access:
- The firm may need to provide notice to affected data subjects, with that notice taking a specific form.
- Notice to government officials may be required — often within the office of the attorney general.
- Affected parties may be awarded compensation.
- Fines may be imposed.
- Remedial steps may be required to prevent future breaches.
These requirements all vary widely by state.
Beyond these data breach requirements, there are additional state laws to consider. For any firm that includes a California resident as a client, California data privacy laws may apply. These are by far the strictest such laws in the United States, and include amendments enacted in 2018 that could affect larger CPA firms and businesses employing CPAs. Other states are beginning to follow suit and enact laws similar to the California law in terms of scale and impact.
Beyond the U.S.
Outside the United States, the strictest data privacy law in the world, the European Union General Data Protection Regulation, should also be considered. It was drafted to impact any business or firm that processes the personal data of a European Union citizen or resident — even if that business or firm has no presence in the EU.
The EU General Data Protection Regulation (GDPR) sets many requirements for affected CPA firms, including:
- Lengthy contractual, procedural and legal requirements for transferring any EU citizen or resident personal data out of the EU.
- Periodic assessment requirements for firms making large-scale changes to their businesses.
- A number of legal consequences in the event of a data breach, including sizable fine amounts and remedial consequences.
Enforcement of laws
In most European Union countries, enforcement is only just beginning, with some jurisdictions beginning aggressive enforcement efforts. Investigations of dozens — or at this point potential hundreds — of companies is now underway. There have been fines issued against violators totaling in the tens of millions of dollars. Many U.S.-headquartered companies (albeit with substantial EU presences) have been targeted for enforcement. Additionally, there has been at least one incident involving GDPR implementation in U.S. courts.
A shareholder of a large U.S. company filed a class action lawsuit in U.S. courts alleging that the company was not adequately prepared for GDPR compliance. Given this situation, it appears that the GDPR may be an important legal development for CPA firms, even those based entirely in the United States.
It is also worth noting that other countries, including recently in Brazil and Thailand, have started enacting data privacy laws that are closely modeled on the GDPR. Aside from impacting CPA firms that do business directly with these countries, these laws are also drafted to protect the data of any citizen or resident of the country, regardless of the location of the firm processing their data.
Monitor the changes
These new laws have several practical impacts. First, firms are having to keep pace with rapid legal developments. Just in the last six months, there have been changes to data breach laws in Arkansas, Illinois, Maryland, New Jersey, New York, Oregon, Texas, Utah and Washington. Second, more technical expertise is required to maintain compliance with industry standards, laws and to ensure best practices in data security and data protection. Third, firms are having to cope with a legal environment where the litigation and enforcement risks are significantly larger than they have been in the past.
It is important for firms to maintain the necessary legal and technical support to adequately address this ever-changing and complex issue.
Brenner Allen, J.D. is a partner with Allen & Pinnix, P.A. She is licensed in Texas, Washington D.C. and the State of Washington. She is also a Certified Information Privacy Professional (CIPP/US and CIPP/EU). Allen & Pinnix serves as the National Association of State Boards of Accountancy external legal counsel, and in support of that role, Brenner is NASBA’s data protection officer. Allen has authored articles and chapters on various topics, including the European Union General Data Privacy Regulation, competition law, intellectual property law and comparative commercial law reform.
Stay updated on data privacy
This resources page will be continually updated with the latest on this ever-changing important topic.