In the wake of the Equifax computer breach—in which key personal information of 145 million Americans was stolen—it may be correct to assume that anyone with a credit history is affected. In the words of noted cybersecurity expert Brian Krebs, “Assume you’re compromised, and take steps accordingly” (“Fear Not: You, Too, Are a Cybercrime Victim,” KrebsonSecurity.com, Oct. 17, 2017, http://bit.ly/2A67XLX). For professionals, there are broader cybersecurity concerns, as CPA firms of all sizes have recently been hacked, from local firms whose stolen client Social Security numbers were used to divert clients’ IRS tax refunds to firms that have been subject to ransomware extortion.
The purpose of this article is to provide non–technology experts with relevant information about the Equifax breach and the specific steps CPAs can take, and to help CPAs understand basic cybersecurity issues and the related federal legal and professional ethics rules.
What Caused the Breach?
The Equifax breach was a major failure of computer systems’ internal control, with both underlying causes and Equifax-specific factors (Wayne Rash, “Equifax Hackers Enjoyed Leisurely Tour Inside Your Credit History,” eWeek, Sept. 22, 2017, http://bit.ly/2zJdmdv). The underlying causes include the following:
- The evolution of computer information technology (IT) infrastructure from a centralized, tightly controlled, mainframe-only computer environment with no public Internet links to a decentralized, often globally outsourced one, with a myriad of Internet-connected devices all over the world.
- A related shift in IT culture in many companies from one stressing internal control and extensive system testing to a culture of “innovation” with a “get software out quickly and fix the bugs later” mentality, which can pressure the most senior IT executives to put cost savings ahead of security.
- The Internet’s inherent lack of security as a system that was originally designed to be accessed by trusted users in academic, corporate, and government research centers and only later used for commercial purposes, resulting in constant security patches over the initial framework.
The publicized and known specific cause of the Equifax breach was a failure to install a well-publicized security patch to an “Apache Struts” vulnerability. An earlier 2017 Equifax breach involved an IT systems administrator using an insecure password that did not comply with best practices, or even Equifax’s own policies.
Why Is This Breach Different?
Over the past decade, over 3 billion people’s personal information has been hacked from email providers like Yahoo or retailers like Target. The Equifax breach, however, is the first in which the “big four” personal security identifiers—name, address, birth date and Social Security number—were stolen from so many at once. These are the security authentication foundations for many commercial and other purposes (Robert Lemos, “Identity Verification Becomes Trickier in Wake of Equifax Breach,” eWeek, Sept. 11, 2017, http://bit.ly/2yMVLOu).
Possession of these identifiers may increase two forms of identity theft: new account fraud and account takeover. In new account fraud, a criminal uses the identifiers and possibly other information to open new credit accounts in a person’s name; the target does not find out until his credit rating is wrecked after the bills go unpaid. The aggravation, costs, and time spent on the resulting credit repair can be significant. In account takeover, the criminal uses the four identifiers to impersonate someone for various purposes, including creating fraudulent transactions. To CPA firms, one of the more familiar frauds of this type is the filing of phony income tax returns to steal tax refunds. In some cases, local CPA firm computers have been breached, enabling thieves to successfully perpetrate this type of fraud.
Recently, account takeover has been used to steal cell phone numbers, which can compromise multifactor authentication (MFA), an important cybersecurity best practice (Nathaniel Popper, “Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency,” New York Times, Aug. 21, 2017, http://nyti.ms/2jws7dq). MFA requires providing authenticating information in a manner different from the initial authentication; for example, some websites will, after the user has entered her password, send a second verification code via text message that must also be entered to log in. Another MFA method requires that the initiator make a call from a predetermined phone number; unfortunately, such a phone number can be spoofed, rendering the MFA ineffective.
Weak MFA approaches could lull CPAs into a false sense of security. Many accounting software programs rely on two-factor authentication for sign-in or to reset forgotten passwords, and an increasing number of these programs enable the electronic transfer of funds from bank and investment accounts. With this type of account takeover on the rise, it may be wise to revisit the use of cellphone text messages for MFA, as well as explore more secure approaches.
In previous major breaches, the public attitude has generally been to accept the risk as the price of convenience. The Equifax breach, however, has taken public frustration over weak cybersecurity to unprecedented levels (Ron Lieber, “Why the Equifax Breach Stings So Bad,” New York Times, Sept. 22, 2017, http://nyti.ms/2jvZvkT). The breach is beginning to instill general fear that the cybersecurity underpinning electronic commerce cannot be trusted.
Since the beginning of e-commerce, there has been a tug of war between the desire for fast and frictionless transactions and the need for extra, inconvenient security steps. The Equifax breach may swing the pendulum towards security. The sections below address the protective steps that should be taken by CPA firms and their clients to create an appropriate level of cybersecurity.
What Individuals Can Do Now
The exact actions for individuals to take in the wake of the Equifax breach remain uncertain. This is because much of the advice relies on resources accessed through the Equifax website, which as of this writing is seen by many experts as unreliable. In noted cybersecurity blogger Brian Krebs’s words, the Equifax “site seems hopelessly broken” (“The Equifax Breach: What You Should Know,” KrebsonSecurity.com, Sept. 11, 2017, http://bit.ly/2zXVgEQ). Also, at this point, no one knows who actually breached the site or what the pilfered information will be used for (Maurie Backman, “Will the Equifax Data Breach Impact Your Social Security Benefits?” Motley Fool, Sept. 14, 2017, http://bit.ly/2mwN21n).
As the four stolen identifiers remain the bedrock of much commercial security, the danger could last for years, so the best advice is to eschew temporary steps and freeze credit at all four—not three, as often reported—credit reporting agencies: Equifax, Experian, Innovis, and TransUnion. A credit freeze will generally stop new account fraud, as it puts a hold on the release of any credit scores or other information from the credit reporting agencies to credit card companies, auto dealers, or other vendors that need it to complete a transaction. The process of initiating a credit freeze is highly automated, and after the Equifax breach, it is generally recommended to do this by phone rather than through websites, especially the Equifax site. A comprehensive explanation of credit freezes can be found in Brian Krebs’s blog post, “How I Learned to Stop Worrying and Embrace the Security Freeze” (June 15, 2015, http://bit.ly/2A4vAHl).
Another approach for individuals is identity theft insurance, which can be purchased separately, but more often is added to homeowner’s or renter’s insurance. It does not pay for actual losses from identity theft, but it can cover many of the high costs of repairing credit. New York State’s brochure, A Consumer Guide to Identity Theft (http://on.ny.gov/2ATTuTg) has good information about identity theft insurance; an insurance broker can help with the coverage, exclusions, and other details about specific companies’ policies, which can greatly differ. The New York guide, along with the Social Security Administration’s post–Equifax breach blog post, “Protecting Your Social Security” (Jim Borland, Sept. 15, 2017, http://bit.ly/2mwq5ez), includes many other worthwhile and practical steps to protect firms and individual clients.
The Equifax breach is also a warning to CPA firms and business clients on the need to review and maintain cybersecurity over client and customer information. The basic framework of elements necessary to accomplish this is discussed in the Federal Trade Commission (FTC) regulations included in the sidebar. The specific hardware and software applications, human resource policies, required expertise level of technology consultants, and other steps applicable to a specific business will be based on such factors as the company’s industry, size, IT systems infrastructure, and sensitivity of information stored in its systems.
How CPAs Can Help Clients
While the Equifax breach is reported to affect 50% of American adults, that number is probably closer to 100% of a CPA firm’s clients, almost all with Equifax credit histories. Many individuals are likely worried about the impact that the Equifax breach could have on them, having seen dozens of media reports about it, often combining accurate and misleading information. As the trusted professionals, CPAs can give individual clients the information they need to both protect themselves and put them at ease.
A model letter for individual clients will accompany this article online; the information within it can also be included in websites, e-mail newsletters, and other social media. The letter includes optional language inviting clients to free educational sessions led by an appropriate cybersecurity expert.
After reports of recent CPA firm security breaches, it may be important to be able to assure clients that the firm’s IT systems, and those of outsourced service providers, are protected from cyberintrusion.
How to Protect the Firm
Local CPA firms are target-rich environments for hackers; they know firms’ systems contain the client information necessary for new account and account takeover fraud, and possibly other private or confidential information. They also know that even a sole practitioner with a few hundred individual and business clients can represent 1,000 or more identities to steal. Local firm breaches have led to costly theft of client identities for the filing of phony tax returns, and CPA firms have also been subject to ransomware extortion, where a criminal encrypts a firm’s information, locking out legitimate users until a ransom has been paid (often in anonymous Bitcoin). A successful cyberintrusion can have disastrous results on both the firm’s reputation and client relationships, in addition to being incredibly expensive. Regardless of the firm’s level of technology expertise, it is vital to learn enough about basic cybersecurity principles to understand the commitment necessary to secure individual clients’ confidential information. These principles are conceptual cousins of the financial internal control principles that have been ingrained in all CPAs since the profession’s beginnings.
Fortunately, there are good resources available. These include the AICPA’s Cybersecurity Resource Center and A CPA’s Introduction to Cybersecurity (http://bit.ly/2ATeTMn) as well as IRS Publication 4557, Safeguarding Taxpayer Data—A Guide for Your Business (http://bit.ly/2fQs84K), which clearly overviews the elements needed to protect client data, with checklists and best practices to help build the necessary safeguards framework. Two more excellent resources are the Center for Internet Security’s highly regarded Top 20 CIS Controls (http://bit.ly/2hxpNPe) and the National Institute of Standards and Technology’s Baldrige Cybersecurity Excellence Builder (http://bit.ly/2ATgGRx). The latter’s basic questions are highly relevant to businesses of all sizes, while some are more applicable to larger companies.
An additional important protection is cyberinsurance coverage for various CPA firm cyber risks (Daniel Hudson and Joseph Brunsman, “What CPAs Need to Know about Cyber Insurance,” CPA Journal, March 2017, http://bit.ly/2A2EOUs). For firms faced with a cybersecurity incident, the Thomson Reuters piece “Your Firm’s Been Hacked: Here’s What to Do Immediately” (Jon Baron, May 31, 2016, http://tmsnrt.rs/2yO83WU) provides excellent advice about what to do, along with how to protect a firm from cyberintrusion.
What Are a Firm’s Legal and Ethical Responsibilities?
The 1999 Gramm-Leach-Bliley Act (GLBA) includes provisions requiring financial institutions to broadly safeguard customer/client information. Unbeknownst to many CPAs, tax return preparers are included in GLBA’s expansive definition of “financial institutions,” which for this purpose are regulated by the FTC. While CPAs and tax lawyers are exempt from GLBA’s privacy notice requirements, they remain subject to the rules for protecting client information. The Safeguards Rule (see Sidebar) requires tax preparers to develop, implement, and maintain a comprehensive written information security plan that describes their firm’s program to protect client information appropriate to the firm’s size and complexity, the nature and scope of its activities, and the sensitivity of the related client information. Just before the Equifax breach became public, the FTC stepped up tax practice–related enforcement; in August 2017, it entered into an enforcement agreement with the non-CPA tax return preparation firm TaxSlayer for failure to follow multiple elements of the Safeguards Rule, noting that further lapses would result in harsh penalties.
New York State’s Department of Financial Services (DFS) has comprehensive new rules that went into effect this year and go beyond the Safeguards Rule’s requirements, with exemptions for small companies (http://on.ny.gov/2hvjbkz). The law specifically requires entities to have a Chief Information Officer who submits detailed cybersecurity reports to the board of directors, taking this role beyond the traditional confines of IT departments and giving boards specific fiduciary notice. In addition, MFA is specifically required. The law also includes expanded reporting requirements when breaches do occur.
Because of New York’s position in financial services, the law’s impact is likely to be felt beyond the state. Specifically in response to Equifax, the DFS now has the credit reporting agencies under its regulatory jurisdiction. In addition, New York and most other states require firms that suffer a breach and have confidential client information stolen to notify clients, specified government agencies (including law enforcement), and, in some cases, the credit reporting agencies.
Internal Revenue Code (IRC) section 7216 and AICPA Code of Professional Conduct Rule 1.700.001 have specific client confidentiality requirements that complement the broader Safeguards Rule (Mary L. Blatch, “AICPA’s Revised Confidentiality Rule, Sec. 7216, and the Tax Professional,” Tax Adviser, Feb. 1, 2015, http://bit.ly/2mwBRFN). In general, individuals’ permission is required before disclosure of their confidential information to third parties, with the IRS imposing stringent rules on the form of that permission. Under the Code of Professional Conduct, when tax professionals outsource return preparation services to third-party companies, they must either disclose that fact to clients or have a contract with the outsourced service provider that includes client confidentiality–related provisions. In addition, the Safeguards Rule requires CPAs to oversee the provider’s handling of client information.
While a growing number of CPA firms provide specialized cybersecurity services under AICPA professional standards, lawyers are ahead of the CPA profession in this area of professional ethics. In May 2017, the American Bar Association (ABA) issued Formal Opinion 477, “Securing Communication of Protected Client Information” (May 4, 2017, http://bit.ly/2zL2bBg), which is both stronger and more specifically tied to cybersecurity than CPA ethics rules. Within a lawyer’s “duty of competence,” an attorney “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Lawyers should “understand the nature of the (cybersecurity) threat; understand how client confidential information is transmitted and where it is stored; understand and use reasonable electronic security measures; determine how electronic communications about client matters should be protected; train lawyers and nonlawyer assistants in technology and information security; and conduct due diligence on vendors providing communication technology.” Expanding on the AICPA’s rule concerning outsourced vendors, the ABA rule states that lawyers should consider such due diligence and “Duty of Supervision” factors as: “reference checks and vendor credentials; vendor’s security policies and protocols; vendor’s hiring practices; the use of confidentiality agreements; and the availability and accessibility of a legal forum for legal relief for violations of the vendor agreement.”
After the Equifax breach, the importance of compliance with these laws and professional conduct rules continues to increase. If a CPA firm breach does occur and the firm is sued, material compliance failures may make it difficult and expensive for the firm to defend itself.
Where to Learn More about Cybersecurity
Readers wanting to learn more about cybersecurity technical standards and practices can look to key resources used by professionals in the area. These include:
- The Center for Internet Security (http://www.cisecurity.org), involved in cybersecurity best practices, continuous cyberthreat monitoring, and maintaining related communities of cybersecurity experts
- The SANS Institute (http://www.sans.org), which provides extensive cybersecurity training
- The Global Information Assurance Certification (http://www.giac.org/certifications), which provides cybersecurity professionals with highly regarded cybersecurity credentials
- The U.S. Department of Commerce’s National Institute of Standards and Technology (http://www.nist.gov), whose “Standards and Best Practices” section lists several cybersecurity resources.
In addition, leading blogs and websites in this area are http://www.krebsonsecurity.com, maintained by former Washington Post journalist Brian Krebs; http://www.security-watch.pcmag.com, PC Magazine‘s security section; http://www.csoonline.com, with news articles, security product reviews, and other resources; and http://www.infosecurity-magazine.com, with a smorgasbord of cybersecurity topics.
Some CPA firms, typically those with larger clients and the necessary cybersecurity expertise and credentials, offer cybersecurity-related services under AICPA professional attestation standards. The AICPA’s Cybersecurity Resource Center has a subsection discussing these services (http://bit.ly/2zL2bBg). Reviewing the standards can give CPAs in firms of all sizes a better understanding of the technical complexities involved in this area.
Resources for Further Reading
“A Flaw in the Design,” Part 1 of the excellent 2015 Washington Post series, “Net of Insecurity”, on why the Internet lacked security from the outset: http://wapo.st/2inVP11
The FTC’s regulatory Standards for Safeguarding Customer Information, requiring tax return preparers to maintain a written program that addresses firm-size-appropriate administrative, technical and physical safeguards over client data: http://bit.ly/2im2Ijm
The FTC’s advisory publication, “Financial Institutions and Customer Information: Complying with the Safeguards Rule”: http://bit.ly/2zI1p8l
“The Equifax Breach: What You Should Know,” by Brian Krebs: https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/
“The Security Setting You Must Always Turn On,” by William Rothman, Wall Street Journal, Sept. 17, 2017: http://on.wsj.com/2hyslwL
The New York Attorney General’s summary of the state’s Information Security Breach and Notification Act: https://ag.ny.gov/internet/data-breach
NIST’s Framework for Improving Critical Infrastructure Cybersecurity, used by professionals to help organizations manage cybersecurity: http://bit.ly/2zId9rr
The AICPA’s Description Criteria for Management’s Description of the Entity’s Cybersecurity Risk Management Program, an example of its cybersecurity professional attestation standards: http://bit.ly/2zMB9XP
Restoring a Sense of Caution
Since the birth of the Internet, fostering the growth of friction-free e-commerce has generally outweighed the imposition of security that might impede it. The Equifax breach has created a greater sense of public awareness and concern, and could be the catalyst that finally leads corporate boards and public policymakers to pressure the IT “innovation culture” pendulum to swing back to one more concerned with cybersecurity, with less emphasis on speed and low cost.
In the meantime, it is important for CPAs to at least learn the cybersecurity basics and commit to reasonably protecting their clients and firms. This is both the ethical and legally required thing to do.