November 14, 2019

How CPAs Can Protect Client Data with Third-Party Vendors

An Ignite Blog by: Dustin Hall
Director, CPACharge


As an accounting professional, you’re likely all too familiar with the rise of cyber-attacks targeting our industry. Hackers know that CPAs have access to their clients’ most personal financial data, which makes them prime targets for these attacks. As such, data security should be a top priority for CPAs and accounting firms across the country.

The IRS has strongly encouraged tax and accounting professionals to re-evaluate their security efforts to help prevent breaches and protect their businesses. IRS Commissioner Chuck Rettig noted, “The IRS, the states and the private sector tax industry have taken major steps to protect taxpayers and their data. But a major risk remains, regardless of whether you are the sole tax practitioner in your office or part of a multi-partner accounting firm.”

Common recommendations include creating a data security plan and keeping anti-virus software up to date. While these are important measures to take, you can also significantly boost your cybersecurity efforts by enlisting the services of third-party vendors.

Shifting your clients' data offsite
If you’re running a small or even medium-sized CPA firm, there’s a good chance you don’t have a dedicated IT team in-house keeping an eye on your data security systems and staying up to date on the latest defensive measures.

Because of this, you can stand to benefit greatly by moving some of your clients’ data offsite and into a cloud storage service with more advanced data encryption. “Cloud solutions can provide better and up-to-date encryption, patching, and upgrades so accounting firms have the latest tools to protect them from hackers and security breaches,” said Justin Hectus in an article from AccountingToday.

Of course, it's imperative that you do your homework before signing on with any particular cloud storage vendor. You want to ensure that the provider has a good track record of risk management and will be a reliable partner in protecting your data. Look for features like two-factor authentication and automatic data encryption when files are uploaded to the service.

Limiting your firm's liability
Using a third-party vendor to protect your data can also shift some of the liability for protecting that data from your firm to a service that is well-versed in data security. For instance, your firm may still be writing client payment data on paper, or even in documents stored on your computers. It should go without saying that this practice presents a serious security risk, and the blame will be placed entirely on your firm if any data should fall into the wrong hands.

Thankfully, there are online payment solutions that are well-versed in the best data security practices and can shoulder some of the security burden. With technologies like payment portals, your clients never have to physically provide you with their payment information. The payment solution instead facilitates the entire payment process and stores your clients’ payment data itself, giving your firm one less piece of sensitive information to protect.

It’s important to note that third-party vendors won't completely absolve you of responsibility when it comes to data security, nor will they singlehandedly defend you and your clients. Rather, they represent an extra layer of protection on top of your pre-existing data security measures. By adding more tools to your arsenal, you’ll better equip your firm to protect sensitive data.

Want to learn more ways you can bolster your cybersecurity? Download the CPACharge e-book "Building a Secure Practice: A guide for CPAs."

What cybersecurity risks are keeping you up at night?

What steps have you taken to protect your organization against cybersecurity risks? 

The Ignite blog is an official publication of the Kansas Society of CPAs. Copyright 2019.