01 Jan

CPAs: Comply with Data Security Rules or Risk Your License

Acounting Photo



Trust – it’s not exactly rampant in the New York Metro area. That’s why the American Institute of Certified Public Accountants (AICPA) created a Confidential Client Information Rule, which requires that CPAs take preventive actions and put in place safeguards to protecting their clients’ sensitive financial data. Failure to do so can make you and your firm liable for steep financial damages and reputational disaster. In addition, any CPA who does not take AICPA’s directive seriously and suffers a data breach risks their professional license.


According to the AICPA Code of Professional Conduct (AICPA Code) Rule 1.700.001, Confidential Client Information Rule, “…a member in public practice shall not disclose any confidential client information without the client's specific consent. In the case of an unauthorized data breach, in determining whether there has been a violation of the Rule, consideration might be given to whether the member had processes and procedures in place to ensure that client data were secure and that these processes were kept current, communicated to the firm's professionals, and enforced.”

In addition, Sec. 7126 states that unauthorized data disclosure can trigger criminal penalties, making the offending CPA “… guilty of a misdemeanor, and, upon conviction thereof, shall be fined not more than $1,000, or imprisoned not more than 1 year, or both together with the costs of prosecution.” Such an unauthorized disclosure the section explains does not have to be intentional. The same penalties can apply if the unauthorized disclosure occurs because of a CPA’s “reckless” behavior, such as not protecting the confidentiality of client information with safeguards to minimize the risk of unauthorized access.

Potentially suffering financial losses and reputational damage is just the first level of reaction to unauthorized access to confidential client data. Security breaches can risk CPAs’ licenses to practice their livelihood. AICPA members must demonstrate that they implemented safeguards to eliminate or reduce significant threats to data confidentiality to an acceptable level.


CPAs can demonstrate their compliance with AICPA mandates by having proof of:

  • Periodic security risk assessments.
  • Audit trails to track asset use.
  • Operational defensive infrastructures.
  • Written policies and procedures regarding data security.
  • Written incident response plan.
  • Cyber security training for all personnel.


With that data security infrastructure in place, CPAs must also: (1) periodically review the list of individuals and third parties who access your information systems; and (2) notify the state if a security event (or breach) occurs.


Keeping your clients’ data safe requires a comprehensive security approach to minimize the risk of unauthorized access to clients’ confidential information. Following that guidance is not only a prudent business strategy, it safeguards a CPA’s most valuable asset: their professional license.

CHIPS Technology Group fortifies the modern workplace by providing the full stack of IT services to organizations in the New York Metro Area. Our process-driven, security-first approach to delivering technology services continues to evolve to meet the increasing needs of our clients.

Share this