Protecting client data is key — but don’t forget employee data

Breaches that expose the data of hundreds of thousands and even millions of consumers are becoming regular headlines, with cybercrime on the rapid rise and efforts to plug the leaks struggling to keep pace.

Similarly at risk, however, is employee data, which can include home addresses, Social Security numbers or phone numbers, among other sensitive information. While most data protection laws in the U.S. are focused on customers, a notable recent Pennsylvania Supreme Court ruling recognized a common law duty that employers have to provide reasonable care with employees’ personal information. The ruling came amid a class-action lawsuit by employees of the University of Pittsburgh Medical Center — the state’s largest private employer — after hackers gained access to the personal information of 62,000 former and current workers.

Like the health care industry, the financial services sector is heavily targeted by cybercriminals. For years, firms have focused on cybersecurity at the customer level, but not enough companies focus on the wider picture. Lax protection for employee data can not only put workers at risk, but it may give hackers a convenient backdoor into all data on a server.

What’s at risk?

Unfortunately, many businesses don’t think about cybersecurity until it becomes a problem. Officers and board members sometimes just assume their IT departments have taken care of it with a firewall and antivirus software. A recent national survey showed just 38 percent of CEOs and 23 percent of board members were “highly engaged” in cybersecurity at their businesses. This is despite heavy financial risks, with the cost of all data breaches in 2017 estimated at nearly $2 billion. With cybersecurity now being as important as or even more imperative than a business’s physical security, leaders must take this area seriously and prepare their business accordingly.

Businesses in financial services are particularly appealing to hackers because they handle inherently sensitive and valuable information. For accountants, this often includes banking and personal wealth account information, and a bad actor who can access a client’s information can likely reach an employee’s just as easily.

Even outside of a firm, accountants are ideal access points for cybercriminals. Someone who works in the accounting department of a business could be just the backdoor a hacker needs to cause havoc. It’s as simple as someone innocently opening what turns out to be a phishing email — the most common doorway for scammers — and a piece of malware can spread through an entire system.

What laws apply?

Cybersecurity law is still evolving, especially in the U.S., where at least 22 states now have laws in place that address aspects of data security beyond simply alerting the public when breaches occur. California even passed a law recently that is drawing comparisons to the European Union’s comprehensive General Data Protection Regulation, which has greatly affected U.S. businesses.

Most domestic laws concern the business-consumer relationship, with nothing much to say about protecting employees. That could change as cybersecurity statutes develop, and courts are beginning to recognize that businesses have a duty to provide “reasonable care” for employee data, as the justices did in the UPMC case. And while it’s a broad term mostly used in a legal sense, reasonable care can generally be satisfied by using the cybersecurity framework provided by the National Institute of Standards and Technology (NIST).

A firm basing its cybersecurity policy and procedures on those guidelines would likely be considered to be meeting a standard of reasonable care, at least partly protecting itself from potential litigation in the event of a breach.

What can employers do now?

Larger corporations can normally weather the financial impact of a data breach, and they have the resources to limit that impact, thanks to internal departments dedicated to cybersecurity. But small and medium-sized firms can be truly harmed by breaches and the resulting blows to their finances and reputation.

Many independent accounting firms fall into the latter category. They may be large enough to have a significant amount of useful data on their network, but not big enough to pay their own IT staff or have the resources available to train employees. Doing nothing, however, is unacceptable, and while relying on third-party vendors may offer a cheap and quick solution, often those vendors provide nothing more than a one-size-fits-all firewall and password-protected accounts.

As data protection for customers and employees becomes a priority, firms must be proactive and pay close attention to their own cybersecurity policies and procedures. At a base level, they should be taking an audit of what sensitive information is on their network — this is something accountants certainly already do well. Beyond that, employees should be trained on the signs of phishing scams or malware in their email, as well as proper password management. Additionally, legal counsel can help leaders craft a policy that addresses the cybersecurity laws that apply in their respective states and other wider regulations such as GDPR.

Failure to properly address any of these issues could have severe consequences not only for customers and employees but for the firm itself. Fortunately, with proper planning and information, cyberattacks don’t have to be inevitable.


Michael Monyok
