November 2002
IT Security Issues
By Robin L. Wakefield
Accountants use the Internet for a variety of activities, including e-mail, tax research, information searches, consulting activities, CPE, and payroll services. Internet technologies substantially increase the vulnerability of computer systems, however, and may compromise the confidentiality of information stored therein. The lack of the most basic IT security measures unwittingly creates potential liability risks.
Security experts predict major liability lawsuits for companies whose computer systems exhibit security lapses. Examples of security breaches include denial of service attacks, public disclosure of confidential information, the spread of computer viruses, and financial loss. Margaret Jane Radin, a professor of law, science, and technology at Stanford University, agrees that firms that do not exercise due diligence to minimize their exposure to security gaps will become the target of tort claims. Such claims may be decided based on negligence, and damages may be assessed if the losses were foreseeable and preventable by exercising due care. Radin suggests that legal liability may depend on what preventive measures are in place. A suitable defense might involve state-of-the-art security technologies.
Transitioning applications (e.g., payroll processing) to the Internet has become a major trend. Both paperless audits and online tax preparation services should become commonplace in the immediate future. Most firms, however, will get serious about information security issues only after a major breach occurs. Informal research indicates that the profession may be at high risk for both security breaches and liability lawsuits. A poll of 50 CPA firms in a large southern metropolitan area found that although 94% have Internet access, only 20% of the firms had a firewall—the most basic of security measures—in place.
Firms without formal IT departments should implement security measures to reduce their liability risks.
Because technology tools continually evolve to meet the challenges of network security, IT security professionals advise implementing security policies that remain constant even as software changes. Security policies should include guidelines to manage both internal and external threats. A firm’s written security policies, along with internal audits of compliance, should provide a basis of due care for the CPA firm.
For example, installing a firewall is often the first line of defense for any networked entity, regardless of size. Written policies should dictate how the firewall is managed, when it is updated, and who is contacted when the firewall is breached. Regular internal audits evaluating the effectiveness of the firewall and adherence to the firewall policy demonstrate due diligence and due care. Additional policies may cover antivirus software, requiring its installation and updating on a continuous, predetermined schedule. Because information threats are internal as well as external, other information security policies should answer the following questions:
Firewalls and antivirus software, two practical and realistic approaches for reducing a company’s vulnerability, can be purchased at minimal expense and installed by software vendors. Firewalls can deter but cannot completely prevent the intrusion of outsiders into a computer system; they are only one part of the total security system that firms should implement. The chances of falling prey to Internet vandalism are rising.
Although no current laws specifically regulate the information security practices of CPA firms, past experience shows that deficiencies will ultimately be remedied in the courtroom. Assessing an entity’s technological vulnerabilities is the first step in building a proactive security structure. Developing company-wide policies to protect confidential information is both doable and affordable. Information security measures protect confidentiality, minimize liability exposure, and provide a justifiable basis for due care.
Editor:
Beth Meszaros
The CPA Journal