CPA FIRM PRIVACY STATEMENT

Although CPA firms are no longer subject to the notice requirements of GLBA, the AICPA’s Generally Accepted Privacy Principles (GAPP) and good business practice recommends that the CPA publish their Privacy Statement. The privacy statement may use the standard statements required by GLBA.

EMPLOYEE INFORMATION

As an employer, you have personal information about your employees such as:

• Social Security Number

• Bank Account Information

• Medical Information

•Benefit Information

This information should be kept secure and restricted to only those individuals with a business reason to have access.

COMPUTER SECURITY

All computers should be password protected. Each user should sign-in with a unique ID and password. Passwords should be a minimum of eight characters made up of numbers, letters and characters. Passwords should be changed on a regular basis and at least every 60 days. Laptop files containing personal client or employee information should be encrypted, and protected with passwords similar in complexity to those used to secure the computer device on which they reside. Some hard drive manufacturers are now manufacturing hard drives that feature built in encryption.

SERVERS

In addition to their regular user ID, Server Administrator(s) should have a separate and unique administrative ID and password for use only when performing system administration activities. System default IDs and passwords should be changed immediately. The administrative password should be longer than the regular user passwords, with a minimum of 12 digits.

COMPUTERS CONNECTED TO INTERNET

Various security practices should be utilized for computers connected to the Internet. These practices include firewalls, up-to-date anti-virus software, current software security patches and spyware.

WIRELESS TRANSMISSIONS

Many firms have a wireless access point in their offices, either for their use or their clients. When installing the access point, it should be password-protected so that someone close by can not log into the network and access the firm data. If the office already has a hard-wired network, then if possible, the access point should be outside the network so no-one can hack into the servers.

REMOTE ACCESS

Develop policies for employees who telecommute. For example, consider whether or how employees should be allowed to keep or access client data at home. Also, require employees who use personal computers to store or access client data to use protections against viruses, spyware and other unauthorized intrusions.

EMPLOYEE TRAINING

All employees should be educated on the importance of keeping Personal Information secure in and out of the office.

Personal Information about your clients is disclosed to third parties only for purposes described in the notice and for which the client has provided implicit or explicit consent.

FILE RETENTION/DESTRUCTION POLICY

All firms should establish a policy on how long to retain client information. At the end of the retention period, the information should be either returned to the client or properly destroyed. For paper information, it should be shredded. For electronic data, ensure client information is deleted and written over to make it unrecoverable.