If I said, “that depends,” would you not read the rest of the article? How about if I say, “it depends on where you and your client are located.” There…that’s better. It is worth your time to investigate the active laws in your country; a list of some of them is at the bottom of this article.
Responsibility is quickly becoming a bigger issue because cyber attacks and hacking are now a big business. In the United States alone cyber criminals made off with 7 billion dollars in 2021, according to the FBI, and that’s only the money from crimes that were reported.
So what does all that mean to you? First of all, cyber attacks aren’t going anywhere. Lawmakers know this and are acting to expand the laws, regulations, and responsibilities of businesses that hold Personal Private Information (PPI). As an accountant or bookkeeper, you hold PPI as defined by almost any governing body in the western world.
Key points about Personal Private Information include the following.
· Organizations are responsible for all personal information in their custody.
· Personal information can only be collected, used, or disclosed by an organization with the express knowledge and consent of the individual; there are limited exceptions to this requirement.
· Personal information must be protected from theft, unauthorized access, or disclosure by adequate safeguards.
· An organization’s privacy policies and practices must be readily available to individuals upon request.
Back to my original question: are you responsible for protecting your clients from a cyber attack? Most definitely yes! There is no way to shift that responsibility to your vendor, whether it’s QuickBooks Online or Xero. They both fall under the “shared responsibility” model.
Put in simple terms, they are responsible for the platform, and you are responsible for the information on the platform. To ensure that these vendors can’t be held liable for a cyber attack, they provide tools that you and your customer can use to protect against one. The first tool is a required password, and the second is Multi-Factor Authentication.
Some users of cloud accounting find these tools a bother to use, but without them they are opening themselves up to harm with no recourse. As more cyber security tools and habits become available, learning to use them as part of your business practice may become mandatory if it isn’t already.
If you don’t already have internal policies to govern online behavior, then I have some good news for you: we’ve got a great starter kit for you, and it’s free. https://wowzerbackupandrestore.com/policies/ Now here’s that list of local laws. If I missed your country, sorry, there are just so many.
Europe: General Data Protection Regulation (GDPR) find it here: https://gdpr-info.eu/
United States: Federal Trade Commission’s Safeguards Rule in conjunction with the Gramm-Leach-Bliley Act: https://www.ftc.gov/legal-library/browse/rules/safeguards-rule
United Kingdom: UK General Data Protection Regulation (UK GDPR): https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
Australia: Australian Privacy Act: https://www.oaic.gov.au/privacy/australian-privacy-principles
Canada: Bill C-26 Act Respecting Cyber Security and PIPEDA: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/ and https://www.parl.ca/DocumentViewer/en/44-1/bill/C-26/first-reading
New Zealand: Privacy Act 2020: https://www.dataguidance.com/notes/new-zealand-data-protection-overview
There are over 150 countries with strict data protection laws; be sure to know what yours are.
All of the above contain language like this: “A private or public business entity must take reasonable steps to protect the personal information it holds from misuse, interference, and loss, and from unauthorized access, modification or disclosure.” And almost all of them contain very high fines for failing to protect Personal Private Information.
In writing this, I didn’t intend to create a ton of work for you. If you don’t have a staff security team, there are plenty of consultants who can ensure your firm is up to speed. Don’t wait until you or your customer becomes a victim. Do what you can to protect your business and theirs.
About WOWzer Technologies
WOWzer Technologies Inc. is focused on automation and security for accountants and bookkeepers. It was founded by 20+ year CPA Vince Schembri, who experienced a catastrophic data failure in 2014. Vowing to never have this experience again or let it happen to other accountants, he and his co-founder Mark Kennedy built a Backup and Restoration application for Xero Cloud accountants and bookkeepers.
Made for accountants and bookkeepers, by accountants, we know the pain points and are passionately building automation tools to overcome them.