Given the seemingly constant attempts at “hacking” sensitive customer data, accountants and other financial professionals should review their obligations to provide notice in the event of a breach of their electronically stored client information. There is not yet a federal law mandating notice, although there have been several attempts to enact a uniform federal standard.  The result is a patchwork of 47 state statutes with different requirements on the disclosure of a data breach to customers and reporting of the breach to state authorities. 

The New Jersey Identity Theft Prevention Act, N.J.S.A. 56:8-163, is illustrative. It requires disclosure to customers within New Jersey and a prompt report to the Attorney General and the State Police of any breach of security of computerized records if “personal information was, or is reasonably believed to have been, accessed by an unauthorized person.” A “breach of security” is defined as the “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information” when access to the information has not been secured by encryption or other methods that render the information unusable or unreadable. N.J.S.A. 56:8-161. New York and Pennsylvania likewise require any business that deals with electronic private information to disclose to customers in that state any breach upon discovery of the breach. Other states, like Arizona, require disclosure only if there is both unauthorized access and misuse of the information.

But state law does not mandate notification in all cases. The New Jersey law does not require disclosure to a customer “if the business or public entity establishes that misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years.” N.J.S.A. 56:8-163(a). Thus, to the extent the unauthorized access is to encrypted or password protected data, customer notification may not be required. And even where the data is not encrypted, customer notification may not be required if the firm or business can say misuse of that data is “not reasonably possible.” That could well be the case when a stolen laptop computer or smart phone is requires a log in code or unique password to access the server or firm database, or when the firm has the ability to remotely disable or “wipe” the data from the stolen device. Best practice would require the Chief Information Officer or an outside IT professional to provide written support for the conclusion that misuse is “not reasonably possible.” The firm should also implement and document appropriate remedial measures designed to prevent a recurrence of the incident. Violation of the breach notification law is an unlawful practice under the New Jersey Consumer Fraud Act, but there is no private right of action under the statute allowing for individual lawsuits. The New Jersey Division of Consumer Affairs has adopted regulations implementing the reporting and recordkeeping provisions of the Identify Theft Protection Act.  See N.J.A.C. 13:45F.

Even if notification is not required by the breach notification law, there may be other reasons to alert clients. For example, certified public accountants are under an ethical obligation not to disclose confidential information about their clients obtained during the course of performing professional services. N.J.A.C. § 13:29-3.7; AICPA Code of Professional Conduct, Rule 1.700.001. Arguably, these standards would require notice to clients of any loss of confidential client information even if the incident were not reportable under the Identity Theft Protection Act and, even if not required under ethical rules, there may be sound business reasons to provide notice to clients. A professional firm could suffer major reputational damage from the negative publicity surrounding a significant data breach, and direct client notification will allow the firm to control the communication of such incidents. Apart from damaging publicity, other potential adverse consequences are just as real, including the potential of claims and lawsuits from its clients for the breach, which would only be compounded by a failure to provide notification. The firm should also consider how to address other less direct or immediate consequences, including the potential that the firm would have to disclose the breach in responding to requests for proposals or when competing for engagements, that the firm could even be suspended or disqualified from future public sector work, that the firm could have difficulty obtaining liability insurance to cover future breaches without high premiums, and that it could face lawsuits from its clients or “whistle-blower” lawsuits from employees based on inadequate data security practices.

Given the potential exposures, as a sound risk management practice, even small professional firms should be familiar with notification requirements in the event of a data breach.