BreachExchange mailing list archives

Accounting Firms Need a Defensible Data Breach Response Plan
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 20 Jan 2014 18:09:20 -0700

http://www.cpapracticeadvisor.com/news/11297155/accounting-firms-need-a-defensible-data-breach-response-plan

Accounting firms are repositories of personal information and have become
targets for criminal hackers. They are like an auto accident waiting to
happen.

When you have a serious automobile accident, you have to report the
accident to the local policing authorities. The police could make a
determination as to who is at fault, and citations and fines could be
issued. Of course, you want to report the accident to your insurance
carrier to protect yourself from litigation, and you want to repair your
vehicle. At some point, a determination is made as to who was at fault and
who has the greatest liability; attorneys on both sides are always involved.

You will be asked for your current insurance card, your up-to-date license
and registration. Your inspection sticker will be examined. You will have
to show that all your records are up to date and in compliance with your
state laws and regulations.

What happens when you have a cybersecurity data breach? Once you have
recognized that your accounting firm has experienced a breach, under the
notification laws in 47 states you have to notify state authorities, in
most cases at least two agencies and in some cases three. If your firm
conducts business in multiple states, perhaps even more. You will need to
contact an attorney who specializes in the privacy area to guide you through
the maze of requirements and defend your firm. You will have a definite and
specific time limit to accomplish the state regulatory notification
requirements and to prepare to notify all employees, clients or other
affected parties. This is usually 60 days. Once you have notified the state
or states, you will probably notify your insurance carrier because of the
potential litigation, losses and damages your enterprise could be subjected
to. At this point reputation management becomes a serious issue.

The accident/breach has happened and you have reported it so be prepared
for a potential visit or audit by the regulators to ascertain
responsibility, and to determine if there have been any violations of state
laws.

What compliance documents do you have in place? Privacy Policies? Breach
Notification Policies? Do you have a Written Information Security Program
(WISP) in place and operating? Where do you keep your proof of employee
training, or a comprehensive Defensible Breach Plan, etc.?

In the case of your automobile, there is a long history of defensible ways
to manage and limit firm or personal exposure: Insurance
(liability/collision), proper maintenance, state inspection up to date,
registration and license up to date, driving classes and more.

What are you doing in the Cybersecurity arena to develop a defensible
breach approach to manage and limit your potential exposure?

Reports are showing that the number of breaches affecting accounting firms
and small enterprises is rising dramatically, while the number of breaches
affecting very large firms and enterprises is dropping. Large firms and
enterprises have the manpower, expertise, money, and resources to develop
cyber policies and defensible breach procedures. Small accounting firms and
enterprises do not, so the criminal hackers are going where entry is
easiest and most profitable for them: easy entry because controls are not
in place.

What you have done regarding your firm’s systems and what you are doing
concerning the incident could be looked at very carefully. The actions your
firm takes because of a breach could be closely examined. Your firm needs
to be prepared for this eventuality. Like disaster recovery plans, which are
becoming more popular for firms as a result of climate emergencies,
Defensible Breach Response Plans and WISP Plans are necessary for the
reality of regulatory and/or litigation scrutiny.

Criminal hackers, when breaking into firms’ systems, will often leave proof
that they were in your computer system and show that they have had, or can have,
complete access to personal information as well as sensitive
data/intellectual property. In today’s environment, your firm could
expect a federal or state regulatory agency visit, and there could be a
class action suit or some other type of litigation as a result, as has happened
repeatedly in recent months.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss