Academic journal article Journal of Accountancy

How to Profit by Safeguarding Privacy: CPAs Can Help Businesses Boost Customer Relations and, at the Same Time, Meet Regulatory Requirements

Academic journal article Journal of Accountancy

How to Profit by Safeguarding Privacy: CPAs Can Help Businesses Boost Customer Relations and, at the Same Time, Meet Regulatory Requirements

Article excerpt

EXECUTIVE SUMMARY

* PROTECTING THE PRIVACY of personal information is no longer optional for organizations that collect, use and distribute it. Federal law now requires entities to take responsibility for safeguarding the data they gather from customers and patients.

* ORGANIZATIONS THAT ACCEPT AND FULFILL their privacy-related obligations will find it easier to develop close business relationships with consumers who prefer them to competitors that don't make privacy a priority.

* THE COMPLEXITY OF PRIVACY COMPLIANCE and the allure of turning a regulatory burden into a competitive advantage combine to create a consulting opportunity for CPAs who know the regulations and can help companies satisfy them and, thus, attract and retain customers.

* CPAs LEADING A COMPLIANCE PROJECT, whether as employees or consultants, should adopt a systematic approach that identifies and resolves deficiencies in the organization's privacy policies and practices.

* TO DO THIS EFFECTIVELY, CPAs should follow a four-phase plan in which they assess the entity's current compliance level, design a remedial strategy, implement the plan and then monitor its ongoing effectiveness.

* CPAs SHOULD FAMILIARIZE THEMSELVES with the provisions of major federal privacy legislation, including the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act of 1999 and the Children's Online Privacy Protection Act of 1998.

Protecting the privacy of confidential information is quickly becoming a measure of success in the business world--because companies improve their reputation when they take care to safeguard the personal data people entrust to them. These organizations also attract customer loyalty, and that gives them an edge over competitors who don't make privacy a priority. This article shows CPAs in industry or in public practice how they can help businesses achieve their privacy compliance goals. It also summarizes provisions of the major federal privacy laws (see "Privacy Protection Is Mandatory," page 49).

THE CPA AS PRIVACY STRATEGIST

Some businesses may not see privacy compliance as a way to develop a positive corporate image. But CPAs can stress to them that solid policies are good business practices, says Everett C. Johnson, CPA, partner at Deloitte & Touche LLP in Wilton, Connecticut, and chairman of the AICPA enterprise-wide privacy task force. "Privacy matters to people who provide an organization with personal information about themselves," he adds, "and businesses need to demonstrate their respect for the confidentiality of the data that customers entrust to them."

To succeed in these engagements, CPAs must be well versed in privacy law and be able to evaluate an entity's compliance level (see "Resources for Privacy Consultants," page 52). To help an organization become privacy compliant, a CPA must understand how it gathers, uses, stores and discloses customer/client data.

A FOUR-PHASE APPROACH

CPAs should assemble a versatile team to design a plan to identify data protection deficiencies, create a strategy and implement and monitor the plan for compliance. Team members should represent various parts of the organization including legal, internal auditing, risk management, finance, information security, human resources and operations. The group will assess the company's practices and should report to an executive in charge of privacy compliance. These are the team's responsibilities:

Phase 1: Perform an initial assessment of privacy policies and procedures.

To determine whether the entity follows formal methods to protect data, the team will

* Document the type and location of all customer/client data--inside and outside the organization--and all systems that collect, process, use or distribute personal information.

* Verify compliance deadlines.

* Review and record existing information security and management policies and procedures. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.