Legal Issues and Business Opportunities
Europe has taken an aggressive stance on protecting individual privacy with its comprehensive European Union Privacy Directive. The United States, however, has, until fairly recently, adopted a more laissez-faire approach. Over the last several years, there has been a dramatic increase in the incidence of identity theft and high-profile data security breaches, many of which have involved accountants, tax preparers, and auditors. For example, in January 2006, some H&R Block clients' Social Security numbers appeared on mailing labels. Similarly, Deloitte & Touche, the AICPA, and even the IRS have suffered data breaches. In light of these problems, American consumers and legislators have begun to focus on the privacy of personal information.
Identity theft is the most rapidly growing white-collar crime (Daniel J. Solove, "A Taxonomy of Privacy," University of Pennsylvania Law Review, January 2006). Surveys estimate that approximately 10 million consumers are victimized each year by some type of identity theft. The Federal Trade Commission (FTC) estimates that identity theft cost businesses approximately $50 billion in 2003 (Joel Winston, "Identity Theft and Social Security Numbers," E-Commerce Law Report, April 2006). In this environment, protecting consumer privacy is rapidly becoming one of the most significant legal and technological challenges facing businesses. Respecting and safeguarding consumer privacy is not just a legal issue, however. It is also a business issue that can profoundly affect a company's risks, reputation, and bottom line.
Legal and Compliance Issues
Privacy, a vague, abstract concept, means different things to different people. It is one aspect of disparate legal issues such as abortion, wiretapping, airport screening, disclosure of medical or financial information, police searches, and journalism. Solove's article quoted one privacy scholar's lament: "Privacy seems to be about everything, and therefore it appears to be nothing."
This article uses the AICPA's definition of "privacy" as "the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information." Viewed in this context, CPAs need to comply with a host of information privacy laws, regulations, and rules.
Gramm-Leach-Bliley Act. The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA; 15 USC sections 6801-6809), and its accompanying FTC regulations govern the collection, use, disclosure, and protection of consumers' "nonpublic personal information." 16 CFR section 313.3(n)(1) defines "nonpublic personal information" as "(i) Personally identifiable financial information; and (ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available." GLBA applies to "financial institutions" that are "significantly engaged" in providing individual clients with "financial products or services" for personal, family, or household purposes (i.e., nonbusiness purposes). Significantly for accountants, the statute covers the preparation of individual tax returns and the provision of nonbusiness tax or financial planning advice. As such, accountants who provide these types of services to individual clients must comply with GLBA.
GLBA imposes two significant requirements upon accountants who are covered by the statute. First, accountants are prohibited from disclosing to a nonaffiliated third party any nonpublic personal information of their clients, such as Social Security numbers, tax return data, and account information (15 USC section 6802). GLBA does permit "financial institutions" to disclose certain information if a client is provided an opt-out notice and a reasonable opportunity to opt out of the disclosure. …