The CPA's Responsibility for Client Information
Cashell, James D., Fuerman, Ross D., The CPA Journal
Because of potential professional and monetary hazards, CPAs must be astute in their handling of client information. Although the general rule is to never reveal information without a client's consent, there are exceptions.
To mitigate problems with client information, CPAs need to understand the professional and legal issues involved and should know when it is prudent to consult legal counsel. Mere compliance with the AICPA professional standards is insufficient to ensure legal compliance. While courts have, for the most part, relied upon generally accepted auditing standards to establish a CPA's standard of care, they do not recognize such standards as law. At times, the courts have held CPAs to a higher standard. At other times they have deemed that failure to comply with professional standards is only evidence of negligence and does not, by itself, constitute negligence.
The Responsibility to Maintain Information Confidentiality
The CPA's professional responsibility for client information is primarily defined in Sec. ET-301 of the AICPA Professional Standards. The rule states that a member in public practice shall not disclose any confidential client information without the specific consent of the client. It also extends the obligation to maintain the confidentiality of information to other CPAs not directly involved with the client who obtain such information through practice reviews or sanctioned disciplinary hearings. The rule does provide certain exceptions that facilitate compliance with other professional and legal obligations.
The duty to maintain information confidentiality is a legal as well as a professional obligation. With some exceptions, the accountant-client relationship is one of confidentiality, and the failure to maintain a client's confidence could lead to a malpractice action against the accountant. Such was the case in Green v. Savin where the Court permitted punitive damages against an accountant for the unauthorized disclosure of information to the client's wife about his medical practice. The information was later used by the wife in a divorce proceeding.
Even where the intent has been to warn others of pending financial harm, the courts have held that CPAs must not divulge client information. In Wagenheim v. Alexander Grant & Co. (AG), for example, the court ruled AG improperly divulged confidential information about their client, Consolidata Data Services, Inc. (CDS), to other clients. CDS, an audit client of AG, performed payroll services for several of AG's other clients. Upon discovery that CDS was having financial difficulty, AG warned their other clients to stop doing business with CDS. AG argued the other clients would suffer financial damage without the warning. In ruling against AG, the court stated there was no proof that CDS was "irretrievably" insolvent and, therefore, AG had no legal right to alert third parties of CD's financial problems. In its discussion, however, the court indicated that AG's actions might have been justified if CDS either intended fraud by not disclosing its insolvency or did not intend to fulfill its contractual obligations with AG's clients.
General knowledge and expertise obtained through a client engagement is not considered confidential information. This is noted in ET-391.030, which states that knowledge and expertise gained from an engagement that results in a special competence in a particular field can be shared with others without violating the client's confidentiality provided the specific details of the engagement are not disclosed. This ruling has legal support as well, as noted in Agra Enterprises v. Brunozzi. In this case, Agra claimed the accountant violated information confidentiality by using the knowledge and expertise he developed, while employed by Agra, to set up a competing business. The court ruled that the accountant, in using only his general expertise gained through his employment and publicly available information to start his business, did not violate confidential information laws because such information was not confidential. …