Overly on Security

About this Blog:

The legal side of security.

Michael Overly

New Rules for Accountants Placing Data at Risk?


Most businesses that handle highly sensitive information are now sensitized to the need to ensure their vendor and business partner agreements have appropriate protections for confidentiality and security. In particular, given the lax privacy, security, and other laws in many jurisdictions abroad, businesses generally include contractual prohibitions on sending their most sensitive data outside the United States without their prior written authorization. This is to ensure they know where their data is at all times and, if appropriate, can conduct additional due diligence regarding the facilities and countries to which the data may be sent.

In recognition of the foregoing, some state Boards of Accountancy have issued new regulations making clear to accountants that they must obtain their customers' prior authorization before transmitting customer information outside the United States. For example, the California Board of Accountancy, in California Code of Regulations, Title 16, Section 54.1, provides as follows: “In the event that confidential client information may be disclosed to persons or entities outside the United States of America in connection with the services provided, the licensee shall inform the client in writing and obtain the client's written permission for the disclosure.”

One would think this is a good thing.  In fact, some accounting firms are using this new “protection” to grant themselves unbridled rights to send customer data anywhere they choose – even without the express written permission contemplated by the regulations.  These firms have turned the new regulation on its head by dropping form language into every single service description, statement of work, and other similar document requiring the customer to acknowledge that the accountant has affiliates and contractors in other countries and that the customer agrees its highly sensitive information may be sent to any or all of those countries, in the accountant’s sole discretion.

The foregoing approach undermines the entire idea of the new regulations. Customers must understand exactly where their data will reside and have the opportunity to conduct whatever additional due diligence is necessary to either (i) become comfortable with where their data will be used or (ii) reject the request to use the offshore affiliate and/or contractor.

Businesses must be aware of these changing regulations and ensure requests by accountants for broad, unchecked rights to offshore data are rejected.  Businesses should continue to control the destiny of their data. 

 
