3 Principles of Protecting Client Information and Confidentiality for Accounting Firms

Over 20 years ago, accounting firms began to recruit more lawyers to expand the range of services they could offer such as tax, estate and business planning and employee benefits consulting. This shift occurred years before accounting firms began to handle the amount of data they handle now. With this expansion, came the complex responsibility to protect that data from theft or breach.

To make sure clients can expect a reasonable amount of confidentiality and security from the lawyers they work with – and the accounting firms that employ them – the American Bar Association updated its Model Rules of Professional Conduct in 2012 to include “technology amendments.” These amendments provide advisory rules for working with client data -- even when working with it in a second, non-practicing career or as a consultant -- and form a solid basis of confidentiality for any firm working with client data.

Does your accounting firm employ or work with lawyers? Then you’ll want to be sure you’re protecting your client data with the following informal technology-related advice from the American Bar Association.

Principle  No. 1: Threat Awareness

First, it’s important for lawyers and the accounting firms that work with them to understand they can be popular targets for hacking and data loss. An informal opinion of American Bar Association commented on the Model Rules of Professional Conduct to say hackers target lawyers because:

  1. They obtain, store and use highly sensitive information about their clients, while at times utilizing safeguards to shield information that may be inferior to those deployed by the client, and
  2. The information in their possession is more likely to be of
    interest to a hacker and likely less voluminous than that held by the client

These two critical observations explain why the ABA worked to add “technology amendments” to the Model Rules in 2012 – and why your team needs to do whatever it takes to secure your client’s data. This is particularly important if you work with proprietary information in sensitive industries, such as mergers and acquisitions, industrial designs, healthcare, banking, defense and education.

Principle No. 2: Provider Competence

According to the first “technology amendment” of the Model Rules, Rule 1.1 requires a lawyer – and in this case, an accounting firm that employs a lawyer – to be competent. This means a lawyer should, “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

The first step in keeping abreast of changes in the law is understanding how confidential information you house is transmitted, and where it is stored, so that you know which changes affect your firm. Understanding these details makes you better prepared to manage the risk of inadvertent or unauthorized disclosure of your client information and allows you to carefully assess every potential access point. Even better, partner with a data storage and security expert who can alert your firm to changes in security protocols (such as the recent GDPR deadline) and make sure your client’s data is as secure and unreachable as possible.

Principle No. 3: Client Confidentiality

Rule 1.6 of the ABA’s “technology amendment” establishes a lawyer and firm’s duty to make a reasonable effort to maintain client information as confidential and prevent inadvertent or unauthorized access. However, a further informal opinion clarifies that in some cases special security precautions should be taken, particularly when required by agreement with a client or when the nature of the information requires a higher level of security.

Do you handle sensitive client information, such as banking and personal identification information? What is the likelihood of disclosure if you don’t deploy additional safeguards? And, what is the cost and difficulty of implementing those safeguards? These are questions you’ll need to ask your data protection partner to make sure you’re housing your client data in a sufficiently secure environment.  

Not sure how to get started with abiding by the ABA’s Model Rules of Professional Conduct? Find a data protection partner who can help you make sense of these requirements and ensure that your client data is protected with up-to-date, constantly evolving security protocols.