Cybersecurity Awareness Month sees state cybersecurity measures affecting CPA firms

October is National Cybersecurity Awareness Month, and CPA firms throughout the nation are seeing stepped-up activity on cyber-related issues by state lawmakers. Protecting consumer data and sensitive information is a rising priority across the country. During the 2018 legislative sessions, nine states passed legislation related to cybersecurity. And some of these bills directly affect CPA firms.

For example, the Colorado legislature passed the Protections for Consumer Data Privacy Act that amended notification requirements for a data breach. Under the new law, entities that maintain, own or license digital personal information about a Colorado resident must conduct a “prompt investigation” when they become aware that a security breach may have occurred. Should the investigation conclude that a breach occurred, the entity must notify all affected Colorado residents within at 30 days.

The Louisiana legislature passed a bill to require any person conducting business in the state that owns or licenses computerized data that includes personal information to “maintain reasonable security procedures and practices.” Previously, the law required that businesses notify those affected by a data breach “in the most expedient time possible and without unreasonable delay.” The bill amended this language to clarify that this time period cannot exceed 60 days from the discovery of the breach.

As CPA firms store lots of personal information related to their clients, this type of legislation directly affects them. The AICPA’s State Regulation and Legislation Team will continue to track cybersecurity legislation to determine its impact on CPA firms.

Visit the AICPA’s Cybersecurity Resource Center for more information.