Data Breach Notification Requirements Changing for CPA Firms

State legislatures across the country are looking at ways to protect consumer data – and some proposals would directly impact CPA firms.

For example, the New York State Assembly recently introduced legislation to update the notification requirements that CPA firms must follow when a data breach occurs. The bill would require firms to notify New York state agencies when biometric data, email addresses or user names are breached in combination with passwords or security question answers. 

Significantly, the New York proposal would apply these requirements not just to firms conducting business in New York, but also to any entity that stores a New York resident’s private information. This means that out-of-state firms with clients in New York would be subject to the new rules. Additionally, the bill would allow the New York Attorney General to sue an entity that fails to provide reasonable data security. 

In Virginia, the House of Delegates introduced a bill that would require CPA firms to disclose a breach of personal information to the Attorney General and any affected Virginia resident within 30 days. The notification requirement would be triggered when unencrypted or unredacted personal information is accessed and acquired by an unauthorized person. 

CPAs should be aware that some state legislatures are advancing this type of legislation and should be mindful of the legislative and regulatory environment in all states in which they practice. 

The AICPA’s State Regulation and Legislation Team will continue to track cybersecurity legislation – particularly related to data breaches – to determine its impact on CPA firms. To help mitigate cyber breaches, the AICPA also provides guidance in its Cybersecurity Resource Center to help CPA firms assess risks related to client and customer information.