CPA firms' data security threatened in state legislatures

March 27, 2019

woman working at computer monitors

Several state legislatures are proposing legislation to impose new and more invasive data tracking requirements for vendors contracting with government agencies. These new requirements will increase costs and compromise data security for all vendors, including CPA firms.  

The AICPA’s State Regulation and Legislation Team has identified this type of legislation in fifteen state legislatures so far.

For example, Kansas’ Secure Transparent Overview Process for Reducing Abuse, Underutilization and Deficit Act (STOP FRAUD Act) would have required contractors to, “use software to verify that hours billed for work under the contract that are performed on a computer are legitimate. The contract must specify that the agency will not pay for hours worked on a computer unless those hours are verifiable by the software or by data collected by the software.”

CPA firms would be required to use the software that allows the third party to collect data, track keystrokes and mouse movements and take screen shots every three minutes to ensure that all billed hours match up with the work identified through the computer evidence.

While this legislation attempts to enforce contractor productivity and cost efficiency, the AICPA believes it presents unnecessary risks and unintended consequences. It would transfer the ownership of sensitive data to a third party and increase the data security risk. The legislation would increase costs across the board for CPA firms, including the cost to implement the new software. The legislation also ties work payment to computer usage, only counting billable time to work being done on the computer. It does not consider any work, meeting or other activity that is not computer-based for contract payment.   Moreover, the legislation is part of a national campaign supported by one of the software’s developers, Transparent Business.

While bills in Arkansas, Kansas, Maryland, Mississippi, South Dakota and Virginia died or have been withdrawn, the AICPA expects even more states to introduce similar legislation this year.

CPAs should be aware that state legislatures are advancing this type of legislation and should be mindful of the legislative and regulatory environment in all states in which they practice. If you have questions about this type of legislation in your state, we encourage you to reach out to your state CPA society.