“Fined Without a Breach?” Why the Wojeski $60,000 Penalty Matters—even if You Think You’re Small

You’ve seen two kinds of headlines after cyber incidents: (1) lawsuits and (2) regulatory enforcement. The recent $60,000 fine against Wojeski (Attorney General James Announces Settlement with Accounting Firm for Failing to Protect New Yorkers’ Personal Data) shows you can be penalized for program failures—even without a blockbuster breach.

Lawsuits vs. enforcement—what’s the difference?

Lawsuits are private parties saying, “you harmed me, pay me.” By contrast, enforcement actions come from regulators (FTC, SEC, state attorneys general) under specific statutes and rules meant to deter future misconduct—with penalties paid to the government, not victims. They’re often handled by administrative law judges and can be reviewed by courts. And yes, you can face both at once.

Why CPA/tax practices must follow the FTC Safeguards Rule

If you provide tax prep or similar services to individuals, you may be treated as a “financial institution” under the Safeguards Rule. That means you must “develop, implement, and maintain” a written security program with administrative, technical, and physical safeguards matched to your size and risks.

What “good” looks like (plain English):

  • Appoint a responsible owner (“qualified individual”) to run security.
  • Do a written risk assessment and data inventory.
  • Require MFA and use encryption for sensitive data.
  • Oversee vendors (including your IT/MSP) with security clauses and periodic checks.
  • Train people and test controls regularly.
  • Develop a written incident response plan to guide response and recovery after a security event.

AICPA ethics add teeth on confidentiality and outsourcing

CPA firms must protect confidential client information. Before sharing data with an outside IT provider, either bind them contractually to confidentiality with reasonable safeguards or obtain the client’s specific consent.
CPAs also must plan and supervise third-party providers to ensure work is competent and meets professional standards, which is another reason to demand reports from your MSP.

How to lower your cyber liability (the practical checklist)

  1. Make your MSP co-owner of compliance tasks (risk assessment, MFA, logging, backups) and have them prove it with reports.
  2. Roll out one policy per week with training + user attestations; by ~90 days you’ll have a solid, legally defensible baseline.
  3. Document everything: policies, training acknowledgments, system logs—because if it’s not documented, it didn’t happen.
  4. Consider third-party assessments to validate controls; they become powerful evidence if regulators or plaintiffs come knocking.

Bottom line: Enforcement actions and lawsuits are different hammers, but both swing at weak programs and weak proof. Build the program, keep the receipts, and work with your MSP to make your security and compliance real.