Cloud computing, social media, and confidentiality.
One of the first allegations to make the headlines this year was that the IRS obtained taxpayer e-mails directly from Internet Service Providers (ISP) without first obtaining search warrants. The issue came to light in April 2013, when the American Civil Liberties Union (ACLU) reported that documents obtained under a Freedom of Information Act request suggested that it was the IRS's position that it did not need a warrant before reading taxpayer e-mails during criminal investigations. The IRS's position was that taxpayers "do not have a reasonable expectation of privacy" with regard to their e-mails. In May 2013, the IRS released a new policy (IRS Policy Statement 4-120) regarding how requests for e-mails from ISPs should be handled. Under this policy, the IRS will obtain a search warrant in all cases when seeking the content of e-mail communications stored by an ISP. The new policy also indicates that the IRS will not seek e-mails during civil administrative proceedings.
The most recent, and undoubtedly most prominent, story involving individuals' right to privacy involves a former government contractor, Edward Snowden, who leaked documents revealing that the NSA had collected the phone records of millions of Americans as part of an antiterrorism effort. The documents also revealed that an NSA program called Prism forced major Internet companies to turn over the detailed contents of communications, such as e-mails, video chats, pictures, and more.
This discussion will address the current laws that attempt to protect private communications and other electronic information generated by CPAs. As trusted advisors, CPAs are in a position to access and electronically store confidential client information of a sensitive nature. Two recent trends in technology where privacy laws have not kept up with technological innovation--cloud computing and social media--are also explored. Both of these technologies have expanded due to increased Internet bandwidth, expanded use of wireless technologies, and other technological advancements. The ubiquitous use of the Internet, wireless access, and technology advancements has created new risks to the privacy of information of both a personal and business nature. The ensuing sections will address some of the issues that are important to CPAs with regard to these recent issues and provide some practical suggestions for CPAs and their clients.
Cloud Computing and Social Media
Cloud computing is a relatively new phenomenon changing the landscape of business and technology in significant and far-reaching ways. Cloud computing is a colloquial expression used to describe a broad range of computing resources. Typically it involves a number of computers connected through the Internet to central servers that store, record, and process information in real time.
Cloud computing is so far-reaching that almost everyone connected to the Internet has used it at some point. For example, popular web-based e-mail services, such as Gmail and Yahoo, meet the definition of cloud computing. Users connect to Google central servers in real time, via the Internet, and information is stored, recorded, and processed on them. The extent of cloud computing extends far beyond the simple example of e-mail to include a variety of services, such as data storage, backup services, server hosting, and myriad other business services that occur in the "cloud" rather than on the user's own hardware. For smaller accounting practices and other businesses, cloud computing can offer access to sophisticated resources that would not otherwise be available.
Social media refers to the means of interactions by which people create and share information within communities on the Internet. Common social media websites used by CPA firms and their clients include such familiar names as Facebook, Twitter, Google+, LinkedIn, Flickr, and Myspace. The social media phenomenon encompasses billions of users worldwide and continues to grow in popularity. For example, all of the Big Four and most national accounting firms have Twitter, Facebook, and LinkedIn accounts and regularly tweet on a variety of issues. Associates at CPA firms are able to network through these social media sites. Businesses of all sizes have come to realize the importance of including social media, once thought of as only a passing fad, within their marketing mix.
With access to data becoming virtually unlimited and constantly changing, the privacy protections afforded by the Constitution can be seen as both limited and antiquated. The line between traditional computing and cloud computing is blurring, as is the distinction between whether data are stored locally or in the "cloud." But the laws that protect communications have not been updated in decades. Many in the legal community believe that the "reasonable expectation of privacy" doctrine needs to be updated for the issues entailed in cloud computing. The framework for the protection of electronic communications is governed by the Fourth Amendment, as well as various federal statutes, such as the Electronic Communications Privacy Act of 1986 (ECPA), which includes the Stored Communications Act (SCA).
The Fourth Amendment provides that "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." Its primary purpose is to protect the privacy of citizens against government intrusion. To determine whether the Fourth Amendment applies to a particular situation, a court first asks whether the government activity amounts to a search. Under the test articulated in Katz v. United States (389 U.S. 347 [1967]), an activity is a search if the person had an actual, subjective expectation of privacy and that expectation is one that society is prepared to recognize as reasonable; the inquiry turns on the facts and circumstances of each situation.
In the past, courts have applied the Fourth Amendment to Internet communications by analogy to the physical world. The traditional cases have focused on whether information was considered "content" or "non-content." In most cases, the courts have held that access to Internet communications that amount to content of the communication is a search that necessitates the procurement of a warrant. On the other hand, access to non-content information--such as routine information, including an Internet Protocol (IP) address--involves a lesser legal process.
Federal courts have approved government requests for warrantless access to a customer's cell site data under the SCA on the grounds that the data are in the possession of a third party and are therefore not protected by the Fourth Amendment. The process required to obtain stored communications under the SCA depends on how long the information has been stored and on how the provider is classified. For much of this information, the SCA imposes a less-than-probable-cause standard, which is lower than the standard the Fourth Amendment requires for a warrant.
The Supreme Court has not yet addressed the application of Fourth Amendment constitutional protections to e-mail or other data stored in the cloud, but a few lower courts have addressed this important issue. In 2010, a significant appeals court judgment in U.S. v. Warshak (631 F.3d 266 [6th Cir. 2010]) held that e-mail was protected by the Fourth Amendment, and that government agents should obtain a probable cause warrant from a court before compelling e-mail providers to turn over users' messages--regardless of whether they had been stored on a server for more than 180 days. In Warshak, the Sixth Circuit found that consumers have a reasonable expectation of privacy in the content of e-mails stored on third-party servers. Warshak was investigated for a scheme involving defrauding customers of his company. The government obtained approximately 27,000 e-mails from Warshak's ISP without a warrant. Warshak moved to suppress the e-mails, arguing that the government had searched material protected by the Fourth Amendment without a warrant. The Sixth Circuit held that an ISP that stores or sends e-mail is not a third party from which electronic communication can be compelled without a warrant, and that such e-mail is subject to the constitutional protections of the Fourth Amendment. It is important to clarify that the court's decision did not entirely bar warrantless searches. It noted that, where an ISP has a stated policy of monitoring the contents of e-mail and did in fact monitor them, a warrant might not be required. This case shows that the privacy and confidentiality rights associated with data vary significantly, depending upon the terms of the service agreement.
Regarding statutory law, the ECPA governs law enforcement access to e-mails. It has been described as bringing the constitutional and statutory protections against wiretapping of communications into the computer age. But, written nearly 30 years ago, the ECPA has been criticized as outdated. Through the SCA, it draws a distinction between unopened e-mail that has been stored on a provider's server for 180 days or less and e-mail that is older or has already been opened. The former requires a warrant; the latter can be obtained with a subpoena or a court order issued on a lesser showing than probable cause.
In addition to federal and state laws, CPAs face myriad rules and regulations in regard to keeping their clients' information confidential. One of the main confidentiality requirements arises from the AICPA's Code of Professional Conduct Rule 301. Rule 301 requires members in public practice not to disclose any confidential client information without the client's explicit permission. The rule provides limited exceptions to the confidentiality requirement, such as when a CPA is complying with a subpoena or summons; undergoing a peer review inspection or ethics investigation; or navigating a prospective purchase, sale, or merger of the CPA firm. The confidentiality requirement imposed by the AICPA upon its members is generally extended to nonmember CPAs through various mechanisms. First, many state boards of accountancy have adopted or make reference to the AICPA Code of Professional Conduct. Many state CPA societies also require members to abide by the code or have wording in their own charters to prohibit the dissemination of protected client information. Finally, CPAs must also consider other confidentiality requirements that might be imposed by the PCAOB, the SEC, the IRS, and other privacy laws at the state and federal levels. For example, in many states CPAs are shielded by an accountant-client privilege.
A CPA's ability to keep a client's information confidential has become increasingly difficult, if not impossible, in the digital age. The day of hard copy files and manually prepared documents is a thing of the past; only the smallest firms have not made the move, in at least some respect, to digitize their operations. The issue then becomes: how can CPAs fulfill their responsibilities to keep their clients' information confidential in the digital age, when much of a CPA's work product is either prepared, stored, or disseminated online?
Recognizing the challenges faced by businesses in managing privacy, a joint project of the AICPA and the Canadian Institute of Chartered Accountants (CICA) resulted in the issuance of Generally Accepted Privacy Principles (GAPP) in 2009, which was developed for use by businesses in developing privacy programs and as a tool for boards and others charged with governance and oversight. The framework consists of a single privacy objective that is supported by 10 privacy principles. The AICPA suggests that GAPP can be effectively used to accomplish the following:
* Establish and manage privacy programs
* Monitor and audit privacy programs
* Measure performance and benchmark privacy programs.
Although GAPP does not specifically mention cloud computing or social media, the standards provide practitioners with suitable criteria to assist clients in developing and maintaining privacy policies.
The accounting profession has seen many dramatic changes over the last 20 years, perhaps the most prominent of which has been the effect of technology. Gone are the days of green bar paper, abandoned in favor of electronic preparation and storage of the accountant's work product. While many CPA firms prepare and store documents on servers physically located in the firm's office, many firms prepare and store documents in the cloud. In addition, over the last 10 years, e-mail and social media have gained vast social acceptance and have become common methods of communication between clients and their accountants. But cloud computing and social media present significant challenges for CPA firms and their clients, not only with respect to managing these data, but--more importantly--with respect to the confidentiality and privacy of the data.
One troubling aspect that practitioners need to be aware of is the IRS's position on social media. Despite the IRS recently agreeing not to read taxpayers' e-mails without first obtaining a search warrant, the IRS's position on social media is less restrictive. The IRS provides guidance to investigators about reading publicly accessible social media websites to find information about taxpayers that might contradict their tax returns. In addition, during recent testimony before Congress, IRS acting commissioner Steven Miller indicated that he was not sure whether the IRS's requirement for obtaining warrants to access taxpayers' e-mails also applied to private communications exchanged on social media sites. The IRS has issued guidance to CPAs about safeguarding taxpayer information, but it has not specifically addressed cloud computing.
Cloud computing raises serious privacy and confidentiality concerns for CPAs, because not only are the firm's data entrusted to the cloud service provider--so are the clients' data. A data breach at a cloud service provider could expose those data to unauthorized parties, and a government agency could obtain them from the provider without the CPA's knowledge or consent. From a legal standpoint, cloud computing also presents jurisdictional issues. Data uploaded to the cloud reside on physical servers. These physical locations may be in other states, perhaps even other countries. As mentioned above, the current laws are unclear about this matter, and there are few cases that have dealt with cloud computing. In light of constantly changing technology, there have been several legislative proposals to extend Fourth Amendment protections to digital communications and to update existing statutory protections, including the SCA, for information in the cloud.
Confidentiality and Data Security
Keeping data confidential and secure in the digital age is a paramount concern for most CPAs. These concerns are particularly important because the disclosure or release of sensitive data could have serious implications for not only a CPA's clients, but also the CPA firm itself. There are many things that one can consider in light of the recent high-profile cases discussed previously.
Selection of cloud service providers. Don't take security for granted. Inquire about a provider's policies with regard to confidentiality, data integrity, and availability. Make sure that the service provider has undergone an AICPA Service Organization Controls (SOC) examination and can furnish the resulting report. There are three kinds of report. A SOC 1 report focuses on controls relevant to a user entity's internal control over financial reporting. A SOC 2 report addresses controls relevant to security, availability, processing integrity, confidentiality, and privacy (the Trust Services principles), includes the auditor's detailed tests and results, and is intended for restricted distribution. A SOC 3 report covers the same Trust Services criteria in a general-use summary without the detailed test results. CPAs should consider which report would be necessary, depending upon various factors, such as the type of data being uploaded to the cloud and the sensitivity of those data. When reviewing a report, also confirm whether it is a Type 1 (controls in place at a point in time) or a Type 2 (controls operating effectively over a period), what period it covers, that its scope includes the systems that will hold the firm's data, and whether the auditor noted any exceptions.
Service agreements. When selecting or assessing cloud service providers, the details of the service agreement merit serious consideration, in particular whether the provider reserves the right to access or monitor stored content (which, as Warshak illustrates, may affect the expectation of privacy in those data), where the data are physically hosted, and how the provider responds to requests from government agencies.
Social media. Advise clients about the risks of using social media to announce major life events such as trips, large purchases, and extravagant lifestyles. Consider adopting effective strategies for monitoring and maintaining the firm's own social media presence.
E-mails. Consider the need to consult with an attorney on the development of policies regarding the deletion of old e-mails from ISP servers.
Policies. Decide which information needs to be stored electronically on in-house servers and which information will be uploaded to the cloud. Consider which information should be stored electronically and which information should be retained in hard copy.
Although the jurisprudence of privacy rights with regard to Internet users is in its infancy, current case law sheds some light, however dim, on how the Fourth Amendment and federal statutes apply to the cloud and cloud computing. Courts have not distinguished between traditional forms of Internet communication and cloud-based communication. When applying the SCA, cloud computing has not received the same amount of privacy protections as traditional e-mail services. CPAs should consider the implications of these grey areas of the law and structure their practices and policies accordingly. Cloud computing and social media offer CPAs undeniable possibilities with regard to expanding technological capabilities and generating new business, but these increased opportunities come at a cost. Perhaps the most important take-away is that the amount of privacy anyone's data have in the cloud is determined by the cloud service provider's agreement.
Maria Pirrone, JD, CPA, is an assistant professor of accounting at St. John's University, Jamaica, N.Y., and Joseph E. Trainor, PhD, CPA, is also an assistant professor of accounting at St. John's University.
Author: Pirrone, Maria; Trainor, Joseph E.
Publication: The CPA Journal
Date: Nov 1, 2013