Al Jones, a staff member of the CPA firm Smith & Smith CPAs, was in the middle of replying to email messages at the office when he clicked a link and a small pop-up “Security” screen required his password in order for him to continue. Jones entered his password and continued reading his email. He was unaware that he had just enabled a hacker to access his email account.
Some of Jones’s email correspondence was with a payroll service provider regarding W-2 forms. Jones received a message from the payroll provider’s email address requesting copies of a large number of client W-2 forms. It was an unusual request, but Jones complied with it.
Jones grew concerned about the unusual request and emailed the provider to inquire whether the forms had been received, but got no reply. The hacker had accessed the provider’s email account and had diverted their response. Jones eventually called his contact at the provider. The provider representative indicated that they had not requested or received the W-2 forms, and had stated so five days ago when they responded to Jones’s email inquiry.
Jones then looked closely at the email address of the email sender who requested the W-2 forms. It looked much like the payroll provider’s email address except that it was off by one character. The W-2 forms Jones had sent included Social Security numbers, but he wasn’t certain whether the form files he’d sent were encrypted. He then reported the potential breach to the firm’s managing partner.
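The tell Jones eventually noticed, a sender domain one character away from the real payroll provider's, is something a mail gateway or a simple triage script can catch before a staff member has to. The following is an added example, not part of the CAMICO story or any CAMICO tooling: it scores the domain of each From: header against a list of domains the firm legitimately corresponds with using Levenshtein edit distance and flags near misses. All domains and headers in it are constructed placeholders, and the distance threshold is an assumption to tune per environment.

```python
"""Flag inbound sender domains that nearly match a trusted partner domain.

Added example (not from the original page). A lookalike domain that differs
from a known partner's by one or two characters is a common business-email-
compromise pattern; exact matches are trusted, far-off domains are ignored,
and anything in between is surfaced for a human to check.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed: domains the firm exchanges sensitive documents with.
TRUSTED_DOMAINS = {"examplepayroll.com", "smithandsmithcpas.com"}


@dataclass
class Finding:
    sender: str          # the full From: header that was flagged
    lookalike_of: str    # the trusted domain it resembles
    distance: int        # edit distance between the two domains


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header: str) -> str:
    """Return the lower-cased domain of a From: header, ignoring any display name."""
    addr = header.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].strip().lower()


def check_sender(header: str, trusted=TRUSTED_DOMAINS,
                 max_distance: int = 2) -> Optional[Finding]:
    """Return a Finding if the sender's domain is a near miss of a trusted one.

    max_distance is an assumed threshold: 1-2 catches single-character swaps
    such as the one in the story without flagging unrelated vendors.
    """
    domain = sender_domain(header)
    if domain in trusted:
        return None                      # exact match: legitimate partner
    best: Optional[Finding] = None
    for t in trusted:
        d = levenshtein(domain, t)
        if 0 < d <= max_distance and (best is None or d < best.distance):
            best = Finding(header, t, d)
    return best


def scan(headers: List[str]) -> List[Finding]:
    """Run check_sender over a batch of From: headers and collect the findings."""
    return [f for f in (check_sender(h) for h in headers) if f is not None]


# Constructed sample headers: one genuine, two lookalikes, one unrelated.
SAMPLE_FROM_HEADERS = [
    "Payroll Team <support@examplepayroll.com>",   # legitimate partner
    "Payroll Team <support@examplepayro1l.com>",   # 'l' swapped for '1'
    "billing@exampleplayroll.com",                 # one inserted letter
    "newsletter@unrelated-vendor.net",             # far from any trusted domain
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FROM_HEADERS):
        print(f"REVIEW: {finding.sender!r} resembles {finding.lookalike_of} "
              f"(distance {finding.distance})")
```

Run as a script it prints the two lookalike headers and stays silent on the genuine and unrelated ones; the same check can be dropped into a mail filter's scripting hook or run over an exported mailbox during an investigation to find which messages actually came from the impostor domain.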
After reading the following questions, select the one answer that is the best response.
1) Which of the following steps should the firm take first?
A. Call in a computer forensics expert to determine whether or not a data breach has occurred.
B. Report the potential breach to the firm’s cyber insurance carrier.
C. Report the potential breach to law enforcement.
2) Social media posts about the firm’s potential breach begin to appear, perhaps as the result of the hacker wanting to cause trouble for the firm. The firm should:
A. Post a statement on social media indicating that a potential data breach occurred at the firm, but that the firm will take care of those affected and will assume damages if it is determined that a breach has actually occurred.
B. Work with your insurance, legal and forensics advisers to ascertain whether a breach has actually occurred and whether it requires notification of the individuals affected; also work with the advisers to craft notification letters and any other communications.
C. Both of the above.
3) Post-breach communications with affected clients should:
A. Explain in detail how the firm got into the breach situation in the first place.
B. Reassure clients that the firm is on top of the situation and will address the cause of the breach quickly.
C. Offer a sincere apology and consider offering credit monitoring and identity theft assistance.
D. B and C.
E. A, B and C.
1) Answer A: Incorrect.
If a forensics expert conducts an investigation outside of the firm’s relationship with an insurance carrier or attorney, the communications produced by the investigation may not be protected by attorney-client privilege.
Answer B: Correct.
The firm should first report the breach and obtain the advice of the firm’s insurance advisers. If no cyber coverage is in place, an attorney should be consulted. The subsequent communications produced by an investigation may then be protected by attorney-client privilege. If a breach has occurred, as defined by the state and federal laws that apply, the next steps would include complying with those laws, which may require reporting to law enforcement.
Answer C: Incorrect.
A potential breach should not be reported to law enforcement. If it has been determined that a breach has occurred, as defined by the state and federal laws that apply, the next steps would be to comply with the laws, which may require reporting to law enforcement.
2) Answer A: Incorrect.
Statements and messaging should focus on established facts and not on speculation or conjecture. Admitting liability or assuming damages generally violates conditions of insurance policies if done before notifying the insurance carrier of a potential claim and obtaining the carrier’s written consent.
Answer B: Correct.
All communications should be created in conjunction with insurance and legal advisers. While it is important to communicate quickly, messaging should focus on established facts and not on speculation or conjecture. Admitting liability or assuming damages generally violates conditions of insurance policies if done before notifying the insurance carrier of a potential claim and obtaining the carrier’s written consent. The firm should first report a potential claim to its insurance carrier, work with the carrier, and obtain its consent before making any statements.
Answer C: Incorrect, as explained in the answers to A and B.
3) Answer A: Incorrect.
As data breaches have become more common, few people care about the details of how organizations got into the situation in the first place. What people want to know is that management is on top of the situation and will address the cause of the breach quickly.
Answer B: Correct but not the best answer.
People are also interested in a sincere apology, credit monitoring, and identity theft assistance.
Answer C: Correct but not the best answer.
People also want to know that the firm is on top of the situation and will address the cause of the breach quickly.
Answer D: Correct.
Don’t delay responding to confirm how the breach occurred. People want to know that management is on top of the situation and will address the cause of the breach quickly. They are also interested in an apology as well as good information and services that address their concerns and anxieties. Studies show that it can take 8 to 12 months to repair reputational damage and diminished brand value from a data breach, so moving quickly while working with risk and legal advisers is important.
Answer E: Incorrect, as explained in the preceding answers.
“War Stories” are drawn from CAMICO claims files and illustrate some of the dangers and pitfalls in the accounting profession. All names have been changed.