by Rickard Jorgensen, FCII, ARM, ACIArb.
There has been a lot of publicity about hacking attacks on CPA firms. Most recently, one of the big four CPA firms was targeted by a sophisticated hack that compromised the communications, documents and plans of some of its biggest clients.
An article in The Guardian newspaper described an attack on Deloitte which went undetected for several months. An email server was compromised, which gave the hackers unrestricted access to all areas of it. It is likely that a great deal of commercial client data was stolen, data which could be used by competitors and speculators.
Similarly, the SEC's EDGAR system was hacked this year. That event gave criminals access to information about company earnings, insider stock trading and planned mergers and acquisitions, which they could sell to speculators or use to profit by knowing in advance how a stock price would react to the confidential news.
Even the smallest CPA firms keep copies of corporate tax returns, credit information and business plans about commercial clients.
So you think you have coverage?
Many professional liability insurance policies provide an element of liability coverage for claims arising from theft of client data. Many restrict coverage to Personally Identifiable Information, which essentially means data such as social security numbers, credit card numbers and medical records. One recently launched national insurance program added cyber coverage to its policy under an Enhanced Cyber Endorsement which limits coverage to Confidential Records. This is defined in the policy as:
Confidential record means a natural person’s first name or first initial and last name, in combination with:
- Information which is associated with and which uniquely identifies a natural person including, but not limited to social security number, driver’s license number or other personal identification number (including an employee identification number or student identification number);
- Financial account number (including a bank account number, retirement account number or healthcare spending account number);
- Credit, debit or payment card numbers;
- Any information related to employment by an insured;
- Individually identifiable information considered nonpublic personal information pursuant to Title V of the Gramm-Leach-Bliley Act of 1999, as amended;
- Any individually identifiable information considered protected health information pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended; or
- Any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public;
Although there is no specific exclusion in the policy for commercial client records, the prefatory clause, "a natural person's first name or first initial and last name, in combination with", implies that the coverage applies to individuals only. Even the final item, a third party's trade secrets, forecasts, records and reports, is qualified by that clause, so a commercial client's records are covered only where they are held in combination with a named individual's name.
A unique approach
This is a unique approach to this coverage and I am not aware of any other accountants’ professional liability insurance company that restricts coverage in this way.
How does CPAGold™ cover cyber theft of client information?
CPAGold™ takes a different approach by giving affirmative coverage. In the Client Identity Theft endorsement the definition of Property damage is expanded to include:
client records, information or personal data which is in your care, custody or control, or over which you are exercising physical control for any reason;
Additionally, CPAGold™ provides further coverage via the definition of Privacy covered act, which is as follows:
8.20 Privacy covered act means:
8.20.1 Loss or theft of client information transmitted via electronic media or contained on any portable computer or media device used for professional services;
8.20.2 Personal injury arising from your use of electronic media, including the publishing of an Internet website or your membership of a social networking website;
8.20.3 Misdirection of electronic mail or other electronic media; or
8.20.4 Solely with respect to client notification and consultant costs, loss or theft of confidential client information;
The Enhanced Cyber Endorsement which can be attached to the CPAGold™ policy also provides affirmative coverage:
8.35 Data means any data, text, sounds, images or similar matter, including Corporate Information or Personal Information that exists on a Computer System and is subject to scheduled back-up procedures and security protections.
8.32 Corporate Information means any proprietary or confidential corporate information in any format that cannot be lawfully obtained or known by the general public, including customer lists, trade secrets and financial information that are provided to the Insured by a third party.
Restricting cyber coverage to a natural person's Personally Identifiable Information creates a major uninsured gap. Theft of commercial client information can create a significant exposure for any CPA firm. Read your policy. Have your insurance adviser or legal counsel review your coverage. Or consider purchasing a separate cyber policy which provides coverage for theft of ALL client information.