4 Essential Legal Documents For Meeting Your Cyber Security Policy Obligations

Technology and cloud accounting have done wonders for the accounting industry. However, with greater volumes of sensitive data comes increased cyber security risk.

The good news is that those risks can be mitigated and managed.  

Yet most accounting firms DON’T currently have the Cyber Security Policy documents in place to comply with current data breach legislation and protect themselves in the event of a breach and/or PI Insurance Claim.

In this article, we’ll outline the 4 Essential Legal Documents accounting firms should have in place to meet their Cyber Security Policy obligations as a responsible data custodian. 

(Please note: these document templates are provided free to Practice Protect subscribers to use in their firms. Enquire now about gaining access.)

Document 1: Staff IT & Internet Policy Document

Your team members have access to a myriad of passwords and logins across their working and personal lives.

A formal Staff IT & Internet Policy sets company expectations around how company assets are used to access data and the internet.

The details of your policy should contain guidance on the “DOs” and “DON’Ts” that will help to keep your firm and your clients safe. For example:

  • Don’t upload any firm material to any publicly accessible website or computer without permission.
  • Ensure all devices that connect to firm systems are secure and have appropriate protections in place (e.g. PIN codes, thumbprint identification, Face ID, etc.).
  • Don’t put any external storage devices (e.g. USB drives, portable hard drives) into a firm computer unless the device has been virus checked.
  • If a virus warning shows on your screen, do not proceed. Speak to an authorised person.
  • Don’t click on any unusual attachments, except for approved file types.
  • Don’t use your work email to register on illegal, unsafe or suspect websites.

While some of these items may seem like “common sense”, formalising this document is critical.   

In the event of a PI claim, the first thing an insurance company will look for is that systems and procedures were in place to protect client data. Insurance firms routinely deny claims when they discover a formal policy wasn’t in place.

This policy is often the key document that validates your insurance.

Document 2: Client Engagement Letter Language

A good Client Engagement Letter outlines the obligations and expectations for the relationship.

When it comes to data security, your Client Engagement Letter should communicate your firm’s proactive approach to protecting client privacy.

Here’s an example of recommended language we suggest to Practice Protect clients:

Sample Client Engagement Letter Language

The measures we can put in place to protect your personal information and data include (but are not limited to):

  • The ability to apply two-step authentication (2SA) to access across all sensitive applications (not on an application-by-application basis).
  • Restriction of remote access to specific locations and/or blocking of overseas access to our systems.
  • Tracking and monitoring of attempted access to our systems to identify suspicious activity.
  • Logging of usage in an audit trail so that we can retrospectively determine the suspected source of a breach to report to authorities. With this tool we can see what applications were accessed, when they were accessed and from where.
  • Termination of user access to all sensitive cloud applications by disabling a single user account.
  • Remote wiping of mobile devices in the event they’re breached, lost or the user associated with the device is terminated. We can also restrict access to reasonable times such as business hours.
  • Shared access to applications using a single user ID without having to divulge cloud app passwords to staff.
  • Our staff only need to remember one single password for all sensitive applications, decreasing the risk associated with “password sprawl”.
  • The ability to federate our identity systems so that desktops, servers and browser-based cloud applications are all accessed via one single identity.

We have policies and documentation in place, including:

  • An IT and Internet Usage Policy that educates and sets expectations with staff on best practice password and access management.
  • Third Party Access Agreements that govern and limit liability in the event a third party such as an IT contractor or outsourced provider should breach our data security policies.
  • A Privacy Policy that makes clear how we manage client information.
  • A Data Breach Response Plan that lays out the steps we take in the event of a breach and communicates our obligations under the Notifiable Breach Legislation.
  • A specialist data security legal service contracted to support us in the event of a breach to ensure the appropriate remediation and notification steps are taken.
  • A retainer-based engagement with a specialist cyber-security firm that provides guidance and best practice systems to protect our clients’ privacy.
  • Cloud Best Practice™ Certification that validates our firm as a responsible data

Cyber concerns are often an “unspoken objection” from potential clients. Being proactive in addressing these concerns is a marketing strategy that savvy firms have employed to win more new business.

Document 3: Third Party Data Access Agreement

Current legislation states that the party that holds the relationship (the accountant) with the party whose information is breached (the client) is responsible for the protection of data and liable in the event that a data breach occurs.

However, third party contractors, outsourced providers and IT providers have a responsibility for the way they manage an accountant’s client privacy.

A Third Party Data Access Agreement:

  • sets specific expectations when it comes to data management
  • limits your firm’s liability
  • emphasises the responsibility of the third party in the event they’re responsible for a breach

Document 4: Data Breach Response Plan

With the right tools and training in place, you can significantly reduce the risk of a data breach affecting your firm. 

However, it’s also prudent to have a Data Breach Response Plan so you’re on the front foot in the event of an incident. 

Notifiable Breach legislation states that a firm with a Data Breach Response Plan will be looked upon favourably in the event of a data breach.

Here’s an outline of our Data Breach Response Plan template, which covers off the sections that should be included in your Plan:

(Image: Data Breach Response Plan and Policy Table of Contents. Full version free to Practice Protect subscribers.)

Conclusion And Next Steps

While getting the right compliance documents in place probably isn’t the reason you get out of bed in the morning, they’re an essential part of firm governance. 

The right frameworks will not only protect your firm, but they can also serve as “marketing documents” that position you as a highly professional firm. 

The downside is that engaging a specialist law firm to draft these documents for you can get expensive. $5,000 to $10,000 in legal fees is not out of the question.

But before you go spending that type of money, remember that Practice Protect subscribers are licensed to use all our Cyber Security Policy templates free of charge. Also, you can download a free cyber security policy template here.

Practice Protect is a low-cost solution that protects your firm from cyber security threats and embarrassing data leaks, while helping your team to work efficiently in a cloud-first world.  

Book a demo to discuss your situation and explore how we can help.