Introduction
This class consists of four 25-minute lectures delving into the important discussion of Data Protection and Cyber Security for Accountants.
Learning Outcomes
From this course, learners will take away:
- Why they need to consider data protection and cyber security, as business owners, and as accountants, and what Federal and State laws they need to be aware of, and with which they must comply
- How to begin and advance the process of developing a comprehensive data protection and cyber security program
- How to prepare your business and your personnel for the inevitable cyber-attack, how to respond to an attack, and how to recover and move forward after an attack
- Understanding risk and risk mitigation – through insurance, contracts and vendor management programs
Core Values
According to the former Chairman of the House Intelligence Committee, Mike Rogers, “[t]here are two kinds of companies. Those that have been hacked and those that have been hacked but don’t know it yet.” More than 70% of cyber attacks are against small to medium size businesses; and according to the Ponemon Institute, the average cost of a data breach to a business in the United States is $7.91 million. While we read about these attacks daily in the news, a small business owner is often at a loss as to where to begin. However, as accountants, and trusted business advisors to your clients, you cannot ignore this issue. As it is, all 50 states have breach notification statutes that require a business owner to report a breach that exposes personal information; and already 25 states have adopted proactive legislation, requiring business owners to proactively take “reasonable” measures to protect the personal information that they collect, control, process, use, transmit, store and destroy. Even in the absence of any legislation, the courts have ruled that a company has “a common law duty” to take “reasonable measures to protect” the sensitive data it collects from the “foreseeable risk that [hackers] would attempt to [compromise and/or steal] that information.” Dittman v. UPMC, No. 43 WAP 2017, 2018 WL 6072199 (Pa. Nov. 21, 2018). This course will help you, as trusted advisors to your clients, to protect your business and your clients’ data, and to be able to respond to and recover from the inevitable breach.
Resources
There is no textbook for this course. There will be four 25-minute lectures with PowerPoint slides. Additionally, the course will provide links and resources for:
Topics Covered in this Course
Lesson 1: Why does it matter? Why should an entity think about data privacy and security?
- As a business owner
- We will discuss the impact on any business of being cyber mindful, as well as the impact of failing to be mindful
- As an accountant
- We will discuss why the obligations are heightened with the type of data held by accountants, and how their clients rely upon them as trusted advisors.
- By law
- Federal law
- We will discuss at a high-level certain key Federal Statutes, including CAN-Spam (regarding online advertising), Computer Fraud and Abuse Act (as a tool to enforce against rogue employees), Section 5 of the FTC Act, and others
- State law (a survey)
- We will discuss to whom the California Consumer Privacy Act applies, and what it means for your business
- We will discuss other pending state laws, including NY, NJ, MA, and others
- We will discuss Illinois’ BIPA (Biometric Information Privacy Act)
- Case law
- Two key cases will be discussed which, in the absence of a law, imposed common law duty on companies to protect personal information
- Sectoral law – we will discuss broadly the federal laws and industry specific laws in place – which do not apply to accountants per se, but may impact accountants as vendors and/or as business associates (under HIPAA)
- HIPAA
- GLBA
- NYS DFS Regulations
- International considerations
- GDPR – we will discuss the key rights for individuals, and the obligations of companies – and vendors – regarding data collection, use, consent, the right of erasure (to be forgotten), risk assessments, and more
Lesson 2: Where do I start and what do I do?
- Identify
- A business cannot develop policies and procedures without understanding what data it controls and/or processes, and where that data is stored, collected, processed, shared, and how/when it is destroyed. This applies to electronic data as well as paper (hard copies) and other media.
- Assess
- A discussion of what a risk assessment is, what a penetration test is intended to accomplish and when/how a company should do either
- Identification and discussion as to types of risks
- Mediate/Remediate (covered in part in third lecture) (see below for more)
- Once risks are identified, do you:
- Accept the risk
- Remediate (eliminate the risk)
- Mitigate the risk – put in measures to reduce the impact
- Shift the risk –to vendors, cyber insurers, etc.
- Monitor
- Monitoring your systems is critical to identifying incidents quickly
- Respond (covered in the third lecture)
- Companies should (and will soon by law be required to have) an incident response plan
- Recover
- After an incident occurs, how will your business get back to “normal operations”
- Resources – frameworks and samples
Lesson 3: Policies, Procedures, Incident and Breach Response
- Developing policies and procedures
- Written
- Technical
- Outward facing
We will discuss what these policies should look like; where they should be maintained; how often they are reviewed and/or updated; and the difference between internal policies and public privacy notices (and why both are needed)
- Training
- One of the best, most cost-effective ways to protect your environment and data is to train your personnel
- We will discuss who needs to be trained, how often and how to effect training
- Developing an Incident Response Plan
- We will discuss what the plan should entail
- Who should be part of your incident response team
- Should a company do a table top exercise
- How often should the plan be reviewed
- Responding to an Incident
- Response will depend on the nature of the incident, but you need to respond quickly
- Was there an incident (only) – or an actual breach (NEVER use the “B” word before you need to do so)
- Do you need to give notice, and if so, to whom, how and when?
- Do I have clean systems and data to continue to operate while I respond?
- Diagnosing the Breach
- Has the root cause/means of access been identified?
- Has the “back door” been closed?
- Recovering, restoring and regrouping
- We will discuss how you get back to business as usual – and how you go about regaining customer and/or employee trust
- Revisit written policies and procedures – where did they fail and how do they need to be revised to avoid a repeat?
- If policies are changed, do you need to retrain personnel and/or revise your publicly facing privacy notice?
Lesson 4: Types of Risk, Risk Shifting, and Vendor Management
- Types of Risk
- Financial – we will discuss direct costs (costs to investigate, recover data, replace hardware or software, or both, etc.) and third-party costs (fines, credit monitoring costs, and claims for damages)
- Operational – we will discuss how an incident impacts operations – how many of your resources will be tied up in incident response – and who will continue to do the day-to-day work? And consider how motivated employees are if they know their data was breached…
- Reputational – we will discuss the public reaction, investor reaction, customer reaction and employee reaction. Americans are quick to trust in the first instance… but will they trust again after you have had a breach?
- Legal – in part, this ties into financial (fines, statutory damages), but you may also receive a cease and desist order barring you from continuing certain data-related activities. Further, you may be facing lawsuits from (e.g.) state AGs, the FTC and/or individuals (although not every state and/or statute affords individuals a private right of action)
- Risk Shifting
- Insurance
- Crime, cyber, business interruption and more
- We will discuss what insurance should look like – and understanding:
- Dollar deductibles
- Time deductibles
- Sub limits
- Business interruption coverage
- What will cover a breach vs. a phish
- Failure to report a breach could result in denial of a claim
- Contracts
- Indemnification – what type of indemnification do you have – if it is only damage to tangible property, then data breaches are not included
- Insurance: Does the vendor have insurance to stand behind the indemnity
- If you are the vendor, what are you (already) bound by – think about confidentiality obligations
- Caps on damages
- If damages are limited to (e.g.) fees paid in one year, they are not likely to cover the full extent of damages after a data breach
- Are consequential or incidental damages excluded? Is there a carve-out for a confidentiality/data breach?
- Do your vendors need to give you notice if they have a data incident? What are your obligations to report “upstream”?
- Vendor Management (see above, too)
- Risk assessments – did your vendor recently conduct a risk assessment? Do they conduct penetration tests annually? Will the vendor share results?
- Are they certified by a third party (e.g., PCI compliance)?
- If you are asked by your clients, how will you answer?
- Contracts – does your vendor contract address the issues noted in Section b above? Have you committed to issues for which you do not have insurance coverage?
- Insurance – have you seen the certificate of insurance? Do you know what the policies exclude or limit?
Each session will have a multiple-choice quiz after you have completed the module to make sure you’ll remember the core ideas presented.
Attendance and Grading
All learners who have registered must watch all videos. Learners will be prompted to verify their presence every ten minutes as they watch the lecture videos. Homework is graded “pass” or “fail” based upon meeting deadlines and completing the assignment. We recommend watching one pre-recorded video Lesson per week. You must pass the quiz after each video in order to proceed to the next Lesson.
Live Office Hours
Live office hours are crucial to your understanding and application of course concepts. Because of the depth of this particular course, your instructor will hold one-hour sessions through Zoom. You are required to attend. A Zoom invitation for the live session will be sent to you as soon as you register for the course.
Each session will discuss in greater detail the topics covered in the lessons, and is intended to be interactive. This is your chance to ask questions of the instructor, and to learn from your fellow classmates.
Quizzes
Two types of quizzes are administered for each course: an end-of-Lesson quiz and a cumulative end-of-course quiz. Final grades are given on a pass/fail basis.
- Quizzes after each Lesson to verify learners understand core concepts and know how to apply them before advancing in the course. Minimum passing standards will be learners must achieve an 80% or higher grade for all end-of-Lesson quizzes to qualify to take the cumulative quiz. The LMS provides the quality control to ensure only learners who have achieved an 80% score in a Lesson quiz can advance in the course. Learners have three attempts to meet this requirement. Those who fail the end-of-Lesson quiz must watch the Lesson again and pass the quiz before advancing in the course.
- Final cumulative quiz – learners must have a comprehensive understanding of all course concepts delivered, demonstrated by achieving a score of 90% or better, in order to receive CPE credits. Only those who have achieved 80% or higher in Lesson quizzes qualify to take the final cumulative quiz. Group Leaders will monitor the performance of learners. All courses require learners to take the final cumulative quiz.
Course Instructor Biography
Michelle Schaap, Esq., is a Member of Chiesa Shahinian & Giantomasi PC (CSG), with offices in New York and New Jersey. She is an adjunct instructor for the New Jersey Small Business Development Corporation, and regularly lectures and speaks on cyber security and data privacy.
Combining her technology and corporate experience, Ms. Schaap has spearheaded and developed CSG’s cybersecurity practice. She regularly counsels clients on cybersecurity preparedness, advises clients when data security incidents arise, and trains companies on best practices for security procedures addressing both their business operations and clients’ concerns. Ms. Schaap assesses her clients’ risk management practices and security incident preparedness to develop a proactive response and recovery plan that enables her clients to recover from security breaches. Additionally, Ms. Schaap works with clients on contract review, drafting and negotiation in critical areas of privacy and security.
Ms. Schaap received her Cybersecurity and Privacy Law Certification from Mitchell Hamline School of Law. She received her Juris Doctor from Rutgers School of Law – Newark, and graduated Cum Laude from Cornell University’s College of Arts & Sciences. Ms. Schaap is also a certified construction project manager, earning her certification from New Jersey Institute of Technology.
Ms. Schaap is a sought-after lecturer and speaker. She has spoken on cyber security and data privacy at ISACA, the New Jersey State Bar Association, Professional Women in Construction, Newark Regional Business Partnership, and numerous other private and public forums. She has presented webinars for Lorman and Strafford.