TraderStatus.com Privacy Policy

 
  Copyright© 2002 Colin M. Cody, CPA and TraderStatus.com, LLC, All Rights Reserved.
   

CPAs, like all providers of personal financial services, were required* (*no longer a requirement as of October 13, 2006; see below) by law to inform their clients of their policies regarding privacy of client information. CPAs have been and continue to be bound by professional standards of confidentiality that are even more stringent than those required by law.  Therefore, we have always protected your right to privacy.

Types of Nonpublic Personal Information We Collect

We collect nonpublic personal information about you that is provided to us by you or obtained by us with your authorization.

Parties to Whom We Disclose Information

For current and former clients, we do not disclose any nonpublic personal information obtained in the course of our practice except as required or permitted by law.  Permitted disclosures include, for instance, providing information to our employees, and in limited situations, to unrelated third parties who need to know that information to assist us in providing services to you.  In all such situations, we stress the confidential nature of information being shared. 

Protecting the Confidentiality and Security of Current and Former Clients’ Information

We retain records relating to professional services that we provide so that we are better able to assist you with your professional needs and, in some cases, to comply with professional guidelines.  In order to guard your nonpublic personal information, we maintain physical, electronic, and procedural safeguards that comply with our professional standards.

 

*********************

Please call if you have any questions, because your privacy, our professional ethics, and the ability to provide you with quality financial services are very important to us.

 

The State of Connecticut added another layer of disclosure effective October 1, 2008.  This required disclosure is found here: publicly displayed policy.

 


 

FREQUENTLY ASKED QUESTIONS 

1.      I’m a professional CPA and have a duty of client confidentiality that is stricter and carries more sanctions than the Gramm-Leach-Bliley Act.  I am concerned that this notification may confuse my clients because it makes no sense to notify them that I am doing what they always have trusted me to do.  Are you sure I have to do this?

Yes. The Gramm-Leach-Bliley Act places requirements on those who are “significantly engaged” in providing individual clients with tax return preparation and tax and financial planning services, including CPAs. While you are already protecting client confidentiality under Rule 301 of the AICPA Code of Professional Conduct, Gramm-Leach-Bliley also requires you to notify clients of your policies to protect the privacy of their personal financial information, as described in the practice guide.  Although the AICPA will continue working for a regulatory or legislative exemption for CPAs, the current law requires you to comply.

 

2.      Do I have to provide the privacy notification to clients who are minors, such as children of clients for whom I do individual tax returns?

The regulations do not address this issue, and generally minors are protected by Gramm-Leach-Bliley.  However, the FTC has said that minors in a family do not have to receive separate notifications, and this is because the parent engages the CPA and provides the personal financial information for the children, and is thus the customer or client, even if the child is a college student.  In such situations, a single notification to the parent would suffice.

 

3.      Do I have to provide separate notifications to both spouses?

Section 313.7(d) of the regulations states that where there are joint account holders, a single privacy notice can be provided, and this would apply where there is a joint income tax return.  However, where separate personal financial services are provided to each spouse, separate notifications might be required.   

 

4.      I provide services to a trust—do I need to provide a privacy notification to the trustee or the beneficiaries or both? 

This is a difficult issue because a trust can be both an entity and an aggregate from a theoretical standpoint, and the FTC is currently deciding this issue.  The preamble to the regulations exempts trustees from providing notices to beneficiaries, but this is at least partly because trustees are fiduciaries with responsibilities to the beneficiaries, and this provides protection.  Also, Gramm-Leach-Bliley is intended to protect individuals, not trusts, and in most cases, notification to trustees and beneficiaries would not be required.  However, if you are providing tax, investment advisory services, trust accounting, and other financial services to a trust, but these flow through directly to individual beneficiaries through the trust with whom you work closely, you should consider who the real recipient of your services is and whether you should provide notification to beneficiaries until the FTC provides additional guidance.

 

5.      Same question as 4, but with respect to partnerships.

Same answer as 4.  In most situations, partnerships would not receive notification, as they are businesses, not individuals, who are the focus of Gramm-Leach-Bliley.  However, if you are providing financial services through a partnership to individual partners with whom you work closely, you should consider who the real recipient of your services is and whether you should provide notification to partners until the FTC provides additional guidance.

 

6.      Are there any state privacy protection laws that I have to comply with? 

Our practice guide addresses the Federal Gramm-Leach-Bliley Act, and does not address state privacy statutes, regulations, or cases.  If there are additional state requirements for privacy protection, these are best addressed by your state society.  If you are a state-registered investment advisor, for instance, you must also comply with the state requirements for investment advisors.

 

7.      I may be selling or merging my firm in the near future—do I have to notify my clients that I may disclose personal financial information to the new/additional owners and give them an opportunity to opt out of this disclosure?

Section 313.15(a)(6) of the FTC regulations provides an exception to the requirement for client notice and “opt-out” provisions “in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit.”

However, be aware that Section 7216 of the Internal Revenue Code prohibits the unauthorized disclosure of tax return information, and while there are some exceptions for sales and mergers under the Treasury Regulations, the extent of these exceptions is not clear.  Section 301.7216-2(l) and (m) allows the disclosure of a list of tax clients, which would normally be tax return information, in conjunction with a sale or disposition of the practice.  Also, where a practice is transferred in steps, such as where a new owner joins the firm, and then the old owner leaves, Regulations Section 301.7216-2(e)(1) does not require client permission for turning over tax return information.  The IRS is currently revising the Section 7216 regulations, and in the meantime, because of potential criminal sanctions and in the interest of maintaining good client relations, it might be wise to obtain permission from clients before turning over tax returns or return information in a sale or merger.  Also, the AICPA Code of Professional Conduct protects client confidentiality in a merger or acquisition.  Specifically, AICPA Interpretation 301-3 [ET section 301.04] requires that a member take appropriate precautions (for example, through a written confidentiality agreement) so that the prospective new owners do not disclose any information obtained during the course of the review of the member’s practice. Members reviewing the practice in connection with a prospective purchase or merger are also bound by Rule 301 – Confidential Client Information.

After the sale or merger, the new firm must notify clients if the privacy policies will change—see FTC regulations section 313.4(e)(1)(i).

 

8.      In auditing a financial institution, I have been asked by the client to sign a Gramm-Leach-Bliley motivated agreement not to disclose any personal financial information about the institution’s clients that I learn in the audit.  Some information in my records may be disclosed in a peer review.  Do I have to sign such an agreement?

Gramm-Leach-Bliley allows financial institutions to disclose information to auditors without notifying clients or giving them an opportunity to opt out of disclosure.  Similarly, in a peer review CPA firms can disclose, without a client opt-out, information on their personal financial service clients.  Also, peer reviews are to be conducted in a way that protects CPA client confidences, so the public is protected.  However, while Gramm-Leach-Bliley does not require such an agreement, if the client or the client’s attorney requires the CPA to sign a non-disclosure agreement as part of the audit engagement, the CPA should require that the agreement allow disclosure to a peer reviewer to avoid breaching the agreement in fulfilling peer review requirements.

 

9.      Are there agencies other than the FTC who have regulations under Gramm-Leach-Bliley that apply to me?

Other agencies, like Federal banking agencies and the SEC, also have regulatory authority under Gramm-Leach-Bliley.  However, the FTC’s regulations, discussed in our practice guide, apply to the broadest array of financial services, and other agency regulations are consistent with them.  For SEC regulated entities, like federally registered investment advisers, SEC Regulation S-P imposes requirements that are similar to the FTC, and the SEC regulations are available at www.sec.gov/rules/final/34-42974.htm

 

10.  In future years, I can include the disclosure with my engagement letter, but for the mailing on or before July 1, mailing to my 600 clients is going to cost about $400 for postage, printing, and supplies, plus time for my administrative staff to label and stuff envelopes.  Can I put other client communications in the same envelope to try to get some value for this expense?

Your client notification must be “prominent,” but that doesn’t mean that you can’t put other client communications in the same envelope.  With the recent passage of the tax act, you might, for instance, include information about its provisions and suggest that your clients come in for an estate planning update or a planning session on education tax benefits.

 

11.  Where can I get a copy of the Gramm-Leach-Bliley Act and FTC regulations? 

The Act is at http://www.currentlegal.com/LegalNews/uspl1998/106-102.html and the regulations and additional practice guidance are at:  www.ftc.gov/privacy/index.html (then scroll down to the Gramm-Leach-Bliley Act).

 

12.  Do I have to personalize the privacy notification letters to my clients and keep copies of all the letters to prove that I sent them?

You don’t have to send a personalized letter to each client—you can send a standardized “Dear Client” letter or could even include the notice in a client newsletter sent to each individual client.  If you make a good-faith effort and are in substantial compliance, it is extremely unlikely that you will ever have to “prove” that you sent the notices.  However, you should maintain a simple record of the mailing—a copy of the letter and a list of the clients to whom it was sent (or at least a description of the categories of clients to whom it was sent).  A written office procedure indicating that the notice is to be mailed before July 2 of this year, to new clients, and annually after this year to continuing clients would also help show compliance.


 

 



President Signs Bill Exempting CPAs from Requirement

Provision Included in the Financial Services Regulatory Relief Act of 2006

Washington, DC, October 13, 2006—The President today signed a bill that exempts certified public accountants from the Gramm-Leach-Bliley Act’s requirement that CPAs send their clients an annual privacy notice, the American Institute of Certified Public Accountants announced. The exemption is effective immediately.

“This is wonderful news and a win for both CPA practitioners and their clients. The disclosure statements are often confusing to clients and they are expensive and time-consuming for CPAs to prepare,” said Barry C. Melancon, President and CEO of the AICPA. “Since the exemption is effective upon the President’s signature, all those CPAs who are now preparing this year’s privacy notices can stop. They won’t have to send Gramm-Leach-Bliley Act privacy notices out this year. They can instead put that time into serving their clients.”

Melancon said that the AICPA has worked with lawmakers since enactment of the Gramm-Leach-Bliley Act to achieve the change, which was possible because CPAs are certified or licensed by state boards of accountancy and are already subject to state laws and regulations that prohibit disclosure of nonpublic personal information without the expressed consent of the client.

“The Gramm-Leach-Bliley requirement was redundant for CPAs, as well as a regulatory burden,” Melancon said. “We thank Representatives Mark Kennedy (R-MN) and Colin Peterson (D-MN) for taking the lead in the House to correct this inequity. It was their efforts to exempt CPAs that caused the provision initially to be included in the Financial Services Regulatory Relief Act of 2006. We also appreciate the support of Senators Mike Enzi (R-WY) and Debbie Stabenow (D-MI), who championed the exemption in the Senate,” he added.

The House passed the Financial Services Regulatory Relief Act of 2006 on September 27, 2006 by a vote of 417-0. The Senate unanimously passed it on September 30, 2006. The bill also is intended to provide regulatory relief for insured depository institutions.

The American Institute of Certified Public Accountants (www.aicpa.org) is the national, professional association of CPAs, with approximately 330,000 members, including CPAs in business and industry, public practice, government, and education. It sets ethical standards for the profession and U.S. auditing standards for audits of private companies; federal, state and local governments; and non-profit organizations. It also develops and grades the Uniform CPA Examination.

 




Among all other policies disclosed, it is also our privacy protection policy that:

  1. We protect the confidentiality of your Social Security numbers
  2. We prohibit the unlawful disclosure of your Social Security numbers
  3. We limit access to Social Security numbers to our employees and to authorized agents of the government and, if desired by you and with your permission, to bankers, lenders, lawyers, accountants, executors, relatives and other parties to whom you communicate to us that such disclosure be made.

Substitute House Bill No. 5658

Public Act No. 08-167

AN ACT CONCERNING THE CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective October 1, 2008) (a) Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.

(b) Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed. For purposes of this subsection, "publicly displayed" includes, but is not limited to, posting on an Internet web page. Such policy shall: (1) Protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

(c) As used in this section, "personal information" means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

(d) For persons who hold a license, registration or certificate issued by a state agency other than the Department of Consumer Protection, this section shall be enforceable only by such other state agency pursuant to such other state agency's existing statutory and regulatory authority.

(e) Any person or entity that violates the provisions of this section shall be subject to a civil penalty of five hundred dollars for each violation, provided such civil penalty shall not exceed five hundred thousand dollars for any single event. It shall not be a violation of this section if such violation was unintentional.

(f) The provisions of this section shall not apply to any agency or political subdivision of the state.

(g) Any civil penalties received pursuant to this section shall be deposited into the privacy protection guaranty and enforcement account established pursuant to section 19 of substitute senate bill 30 of the current session.

Approved June 10, 2008




Colin M. Cody, CPA, CMA
TraderStatus.com LLC
6004 Main Street
Trumbull, Connecticut 06611-2400

(203) 268-7000


                  MEMBERSHIPS

                
                  Member PCPS                                        
                  The AICPA Alliance for CPA Firms
                  Partnering for CPA Practice Success

                  American Institute of CPAs
                  Connecticut Society of CPAs
                  Institute of Management Accountants

   
     

 



Last updated: October 01, 2008
TraderStatus, TradersTaxPlan, TradersAdvantage, TraderStatus.com, TradersTaxPlan.com, TradersAdvantage.com, DoYourOwnDaytraderTaxes, DoYourOwnTaxes, DoingYourOwnTaxes, DoYourOwnDaytraderTaxes.com, DoYourOwnTaxes.com, DoingYourOwnTaxes.com, DoYourTaxesOnline, DoYourOwnTaxesOnline, DoYourTaxesOnline.com, and DoYourOwnTaxesOnline.com are trademarks and service marks of Colin M. Cody, CPA and TraderStatus.com, LLC, Trumbull Connecticut