Privacy Concerns Add to Outsourcing Issue

Privacy Concerns Add to Outsourcing Issue
CPAs Must Ensure Security of Data

New York— Sole practitioner Judith Penney is hawkish on protecting her clients’ private information, as all CPAs tend to be.

But last year, she discovered almost incidentally that her tax services provider had begun to use a technical support contractor overseas, and she started to lose sleep over it.

“About three months ago, I picked up the phone with a question, and as I started talking to them (her tax services provider), I became curious,” Penney said. “I said, ‘Where are you?’ and they said they were in India, and I was a little nervous. As tax season got closer…I started getting up in the middle of the night thinking about privacy.”

Apparently, other practitioners found the company’s outsourcing practices troublesome, too. Penney said that enough of them complained that the company decided to bring its technical support back to the United States.

Privacy stands out among concerns raised by practitioners regarding outsourcing financial services to contractors in other countries. With a clear professional obligation to their clients, Penney and other CPAs have grown alarmed by the knowledge that using a third-party tax provider could put their clients’ information at risk. They worry about transferring sensitive information to countries without adequate safeguards and enforcement against fraud or identity theft.

“This is dangerous and scary,” Penney said.

Some practitioners over the last few months have raised the privacy issue as an objection to outsourcing tax services overseas. This has come up amid a general interest in outsourcing that prompted the New York State Society of CPAs’ Tax Division Oversight Committee (TDOC) to form an outsourcing task force, led by Alan Frankel.

Frankel has presented the TDOC with a report outlining current issues, resulting in plans for an article to be printed by early summer in The CPA Journal.

According to Frankel’s report, which features interviews with practitioners, other concerns include worries over the quality of service, the limitations of outsourcing to only simple returns (at least for the time being), additional review time by CPAs at home, and a public relations problem for CPAs who may be deemed unpatriotic as they ship staff jobs overseas.

Others have seen advantages, including decreased input time, reduced fees for other comparable tax services, expanded capacity for U.S. firms, less of a need for extra staff at peak times, a more conducive atmosphere for firms to transition to the “paperless” office, and the possibility that as more firms turn to outsourcing, the competition will force prices down even more.

Privacy: CPAs’ Responsibilities

Privacy concerns have raised questions about what CPAs can do to ensure that, if they do outsource overseas, they are protecting their client’s information. While CPAs have a clear responsibility to their clients, the liabilities of outsourcing overseas have not been fully explored publicly.

“This is so new that it hasn’t been addressed yet,” NYSSCPA President-Elect John Kearney said. Questions arose during the Society officer visits last fall about the CPA’s liability that could accompany outsourcing, he said. “That’s a question that needs to be asked.”

Ric Rosario, vice president of risk management services with Camico Mutual Insurance Co., the Society-endorsed professional liability insurance carrier, compares the current concerns over outsourcing overseas to the same concerns of the early 1980s when firms began to send tax work out to services within the United States.

“Outsourcing itself is an old issue,” Rosario said. “It’s reemerged now because CPAs are sending information to foreign countries and because identity theft is more prevalent. But when CPAs did it in the 1980s there was basically the same concern: how to protect information. It’s the same issue as 25 years ago.”

Rosario pointed to the American Institute of CPAs’ guidelines, such as ET Section 391—Ethics Rulings on Responsibilities to Clients in the Code of Professional Conduct, which allow for outsourcing tax services, but charge CPAs “to take all necessary precautions” that its use does not release confidential information.

(The NYSSCPA Code of Conduct Rule 301 similarly states that members can’t disclose client information without specific consent by the client, with some caveats in regard to investigations, subpoenas and professional peer review.)

Penney, the practitioner who started losing sleep last year when she discovered her firm was outsourcing to India, said she is skeptical about privacy standards and security in India.

“It boils down to: I don’t release my client’s private information unless I’ve got a court order. There are other exceptions, like when selling a business or for peer review,” Penney said. “But as a small practitioner, those aren’t the issues I’m worried about.”

Penney covered her bases as much as she could: she had individual clients sign a privacy waiver with a statement that made them aware that she was using an outsourcer. After she discovered the outsourcing to a foreign country that she couldn’t trust herself, she refused to send any more client information until the company brought the outsourcing service back to the U.S.

Rosario said that was more than enough; CPAs don’t have to disclose to clients that they’re sending information anywhere because the law permits sending information to outside parties as part of “the transaction” with the client.

“You have the responsibility of due diligence, proper controls and to monitor that over time, but there isn’t anything that says to tell your client that you’re outsourcing,” he said.

But liability is a risk if the CPA doesn’t monitor how a client’s information is being used, and he recommends practitioners have a dialogue with tax service providers about transmission, controls and the security the outsourcer provides.

“The CPA has an obligation to inquire about those,” he said. “If someone is damaged, and it’s determined the CPA didn’t take adequate steps for security and monitoring, that’s a new liability. To couple with that the possibility that the CPA never told the client, there’s a real liability then.”

For an article on AICPA outsourcing guidance, visit www.aicpa.org on the Internet.