June 2001
New Privacy Rules Apply to CPAs
July 1 Deadline for Compliance
By Ric Rosario, CPA
REDWOOD CITY, CALIF.—Congress has approved the Gramm-Leach-Bliley Privacy Act, which,
among many other things, requires financial planners and tax preparers to notify
clients of policies regarding the privacy of nonpublic personal information.
Nonpublic personal information is personally identifiable financial information
that is:
provided by the client;
developed from the engagement; and
obtained by the accountant.

The federal regulations (Title 16 of
the Code of Federal Regulations, Section 313 et seq.) became effective Nov. 13,
2000. If a privacy notice is required, the initial privacy notice needs to be
provided no later than July 1, 2001, to clients covered under the act. Although
most CPAs are subject to state controls that are substantially more stringent
than federal controls over client information, compliance with the federal act
and its performance procedure is still required.

These provisions apply directly
to consumers (in other words, individual clients). Businesses are not covered
by the act, which defines consumers as clients who receive any financial products
or services to be used primarily for personal, family, or household purposes.
If the CPA has clients who are covered under the act, he or she is required
to provide them with an initial privacy notice that is written and presented clearly
and conspicuously (no later than July 1, 2001). The notice can be presented or
mailed to the client, and CPAs must provide an initial notice to the client prior
to or at the time the relationship starts.

Annual vs. Initial Notice
The act requires the firm to provide the privacy notice to clients on at least
an annual basis. The annual notice can either stand alone or be part of the annual
engagement letter. The required initial notice can also serve as the first annual
notice. This will probably not be practical for CPAs with tax clients, though,
because the next annual notice is required 12 months from the first annual notice—outside
the normal business cycle for tax clients.

Thus, the first annual notice (different
from the initial notice) should go out with the tax organizers and engagement
letters in December and January. This will put all tax clients on a calendar year
cycle, which is more typical for tax practitioners.

Depending upon how a firm handles clients’ nonpublic personal information, a CPA
will fall into one of three general areas, which will dictate what is required in
the privacy notices (see sample notices):
a) The CPA provides no personal client information to outside parties.
b) The CPA provides personal client information to an affiliate.
c) The CPA provides personal client information to a nonaffiliate.

Most CPAs fall into the area of not sharing any client information with outside parties.
If this is the case, the privacy notice has some minimal requirements to be included.
If a CPA shares personal client information with an affiliate or nonaffiliate,
there are broader requirements on what needs to be in the privacy notice.

An affiliate is a company under the control (the power to exercise a controlling
influence over the management or policies) of another company. If a separate company
is set up to perform financial planning services, for instance, this would likely
be an affiliate.

Both the initial notice and the annual notice have to include
certain information, depending on how the CPA handles personal client information:
categories of nonpublic personal client information collected;
categories of nonpublic personal client information disclosed;
categories of parties to whom the firm provides information;
the firm’s policies and practices to protect the confidentiality and security of client information;
an explanation of the consumer’s right to prevent the CPA from disclosing information to nonaffiliate third parties; and
disclosures of all information that is permitted by law.

If a firm does intend to share nonpublic personal information with a nonaffiliate,
the act allows the client to opt out, meaning the client can refuse to allow the
sharing of his or her personal information. For CPAs, this is not an issue, since
normally client permission is necessary before confidential information can be
released to any third party (Internal Revenue Code sections 6713, 7216, Regs.
Sec. 301.7216). Various state laws also require disclosure and consent.

There are a number of exceptions to the privacy notice and opt-out requirements. For
CPAs in a general practice, most do not apply. However, the exception that could
apply is “any disclosure to outside parties that is necessary to effect, administer,
or enforce a transaction requested or authorized by the client.” If a CPA needs
to enforce the right to collect a fee on an engagement authorized by the client,
the CPA could disclose information necessary for a collection agency without a
privacy notice and an opt out.

If business is conducted electronically, there is direction on how to post a notice on a website.

The new privacy regulations can get complicated, and this advisory is intended to give a brief summary. If
further research is needed or questions remain, there is a good source on the Internet at
greatland.com/privacy/. The site also sells related products.

The AICPA intends
to seek administrative relief for CPAs. The answer to the request for relief will
not likely be available before the July deadline. AICPA members can call an updated
telephone line at (202) 434-9216 to follow new developments on this privacy provision.

Camico understands that CPAs have always maintained the highest standards
on client confidentiality. At the same time, compliance with these new requirements
is necessary.

Camico policyholders will receive a decision chart and sample
privacy notices that can be used immediately. If elements of the new regulations
need to be reviewed, or changes to the notice are necessary and in need of review,
please contact Camico’s advisory services hotline at (800) 652-1772. To receive
a sample privacy notice, please contact the Camico sales department at (800) 652-1772,
ext. 22.

Ric Rosario is vice president of loss prevention services with Camico.