


New Rules for Accountants Placing Data at Risk?

Jun 30, 2009
Data and Information Security

Most businesses that handle highly sensitive information are now sensitized to ensuring that their vendor and business partner agreements contain appropriate protections for confidentiality and security. In particular, given the lax privacy, security, and other laws in many jurisdictions abroad, businesses generally include contractual prohibitions on sending their most sensitive data outside the United States without their prior written authorization. This ensures they know where their data is at all times and, if appropriate, can conduct additional due diligence regarding the facilities and countries to which the data may be sent.

In recognition of the foregoing, some state Boards of Accountancy have issued new regulations making clear to accountants that they must obtain their customer’s prior authorization before transmitting customer information outside the United States. For example, the California Board of Accountancy’s regulation at California Code of Regulations, Title 16, Section 54.1, provides as follows: “In the event that confidential client information may be disclosed to persons or entities outside the United States of America in connection with the services provided, the licensee shall inform the client in writing and obtain the client’s written permission for the disclosure.”

One would think this is a good thing.  In fact, some accounting firms are using this new “protection” to grant themselves unbridled rights to send customer data anywhere they choose – even without the express written permission contemplated by the regulations.  These firms have turned the new regulation on its head by dropping form language into every single service description, statement of work, and other similar document requiring the customer to acknowledge that the accountant has affiliates and contractors in other countries and that the customer agrees its highly sensitive information may be sent to any or all of those countries, in the accountant’s sole discretion.

The foregoing approach undermines the entire idea of the new regulations. Customers must understand exactly where their data will reside and have the opportunity to conduct whatever additional due diligence is necessary to either (i) become comfortable with where their data will be used or (ii) reject the request to use the offshore affiliate and/or contractor.

Businesses must be aware of these changing regulations and ensure that requests by accountants for broad, unchecked rights to offshore data are rejected. Businesses should continue to control the destiny of their data.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
