When we talk about any "increase" we have to say compared to what. In this case the CPA has to assess the data security for on-shore operations before he can assess the increased risk posed by offshoring.

What is the typical level of data security in a small business or a CPA office?        

Since there are few staff members, there is little separation of duties. Such lack of separation encourages internal security problems.




The data resides in paper files. Paper files are vulnerable to fire and water damage.




The office is not physically secure. Staff members, leasing office personnel, and janitors have keys to the office. Any of them can copy confidential data.




Paper records are not shredded before being discarded.




The computers have no protection from unauthorized users or have relatively weak password control. Often the password is taped to the workstation.




Any email communication is done in the clear.




Workstations have recording devices which makes it easy to copy data.




Usually all workstations have email and internet access. It makes unauthorized transmission of data easy.

 

Let us look at how these factors change when accounting is sent offshore.

Internal control improves because the people who are authorizing the transactions are separated from the people doing the record-keeping.




All files are maintained electronically. Such data is backed up to an off-premises secure server. So threats from fire, water, and copying are significantly reduced.




Offshore contractors restrict physical access to keep unauthorized people out.




Workstations have access to only the data that is processed on that workstation.




Email communications are encrypted.




All recording devices on the workstations are disabled.




Only supervisors have access to email and internet.

 

We believe that best security practices can be installed when the client, the CPA, and the offshore contractor work together.

The first line of responsibility lies with the client. The Better Business Bureau has an excellent pamphlet on how to protect data theft. http://www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf As the pamphlet points out technical solutions are not enough. They must be combined with good practices in everyday management of the company. 

The CPA should advise the client to implement the common sense measures advocated in this pamphlet.

The offshore contractor must apply the same real world as well as technical solutions to security. The offshore contractor must consider the sensitivity of the data being entrusted to them and take appropriate measures to safeguard the information. A responsible contractor would only accept data than is essential to  the task.

Let us now look at whether popular offshore destinations like India are more vulnerable to data theft. According to a March 2007 Symantec report entitled "Symantec Internet Security Threat Report Trends for July- December 2006", US was the country with highest level of malicious activity. China was next and India did not make it into the top ten. http://eval.symantec.com/...tepaper_internet_security_threat_report_xi_keyfindings_03_2007.en-us.pdf

Another common sense conclusion one can draw is that the thieves concentrate on high value targets. You can look at the data compiled by the Privacy Rights Clearinghouse. http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP. During 2005, 2006, through June 20, 2007 they reported 155 million records having been compromised. Out of that less than 1000 records were compromised in attacks that netted 100 records or less. Thus records from an offshore contractor serving small businesses are less likely to be a target of identity thieves.

The CPA needs to assess the sensitivity of the data and put a value on it. The CPA can have the contractor include a liquidated damages clause if the said data is compromised.  If the contractor is not willing to agree to a reasonable liquidated damage figure, find another contractor.

Data security is a complex issue. However, we can enunciate certain principles that can be applied by a small business:

Collect the least amount of data needed to serve the customer.




Since a large proportion of data theft involves the employees, screen them carefully.




In addition, the employees need to be trained to recognize various strategies used by criminals to facilitate data theft.




Take security measures in the office; for example use a locked mailbox, lock the office when it is empty even for a short period of time, shred any paper records before disposal, reformat hard drives before donating, selling, or returning a computer etc.




Take common sense precautions against cyber attacks. Encrypt the sensitive data, use firewalls, and keep your internet security software updated.




Comply with any specific security standards that are applicable to your business. For instance credit card information needs to be secured to a specific standard.

 

Providing security costs time and money. In a competitive world no business can spend more on security than what the market would pay for. Ultimately security is determined by the customers' willingness to pay. 

While more money can buy more security, one must remember that no security is absolute. Just think about how many times classified information has been stolen from the US government.

Eventually there will be a security breach. How do you deal with such a breach? It seems that the best approach is to inform the individuals or businesses whose data have been compromised, notify the law enforcement authorities, and support the affected parties to monitor their credit reports.

Security is a multi-faceted problem. The key to success is co-operation between the client, the CPA, and the offshore contractor. No one party can be effective without the others.