The American Institute of CPAs and the Canadian Institute of Chartered Accountants have updated the privacy principles that accountants can recommend to clients with more measures to fight identity theft.
The two groups' Generally Accepted Privacy Principles date back to 2003 and were last updated in 2006. In response to a series of high-profile security breaches in both countries and the growing incidence of identity theft, the two accounting organizations have expanded the principles to include new protocols for securing personal information. The AICPA and the CICA collaborated on the principles with the Institute of Internal Auditors and the Information Systems Audit and Control Association.
"This has been a document that the task force has been working on for several years," said Nancy Cohen, the AICPA's senior technical manager in specialized communities. "Since 2006, we saw that identity theft resulted in a considerable number of lawsuits, and we looked at the document to see if things needed updating as the technology has changed."
The document still contains 10 principles, but now has 73 criteria. They provide a set of best practices that CPAs and CAs can help their clients to implement through advisory services, privacy risk assessments, attestations and audits.
The AICPA recently sued the Federal Trade Commission to exempt CPAs from the so-called Red Flag Rule on identity theft (see
"The FTC rule was trying to reduce the damage to the victims of identity theft, but not helping an organization to have good privacy practices," she said.
The principles are available in two versions: one for business management, and one for CPAs and CAs in public practice who provide consulting and attestation/audit services. Copies of the principles, along with additional privacy resources, are available at