How do you handle client billing data security?

Started by Janet H. — 2 years ago — 4 views
A corporate client in Richmond just sent me their engagement agreement and it has a whole section on data security requirements. They want to know how I store their billing data, whether it's encrypted, who has access, and what happens to it when the engagement ends. I've never had a client ask this before — my smaller clients just email me their bills and don't think twice about it. But this company has a compliance department and they're serious. What are best practices here? I don't have any formal data security policy.
This is becoming more common, especially with larger corporate clients and anything in healthcare or finance. Here's what I do: all client billing data is stored on an encrypted external drive, not on my regular computer hard drive. I use BitLocker encryption, which is built into Windows. I have a written data retention policy that says I keep billing data for 7 years after engagement completion and then securely destroy it. My engagement agreement includes a confidentiality clause. It's not rocket science, but having it written down and documented makes compliance departments happy.
I went through this with a hospital system in Cincinnati. They required that all their billing data be stored in a HIPAA-compliant manner. Utility bills aren't technically PHI but the hospital's security policy applied to all third-party consultants regardless. I ended up getting a secure cloud storage account with encryption at rest and in transit, enabled two-factor authentication on everything, and wrote a one-page data handling policy. Cost me about $15/month for the storage and a few hours to write the policy. The hospital's compliance officer approved it and now I use that same setup for all my clients.
Janet raises an important question that every auditor should think about even if their current clients aren't asking. Your client's utility bills contain account numbers, service addresses, usage patterns, and payment amounts. That's sensitive business information. At minimum you should have: (1) encrypted storage for all client data, (2) a written confidentiality clause in your engagement agreement, (3) a data retention and destruction policy, and (4) password protection on any spreadsheets or workpapers that contain client data. If you're emailing bills back and forth, use encrypted email or a secure file sharing service rather than plain email attachments. This is about professionalism as much as compliance.
Took the advice from this thread and put together a one-page data security policy. Client's compliance team reviewed it and approved with one minor change. They also appreciated that I was willing to work with them on it rather than pushing back. Engagement is moving forward. Lesson learned — having a basic data security policy ready before a corporate client asks for one is much better than scrambling to create one on the spot.