February 2013

In order to reach 100% participation among states in the ALD, we know that we need to address your main concern… come on…. It’s the elephant in the room…. Security of data. NASBA is dedicating this three-part series to tackling the tough questions about data security. The first part of this series was featured in the November 2012 ALD Newsletter. In this second part, we cover web security, user accessibility, linking records and more!

Some of the data that you contribute to the ALD and CPAverify can be sensitive in nature and we have taken all necessary precautions to safeguard it.

The ALD web server is a SSL-based, password-protected database intended for Accountancy board staff only. NASBA staff are the only ones able to create user accounts. Established password and log in protocols help promote tighter security.

Access to ALD is available for Board of Accountancy Executive Directors, as well as any board staff approved by the Executive Director. Request for access can be directed to the ALD Manager.

Because every authorized user has access to data provided by each board participating in ALD, every user is required to sign a Security Agreement before accessing ALD the first time. This security agreement covers being a responsible user of the database and prohibits the sharing of usernames and passwords.

Conversely, anyone can use CPAverify, the public version of the ALD…

A completely free service to the public, the CPAverify website gives visitors the ability to search through thousands of CPA records without even having to register!

How does this work?

Well, the information in CPAverify is fed from the ALD system, but with tighter controls. The amount of information available to the public in CPAverify is very limited compared to the vast amount of data available to boards in ALD. Generally, only basic information is shown. Those fields include: state of licensure, licensee or firm name, city and state, license number, status, type of license, issue date, expiration date and an indicator of any possible disciplinary history. In terms of disciplinary history, we always encourage users to contact the Board of Accountancy directly to get the full details about an action that shows up in a licensee’s history.

When a CPA is licensed in more than one state, several accountancy board records show up in CPAverify for that person. You may be wondering, “How do you know if John Smith licensed in New York is the same John Smith licensed in Texas?” Let’s discuss how we link these records…

Individual accountancy board licensee records are linked to other accountancy board licensee records by a unique identifier, which is created combining the last 4 digits of a licensee’s social security number with their date of birth. If accountancy boards do not send this data, then records can’t be linked and the true power of the national database is lost. Therefore, it is important for accountancy boards to provide this data.

To help ensure that this data is secure, a hashing algorithm is applied to transform the data into a code that no longer resembles the original data points. This means that the original data (the last 4 digits of a licensee’s social security number with their date of birth) never leaves the Board of Accountancy’s system, only the hashed data is transferred.

Even with the power of modern computers, cracking this “code” is extraordinarily difficult. Much of the corporate world relies on this method to ensure that their data is secure.

We take security of data extremely seriously and hope that what we’ve outlined here makes that clear. Stay tuned for more details about ALD and CPAverify security in the next article in this series in May’s ALD Newsletter. If you have any questions, we’re happy to answer them. Call or email Elizabeth at 615-564-2143 or [email protected].