If your business handles client financial information, tax data, Social Security numbers, bank account details, or health information, you have legal and ethical obligations to protect that data. A breach — whether from a cyberattack, a stolen laptop, or a misdirected email — can expose your clients to identity theft, trigger regulatory penalties, and permanently damage your professional reputation.
FJ & Associates, PLLC advises Utah professional service firms and small businesses on client data security — the policies, tools, and practices that protect sensitive client information and demonstrate the stewardship that clients expect from firms they trust with their financial lives.
Questions about protecting your clients’ data? Call (801) 927-1337 or email admin@cpaone.net.
The IRS Written Information Security Plan (WISP) Requirement
For tax preparers and accounting firms, the IRS requires a Written Information Security Plan (WISP). This is not optional guidance — it is a federal requirement under the Gramm-Leach-Bliley Act (GLBA), which applies to tax preparers as “financial institutions” under FTC interpretation.
Your WISP must address:
- How you identify and assess risks to client information
- The safeguards you use to protect client data
- How you select and oversee service providers who handle client data
- How you will respond to a data breach
The IRS provides a template WISP for small tax and accounting firms that can be customized to your practice. We recommend reviewing and adopting this template as a baseline, then building the actual security practices that make it real.
The Most Common Client Data Security Failures
Sending Sensitive Documents via Unsecured Email
Standard email is not reliably encrypted end to end. Sending a tax return, W-2, Social Security number, or bank account details via unencrypted email is a data security risk — if that email is intercepted, or either mailbox is compromised, the data is exposed. Secure file sharing portals (TaxDome, ShareFile, Canopy) encrypt documents in transit and at rest. We use secure portals for all client document exchange.
No Access Controls on Shared Drives
Businesses that store client documents in a shared Google Drive or Dropbox folder without access restrictions are allowing all employees to see all client data — including clients whose accounts those employees don’t work on. Access should be restricted by role and by client relationship.
No Multi-Factor Authentication on Email
Your email account contains more sensitive information than almost any other system. An attacker who accesses your email can reset passwords for every other system linked to that email address. MFA on your business email is not optional — it is the single most impactful security control you can implement.
Retaining Data Longer Than Necessary
Data that no longer serves a business purpose is unnecessary risk. Every additional year of retained client data is additional exposure if a breach occurs. Establish a data retention policy that specifies how long each type of record is kept and how it is destroyed when the retention period expires.
No Employee Offboarding Process
When an employee leaves, their access to all client data systems — email, cloud storage, accounting software, CRM, payroll — must be revoked immediately. Many small businesses have former employees with active credentials to sensitive systems months after departure.
Essential Client Data Security Controls
Secure File Transfer
Replace email attachments with a client portal for all document exchange. TaxDome, ShareFile, and Liscio are popular options for accounting and tax firms. Clients upload documents through a secure web portal; you access them through the same portal — no email attachment, no risk of misdirected sensitive documents.
Access Controls and Least Privilege
Each employee should have access only to the data they need to do their job — no more. Implement role-based access controls in every system that holds client data: accounting software, document storage, payroll, CRM. Review access permissions quarterly.
Multi-Factor Authentication
Require MFA for all systems that hold client data: email, accounting software, document storage, payroll. This is the single highest-ROI security control for preventing unauthorized access.
Device Security
All devices used to access client data — laptops, phones, tablets — should have:
- Full-disk encryption (FileVault on Mac, BitLocker on Windows)
- Screen lock with a PIN or password
- Remote wipe capability (find-my-device enabled)
- Current operating system and software updates
A lost or stolen laptop with full-disk encryption, locked with a strong password, is not a data breach. A lost or stolen laptop without encryption is.
Data Retention and Destruction Policy
Define retention periods for each data type. Tax returns: 7 years. Payroll records: 4 years minimum (IRS), 7 years recommended. Client correspondence: 3–5 years. When the retention period expires, data must be destroyed securely — not just deleted but overwritten (digital) or shredded (paper).
Utah Data Breach Notification Requirements
Utah Code § 13-44 (Protection of Personal Information) requires businesses to notify Utah residents of security breaches involving their personal information. Key requirements:
- Notification must be made “in the most expedient time possible” — generally interpreted as within 30 days
- Notification must go to the Utah Attorney General if more than 500 Utah residents are affected
- “Personal information” includes SSN, driver’s license number, financial account numbers, and medical data
A breach notification requirement applies regardless of whether actual harm occurred — if personal information was exposed, notification is required. Having an incident response plan — who to call, what to document, how to notify — before a breach occurs is essential.
How FJ & Associates Protects Your Data
When you share financial information with FJ & Associates, your data is protected through:
- Secure client portal for all document exchange (no unencrypted email attachments)
- Role-based access controls — only team members working on your account access your information
- Encrypted cloud storage for all client documents
- MFA required for all staff on all systems holding client data
- A firm-level WISP that is reviewed and updated annually
We treat your financial information with the same care we expect for our own — and we advise clients on building equivalent protections for their own customers’ data.
Protect Your Clients’ Trust — and Your Professional Reputation
Client data security is not just a compliance obligation — it is a professional responsibility. The clients who trust you with their financial information deserve to know that information is protected.
Call (801) 927-1337 | Email admin@cpaone.net | 612 N Kays Dr Suite 120, Kaysville, UT 84037
About the Author: Missy Dennis, CPA | Partner | FJ & Associates, PLLC | Kaysville, Utah
Missy holds a Master of Accounting degree from the University of Utah and is a licensed Certified Public Accountant. She is committed to providing clear, accurate, and actionable guidance so clients can navigate complex financial decisions with confidence. With more than twenty years of public accounting experience, Missy Dennis specializes in: Tax preparation and tax advisory; Bookkeeping strategy alignment; Estate and trust taxation; Audit and consulting services; Low-income housing tax credits; Non-profit accounting; Small- and mid-sized business advisory.
