Client Data Security for Utah Small Businesses and Professional Service Firms

June 22, 2026 By Missy Dennis

If your business handles client financial information, tax data, Social Security numbers, bank account details, or health information, you have legal and ethical obligations to protect that data. A breach — whether from a cyberattack, a stolen laptop, or a misdirected email — can expose your clients to identity theft, trigger regulatory penalties, and permanently damage your professional reputation.

FJ & Associates, PLLC advises Utah professional service firms and small businesses on client data security — the policies, tools, and practices that protect sensitive client information and demonstrate the stewardship that clients expect from firms they trust with their financial lives.

Questions about protecting your clients’ data? Call (801) 927-1337 or email admin@cpaone.net.

The IRS Written Information Security Plan (WISP) Requirement

For tax preparers and accounting firms, the IRS requires a Written Information Security Plan (WISP). This is not optional guidance — it is a federal requirement under the Gramm-Leach-Bliley Act (GLBA), which applies to tax preparers as “financial institutions” under FTC interpretation.

Your WISP must address:

  • How you identify and assess risks to client information
  • The safeguards you use to protect client data
  • How you select and oversee service providers who handle client data
  • How you will respond to a data breach

The IRS provides a template WISP for small tax and accounting firms that can be customized to your practice. We recommend reviewing and adopting this template as a baseline, then building the actual security practices that make it real.

The Most Common Client Data Security Failures

Sending Sensitive Documents via Unsecured Email

Standard email is not encrypted in transit. Sending a tax return, W-2, Social Security number, or bank account detail via unencrypted email is a data security risk — if that email is intercepted, the data is exposed. Secure file sharing portals (TaxDome, ShareFile, Canopy) encrypt documents in transit and at rest. We use secure portals for all client document exchange.

No Access Controls on Shared Drives

Businesses that store client documents in a shared Google Drive or Dropbox folder without access restrictions are allowing all employees to see all client data — including clients whose accounts those employees don’t work on. Access should be restricted by role and by client relationship.

No Multi-Factor Authentication on Email

Your email account contains more sensitive information than almost any other system. An attacker who accesses your email can reset passwords for every other system linked to that email address. MFA on your business email is not optional — it is the single most impactful security control you can implement.

Retaining Data Longer Than Necessary

Data that no longer serves a business purpose is unnecessary risk. Every additional year of retained client data is additional exposure if a breach occurs. Establish a data retention policy that specifies how long each type of record is kept and how it is destroyed when the retention period expires.

No Employee Offboarding Process

When an employee leaves, their access to all client data systems — email, cloud storage, accounting software, CRM, payroll — must be revoked immediately. Many small businesses have former employees with active credentials to sensitive systems months after departure.

Essential Client Data Security Controls

Secure File Transfer

Replace email attachments with a client portal for all document exchange. TaxDome, ShareFile, and Liscio are popular options for accounting and tax firms. Clients upload documents through a secure web portal; you access them through the same portal — no email attachment, no risk of misdirected sensitive documents.

Access Controls and Least Privilege

Each employee should have access only to the data they need to do their job — no more. Implement role-based access controls in every system that holds client data: accounting software, document storage, payroll, CRM. Review access permissions quarterly.
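The quarterly access review described here, together with the offboarding gap described earlier, can be run as a reconciliation of each system's account export against the staff roster. The following is an added example, not part of the original article or any firm's tooling; the roster, account list, system names, and the review_access function are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from any real firm).
# Staff roster: user -> (status, departure date or None, assigned clients)
ROSTER = {
    "avery": ("active", None, {"client-a", "client-b"}),
    "blake": ("active", None, {"client-c"}),
    "casey": ("departed", date(2026, 3, 14), set()),
}

# Account exports per system: (system, user, enabled, clients reachable)
ACCOUNTS = [
    ("email", "avery", True, set()),
    ("document-storage", "avery", True, {"client-a", "client-b"}),
    ("document-storage", "blake", True, {"client-a", "client-c"}),
    ("payroll", "casey", True, {"client-b"}),
    ("email", "casey", False, set()),
    ("accounting", "drew", True, {"client-c"}),
]

def review_access(roster, accounts, today):
    """Return sorted findings as (severity, system, user, detail)."""
    findings = []
    for system, user, enabled, clients in accounts:
        if not enabled:
            continue  # a disabled account cannot be used to reach data
        entry = roster.get(user)
        if entry is None:
            # Account with no owner on the roster: orphaned or shared login
            findings.append(("high", system, user, "no matching staff record"))
            continue
        status, left_on, assigned = entry
        if status != "active":
            # Offboarding failure: credentials still live after departure
            age = f"{(today - left_on).days} days" if left_on else "unknown time"
            findings.append(("high", system, user, f"active {age} after departure"))
            continue
        # Least privilege: reachable clients beyond the assigned ones
        extra = sorted(clients - assigned)
        if extra:
            detail = "unassigned clients: " + ", ".join(extra)
            findings.append(("medium", system, user, detail))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_access(ROSTER, ACCOUNTS, date(2026, 6, 22)):
        print(*finding, sep=" | ")
```

In practice the two inputs would come from the HR or payroll roster and from each system's user export, with every finding closed out or justified in writing at each quarterly review.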

Multi-Factor Authentication

Require MFA for all systems that hold client data: email, accounting software, document storage, payroll. This is the single highest-ROI security control for preventing unauthorized access.

Device Security

All devices used to access client data — laptops, phones, tablets — should have:

  • Full-disk encryption (FileVault on Mac, BitLocker on Windows)
  • Screen lock with a PIN or password
  • Remote wipe capability (find-my-device enabled)
  • Current operating system and software updates

A lost or stolen laptop with full-disk encryption is not a data breach. A lost or stolen laptop without encryption is.

Data Retention and Destruction Policy

Define retention periods for each data type. Tax returns: 7 years. Payroll records: 4 years minimum (IRS), 7 years recommended. Client correspondence: 3–5 years. When the retention period expires, data must be destroyed securely — not just deleted, but overwritten (digital) or shredded (paper).

Utah Data Breach Notification Requirements

Utah Code § 13-44 (Protection of Personal Information) requires businesses to notify Utah residents of security breaches involving their personal information. Key requirements:

  • Notification must be made “in the most expedient time possible” — generally interpreted as within 30 days
  • Notification must go to the Utah Attorney General if more than 500 Utah residents are affected
  • “Personal information” includes SSN, driver’s license number, financial account numbers, and medical data

A breach notification requirement applies regardless of whether actual harm occurred — if personal information was exposed, notification is required. Having an incident response plan — who to call, what to document, how to notify — before a breach occurs is essential.

How FJ & Associates Protects Your Data

When you share financial information with FJ & Associates, your data is protected through:

  • Secure client portal for all document exchange (no unencrypted email attachments)
  • Role-based access controls — only team members working on your account access your information
  • Encrypted cloud storage for all client documents
  • MFA required for all staff on all systems holding client data
  • A firm-level WISP that is reviewed and updated annually

We treat your financial information with the same care we expect for our own — and we advise clients on building equivalent protections for their own customers’ data.

Protect Your Clients’ Trust — and Your Professional Reputation

Client data security is not just a compliance obligation — it is a professional responsibility. The clients who trust you with their financial information deserve to know that information is protected.

Call (801) 927-1337 | Email admin@cpaone.net | 612 N Kays Dr Suite 120, Kaysville, UT 84037


About the Author: Missy Dennis, CPA | Partner | FJ & Associates, PLLC | Kaysville, Utah

Missy holds a Master of Accounting degree from the University of Utah and is a licensed Certified Public Accountant. She is committed to providing clear, accurate, and actionable guidance so clients can navigate complex financial decisions with confidence. With more than twenty years of public accounting experience, Missy Dennis specializes in: Tax preparation and tax advisory; Bookkeeping strategy alignment; Estate and trust taxation; Audit and consulting services; Low-income housing tax credits; Non-profit accounting; Small- and mid-sized business advisory.
