Data Security for Tax and Accounting: 5-Step Plan to Securing Client Data
Clients trust your tax or accounting firm with sensitive personal data, and you need that data to do your job. It includes:
- Social Security numbers
- Financial information
- Addresses, phone numbers, and other personal details
Creating a strong data security plan helps protect your firm’s reputation, builds client trust, and keeps sensitive information safe — a true win-win. However, developing an effective plan requires time, careful analysis, and a clear understanding of today’s cyber threats.
For US tax professionals, a formal Written Information Security Plan (WISP) is not optional. The FTC Safeguards Rule requires paid tax return preparers to implement and maintain one, and as of 2025–2026 the IRS asks preparers to confirm they have a data security plan when they obtain or renew a PTIN. Going without a plan not only raises your risk of a data breach but can also bring heavy fines, PTIN suspension, and other regulatory penalties.
Prioritizing the protection of the right data, systems, protocols, and access can go a long way in keeping your clients’ information secure.
Why Is Data Security Important Now More Than Ever?
By one widely cited estimate, ransomware hits a business somewhere in the world every 11 seconds, and the overall frequency of cyberattacks keeps climbing. Web-based attacks are among the most common entry points, and IBM's latest Cost of a Data Breach Report puts the global average cost of a breach at $4.44 million.
Rapid change in technology widens the attack surface.
Firms now depend on many third-party services to keep operating, and every cloud component, whether a database, a full server, or simply an off-site backup of internal systems, adds credentials, configuration, and copies of data that can be exposed.
Proper hardening of systems prevents many attacks, but with roughly 95% of incidents traced back to human error, you must look beyond basic cybersecurity and protect your data at every point where people touch it.
Multiple Points of Potential Data Security Risks in Tax and Accounting Firms
As an accounting firm grows, protecting your own systems is no longer enough: you need protocols that keep data safe even when it is shared with others.
A firm has several points in its operations where data leaves the core team and is exposed to new risk, including:
Temporary Staff Hiring
Temporary staff are a weak point for many firms. When you hire for the busy season, there is little time to train new people on all of your policies and protocols.
Internal procedures and access controls can limit what a seasonal hire is able to reach from the inside.
TaxDome allows for firms to:
- Grant limited access to accounts
- Decide stages of access for temporary team members
- Automatically grant access to client data to a specific employee when a task needs to be completed
- Revoke access when an employee completes a task
Hiring Outsourced Staff
Outsourced staff are harder to restrict than internal hires because you do not control their devices or working environment. Inventory exactly what you share with them, grant access only for the engagement, and where the work allows it, limit them to the prior year's information rather than the full client history.
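As an added illustration (not TaxDome's code, and not a description of how its platform is implemented), the following Go program models the temporary-staff and outsourced-staff rules above as default-deny access control: every grant is tied to a task and a set of tax years, it expires on its own, closing the task revokes it, and outsourced staff can only be granted the prior year. The role names, the 30-day cap for seasonal hires, and the user and client identifiers are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role drives how much a grant may cover. Hypothetical roles for this example.
type Role int

const (
	Employee   Role = iota // permanent staff
	Temp                   // seasonal hire
	Outsourced             // external preparer
)

// Grant is a time-boxed, task-scoped permission to read one client's files.
type Grant struct {
	User, Client, TaskID string
	Years                map[int]bool // tax years the grant covers
	Expires              time.Time
	Revoked              bool
}

// AccessControl is a default-deny store of grants plus an audit trail.
type AccessControl struct {
	Roles  map[string]Role
	Grants []*Grant
	Audit  []string
}

func NewAccessControl(roles map[string]Role) *AccessControl {
	return &AccessControl{Roles: roles}
}

// GrantForTask issues a grant when a task is assigned. Policy (assumed for the
// example): outsourced staff may only receive the prior tax year; temporary
// staff grants are capped at 30 days; nobody gets access without a task.
func (ac *AccessControl) GrantForTask(user, client, taskID string, years []int, ttl time.Duration, now time.Time) (*Grant, error) {
	role, known := ac.Roles[user]
	if !known {
		return nil, fmt.Errorf("unknown user %q", user)
	}
	if taskID == "" {
		return nil, errors.New("a grant must be tied to a task")
	}
	switch role {
	case Outsourced:
		for _, y := range years {
			if y != now.Year()-1 {
				return nil, fmt.Errorf("outsourced staff may only see tax year %d", now.Year()-1)
			}
		}
	case Temp:
		if ttl > 30*24*time.Hour {
			ttl = 30 * 24 * time.Hour
		}
	}
	g := &Grant{User: user, Client: client, TaskID: taskID, Years: map[int]bool{}, Expires: now.Add(ttl)}
	for _, y := range years {
		g.Years[y] = true
	}
	ac.Grants = append(ac.Grants, g)
	ac.log("GRANT", user, client, taskID)
	return g, nil
}

// CloseTask revokes every grant tied to the task, so access ends with the work.
func (ac *AccessControl) CloseTask(taskID string) int {
	n := 0
	for _, g := range ac.Grants {
		if g.TaskID == taskID && !g.Revoked {
			g.Revoked = true
			n++
			ac.log("REVOKE", g.User, g.Client, taskID)
		}
	}
	return n
}

// CanAccess is the check every file read goes through: deny unless a live,
// unexpired grant covers this user, client and tax year.
func (ac *AccessControl) CanAccess(user, client string, year int, now time.Time) bool {
	for _, g := range ac.Grants {
		if g.User == user && g.Client == client && g.Years[year] && !g.Revoked && now.Before(g.Expires) {
			ac.log("ALLOW", user, client, g.TaskID)
			return true
		}
	}
	ac.log("DENY", user, client, "-")
	return false
}

func (ac *AccessControl) log(event, user, client, task string) {
	ac.Audit = append(ac.Audit, fmt.Sprintf("%s user=%s client=%s task=%s", event, user, client, task))
}

func main() {
	now := time.Date(2026, 3, 1, 9, 0, 0, 0, time.UTC)
	ac := NewAccessControl(map[string]Role{"alice": Employee, "tmp-bob": Temp, "out-carol": Outsourced})
	if _, err := ac.GrantForTask("tmp-bob", "client-42", "T-1001", []int{2025}, 90*24*time.Hour, now); err != nil {
		panic(err)
	}
	fmt.Println(ac.CanAccess("tmp-bob", "client-42", 2025, now)) // true
	fmt.Println(ac.CanAccess("tmp-bob", "client-42", 2024, now)) // false: year not in scope
	ac.CloseTask("T-1001")
	fmt.Println(ac.CanAccess("tmp-bob", "client-42", 2025, now)) // false: revoked with the task
	_, err := ac.GrantForTask("out-carol", "client-42", "T-1002", []int{2026}, time.Hour, now)
	fmt.Println(err) // outsourced staff may only see tax year 2025
	for _, line := range ac.Audit {
		fmt.Println(line)
	}
}
```

The audit trail is deliberately written on every decision, including denials; a run of DENY lines for one user is exactly the signal you want to see when a seasonal hire starts probing files outside their assignment.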
Privacy Is More Important Than Security
Ask yourself why security gets all the attention while privacy gets so little. Firms need both. Security spending is high, but the gap in keeping data private (controlling who may see and use it, not just who can break in) is only starting to close.
Keeping close control of client data, enforcing strict access controls, encrypting data at rest and in transit, and minimizing what you collect and retain are privacy measures that also strengthen your cybersecurity.
Privacy comes first and security is how you deliver it; the two work together to keep your firm and client information safe.
Start with a data security plan before layering on additional measures to strengthen your firm's security.
AI-Powered Phishing and Social Engineering
Attackers now use generative AI to craft convincing emails, SMS messages (smishing), and even cloned voices (vishing). During the busy season these specifically target accounting staff to harvest portal credentials or redirect wire transfers. Any request to change payment or bank details, whatever channel it arrives on, should be confirmed by calling the client on a number you already have on file.
Creating a Data Security Plan in 5 Simple Steps
Your firm should work with security experts on a data security plan suited to your clients' data and your risk. Use the following five-step process to get started:
1. Learn the Basics
Data security threats fall into five broad areas:
- Exploiting a resource (a vulnerable application, server, or account) to gain access to data
- Tampering with systems or data to reach information that should be out of bounds
- Unauthorized access to sensitive data, whether by an outsider or by an insider without a need to know
- Disrupting business services or processes, often as cover or leverage for gaining access
- Ransomware, which encrypts data, holds it hostage, and blocks access to it
Basic security must defend against all five while also handling phishing and simpler opportunistic attacks.
2. Identify Sensitive Data
Identify which data is most vital to protect, who has access to it, and which data would cause the least harm to clients or the firm if exposed. The result should be an inventory of all client information and the risks attached to each category.
3. Evaluate and Consider Risk
Consider each risk and then assess how well the security measures already in place reduce it. Once you know the risks and your current coverage, you can design a data security plan that closes the gaps.
4. Create a Written Information Security Plan (WISP)
Now write the plan: how you protect your most vital data, and which systems and protocols guard against the risks you identified. Involve all stakeholders and security professionals so the resulting strategy is robust.
Your plan should not just be a set of verbal rules. Create a formal, written document that outlines how your firm protects client data, handles potential breaches, and trains staff. This is now a regulatory requirement in many jurisdictions.
5. Implement and Monitor
Once the plan exists, implement it, then monitor and test it continually. Review and adjust it on a routine schedule, and after any incident, so your firm is doing all it can to keep data safe and secure.
4 Additional Tips to Strengthen Your Firm’s Security
Creating a data security plan is only part of the data security process. You need to take actionable steps to begin protecting your client data as fast as possible, including:
1. Beyond Passwords: Multi-Factor Authentication and Passkeys
While 2FA is essential, 2026 marks the rise of passkeys. A passkey is a FIDO2/WebAuthn credential: the private key stays on the device or on a hardware key (YubiKey) and is unlocked locally by a biometric (Face ID, Touch ID) or PIN. The site only ever sees a signature, and the credential is bound to the site's domain, so there is no password to steal and nothing a look-alike phishing site can reuse. Whatever method you choose, apply it to every account that reaches client data, including email, cloud storage, and tax software, not just the portal. TaxDome supports advanced MFA and biometric authentication to keep your firm ahead of hackers.
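To show concretely why a passkey cannot be phished, here is an added example in Go (not TaxDome's code) that simulates both sides of a WebAuthn login: the authenticator signs over the relying-party ID hash and the origin the browser reports, and the server refuses any assertion whose origin, RP ID, or challenge does not match what it expects. The domains `portal.example` and `portal-example.com` and the challenge strings are constructed for the example; signature counters and attestation are omitted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the WebAuthn clientDataJSON fields that matter here. The
// browser, not the page's JavaScript, fills in origin, so a phishing page
// cannot claim to be the real portal.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the client returns to the relying party (RP) at login.
type assertion struct {
	AuthenticatorData []byte // SHA-256(rpId) || flags byte (simplified)
	ClientDataJSON    []byte
	Signature         []byte // ES256 (ECDSA P-256, ASN.1 DER) over authData || SHA-256(clientDataJSON)
}

// newPasskey stands in for credential registration: the private key never
// leaves the authenticator; the RP stores only the public key.
func newPasskey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// sign simulates the browser plus authenticator on a page at origin whose
// relying-party ID is rpID.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flag bit 0: user present
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// verify is the RP side. Every check is required; the origin and rpIdHash
// checks are what make the credential useless on a look-alike domain.
func verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, expectedChallenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, expectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 33 || !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to a different domain")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	priv, _ := newPasskey()
	challenge := "c0ffee-one-time-nonce" // the RP issues a fresh random challenge per login
	// Legitimate login from the firm's portal (hypothetical domain).
	a, _ := sign(priv, "portal.example", "https://portal.example", challenge)
	fmt.Println("legit:", verify(&priv.PublicKey, "portal.example", "https://portal.example", challenge, a))
	// Phishing: the attacker relays the real challenge to a look-alike domain.
	p, _ := sign(priv, "portal-example.com", "https://portal-example.com", challenge)
	fmt.Println("phish:", verify(&priv.PublicKey, "portal.example", "https://portal.example", challenge, p))
}
```

Contrast this with a password or a six-digit code: both are secrets the user can be talked into typing on the wrong site, and the real site cannot tell where they came from. Here the signed message itself names the origin, so relaying it does not help the attacker.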
2. Put Policies in Place
Internal policies are essential for keeping client data safe and secure. At a minimum they should include:
- Signed NDAs for all workers
- Written IT and cybersecurity policies
- Training on those policies, with every employee formally signing them
Creating strong internal policies, with input from key stakeholders and security experts, helps stop threats before they materialize. Establish a data classification policy as well: knowing which documents are most sensitive makes access control decisions simpler and improves your overall security posture.
Security Awareness Training (SAT) should be a core part of your internal policies. Conduct regular phishing simulations to test your team’s readiness. Remember: a security plan is only as strong as the person with the most access. Training your staff to recognize phishing attempts and AI-generated scams is one of the most effective first lines of defense.
Train employees on day-to-day practices too, such as never sending client documents or sensitive details by email or text, and using the secure client portal or messaging system instead.
3. Secure Client Portal and Messaging Systems
One of the biggest mistakes a firm can make is to request client personal data by email. A secure client portal and messaging system protects that information far better than text or email, which pass through and sit in systems you do not control.
Keeping data exchange inside your own software and systems reduces the risk of client data being exposed.
TaxDome's client portal includes secure messaging, so document exchange and conversation stay in one place.
4. Follow Basic Security Practices
Whether an employee works from home or on your internal computers, some baseline measures must be in place to harden your firm's security:
- Install a firewall
- Install antivirus/malware protection
- Keep the firewall and antivirus updated
- Keep operating systems and applications updated, with automatic updates turned on
- Restrict who can install programs on company computers, and give staff standard (non-administrator) accounts for daily work
Attackers take the easiest path in. If a system or application has a known vulnerability that you have not patched, that is what they will use to reach your data.
Final Thoughts
Why is data security important now more than ever? The industry keeps evolving. Online services, from SaaS platforms to simple cloud backup of client information, each add exposure for your business and clients if they are not secured.
If you’re not continually trying to strengthen your data security, you’re putting your clients and firm at risk of a data breach.
Lisa manages TaxDome’s blog strategy, oversees email communications, and improves platform performance through review analysis and optimization, focusing on aligning messaging with user needs and strengthening brand positioning in the accounting industry.