What Happens to Client Data in a Breach? What CPA Firms Need to Know
A data breach at a CPA firm is not just an IT problem. It is a client trust problem, a legal problem, and potentially a business-ending problem. Most small firms think about breaches in abstract terms until one happens. Here is what actually occurs when a breach happens, what you are obligated to do, and what it means for your firm.
What gets exposed
CPA firms hold some of the most valuable personal and financial data that exists. Social Security numbers. Bank account details. Business financials. W-2s. Prior-year tax returns. Investment statements. If a firm is breached, that is what the attacker gets.
Financial data sells for more on criminal markets than almost any other category of stolen data. That is why accounting firms are a deliberate target, not an incidental one. The attackers know what you have.
What typically happens in a breach
1. An attacker gains access, usually through a stolen credential, a phishing email, or an unpatched vulnerability. In many cases, they have been inside the network for days or weeks before anything is noticed.
2. The attacker moves through the network, identifying what is there and what is valuable. For a CPA firm, that means client files, email archives, and any cloud storage connected to the network.
3. The attacker either exfiltrates the data quietly, deploys ransomware to encrypt it and demand payment, or both. In ransomware attacks, data is often copied before it is encrypted so the attacker can threaten to publish it if the ransom is not paid.
4. The firm discovers the breach, either because systems stop working, because a client reports suspicious activity, or because it receives a ransom demand.
5. The firm has to determine what was accessed, notify affected individuals, and manage the legal and reputational fallout.
Your notification obligations
If a breach exposes personal information, most states require you to notify affected individuals within a specific timeframe. Illinois, for example, requires notification without unreasonable delay once a breach is discovered. For a CPA firm with clients across multiple states, you may be subject to notification requirements in each of those states.
If you handle tax information, IRS Publication 5293 outlines data security responsibilities for tax professionals. The IRS also requires tax preparers to have a Written Information Security Plan, or WISP, in place. Many firms do not have one.
Depending on the nature of the data exposed, you may also have obligations under the Gramm-Leach-Bliley Act, which applies to financial institutions including tax preparers who receive certain types of financial information.
What it costs
The direct costs of a breach include forensic investigation to determine what happened, legal counsel to advise on notification requirements, actual notification to affected individuals, and credit monitoring services for those individuals if required.
For a small firm, those costs alone can run tens of thousands of dollars. Add a ransomware payment if the firm chooses to pay, lost billable time during recovery, and any client relationships that do not survive the incident.
The indirect costs are harder to measure. Clients who leave because they no longer trust the firm with their data. Referrals that never come because of what happened. A reputation that takes years to rebuild.
What actually prevents this
- Multi-factor authentication on every account, especially Microsoft 365 and any cloud storage
- Endpoint protection that goes beyond basic antivirus, including behavior-based detection
- Regular security training so staff can recognize phishing attempts before they click
- Documented backup procedures with regular testing so you can recover without paying a ransom
- A Written Information Security Plan and an incident response plan so you know what to do if something happens
- Annual review of your cyber insurance policy to confirm your security controls meet the policy requirements
None of this is complicated, but most small CPA firms have not formalized any of it. We work with accounting firms in the Chicago area to put these controls in place before something happens. If you are not sure where your firm stands, a free security assessment is a good starting point. We will tell you exactly what you have, what you are missing, and what to do first.
ITM Consulting