Working with Accountants, Lawyers, and Records
Your accountant has your tax returns. Your lawyer has your contracts. Your records have everything else. Here's the privacy reality.
Last updated: March 20, 2026
Your CPA has your personal and business tax returns going back 10 years. Your lawyer has contracts, employment records, and letters about your business disputes. Your bookkeeper has a QuickBooks file with your complete financial picture.
All of that data is sitting in their systems. Do you know how secure those systems are? Do you have agreements with them about what happens if they're breached?
Most owners don't think about this until it's too late.
What this solves (in real business terms)
Your professional advisors hold sensitive data about your business and personal life. Tax returns contain SSNs, income, deductions, home addresses. Contracts contain deal terms, trade secrets, customer lists. Employment records contain performance issues, compensation, and personal information.
If your CPA gets breached, you have a problem—even though you didn't create the vulnerability.
What can go wrong
The CPA firm breach. In 2022, a regional accounting firm in the Southeast was breached. The attackers got the tax returns of 500 clients. Those clients—business owners—had their SSNs, income, addresses, and deduction histories exposed. Notification costs, credit monitoring, and state AG inquiries followed. The affected businesses had no recourse because they had no contract with the CPA firm governing breach liability.
The attorney-client privilege exception. Your lawyer's email was compromised. Opposing counsel in your litigation now has access to attorney-client privileged communications. Your case may be compromised. Your lawyer may be liable—but your exposure remains.
The QuickBooks breach. A small business owner's bookkeeper used a cloud-based QuickBooks. The bookkeeper's email was phished. The attacker got QuickBooks credentials. They had 3 years of financial records, employee W-2s, customer invoices, and vendor payment records. This data was worth more than the business itself to an identity thief.
The inheritance problem. The business owner passed away. The family couldn't access the accountant's records because everything was password-protected with a password nobody knew. Years of tax returns, the estate planning documents—all locked away.
What it costs (honest ranges)
| What | What you'll pay |
|------|----------------|
| Secure file sharing with your advisors (Citrix ShareFile, Box) | $15–$50/user/month |
| CPA firm security requirements checklist | $0 |
| Data sharing agreement template | $500–$2,000 (one-time) |
| Annual security review of advisor relationships | $1,000–$3,000 |
| Accountant's cyber insurance verification | $0 (ask them) |
Minimum viable implementation
- Ask your advisors about their security practices. Email your CPA: "What security standards do you maintain? Do you have cyber insurance? What happens if you have a breach that involves our data?" If they can't answer, that's information.
- Establish secure file transfer. Don't send tax documents via unencrypted email. Set up a secure portal. Most CPA firms have one—use it. If yours doesn't, ask them to use one.
- Create data sharing agreements. At minimum, a written agreement that covers: what data they hold, how they protect it, what happens in a breach, how long they keep it, and what happens when the relationship ends.
- Maintain your own copies. You are entitled to copies of everything you give them. Keep a backup. Store it securely.
- Document access credentials. Who has access to your tax records, legal files, and financial systems? If you got hit by a bus tomorrow, could your family or successor access what they need?
- Review access quarterly. When your CPA relationship changes, when your lawyer changes firms, when your bookkeeper leaves—update your access records and change passwords.
Vendor questions (copy/paste)
For your professional advisors about their security:
For accountants:
- "Do you maintain a written information security program? Can I see your policies?"
- "Do you have cyber liability insurance? What coverage limits?"
- "What happens to our data if you have a breach? How quickly will you notify us?"
- "Do you use multi-factor authentication on your systems that hold our data?"
- "Who else has access to our data? Staff? Subcontractors? Cloud providers?"
For lawyers:
- "Does your firm maintain cybersecurity standards consistent with state bar requirements?"
- "How do you handle privileged communications via email and file sharing?"
- "What's your data retention policy for client files?"
- "If your firm is breached, what's your notification process for affected clients?"
For bookkeepers/financial advisors:
- "What software do you use? What are its security features?"
- "Who has access to our financial data? How is access controlled?"
- "Do you conduct security training for your staff?"
- "What happens to our data if your relationship with [software vendor] changes?"
When to hire help
Hire help if:
- You're in a regulated industry where financial data has specific compliance requirements
- Your advisors hold data on employees, customers, or third parties
- You're going through a business transition (sale, succession, merger)
- You've had a breach at an advisor's firm affecting your data
- You need to audit what data your advisors have and ensure it's protected