Accountants and CPAs sit at the intersection of some of the most sensitive personal data in existence: Social Security numbers, bank account details, income records, investment portfolios, and complete tax return histories. That access makes you a uniquely high-value target for identity thieves, social engineers, and data brokers. Protecting your personal information is not just a professional obligation — it is a critical defense for both you and your clients.
Why Accountants Are Prime Targets
Tax professionals handle the exact data that criminals need to commit identity theft and financial fraud. During tax season, phishing campaigns specifically targeting accountants spike dramatically. The IRS has repeatedly warned about schemes in which attackers impersonate the IRS, state tax agencies, or professional organizations to trick CPAs into surrendering client data.
But the risk extends beyond phishing emails. When your personal information — your home address, phone number, and professional affiliations — is readily available on data broker sites, attackers gain the raw material they need to:
- Impersonate you to clients: A criminal who knows your home address, phone number, and firm name can craft convincing emails or phone calls requesting sensitive documents from your clients.
- Target you for tax refund fraud: With enough personal details, attackers can file fraudulent tax returns in your name or use your credentials to access tax filing systems.
- Launch business email compromise attacks: Data brokers sell information that helps attackers build profiles detailed enough to bypass security questions and social-engineer their way into your accounts.
IRS Warning for Tax Professionals
The IRS Security Summit has identified tax professionals as a top target for identity thieves. The agency reports that a single data breach at an accounting firm can yield hundreds or thousands of victims, making the payoff for attackers significantly higher than targeting individual taxpayers.
Regulatory Requirements You Cannot Ignore
Beyond the practical risks, accountants face specific legal obligations to safeguard data:
- IRS Publication 4557: The IRS requires all tax professionals to create and maintain a written information security plan. This includes securing both client data and the personal information of anyone in the practice.
- Gramm-Leach-Bliley Act (GLBA): Under the FTC's Safeguards Rule, financial institutions — including tax preparers — must implement comprehensive data security programs. Failure to comply can result in significant fines and legal liability.
- State privacy laws: Many states impose additional breach notification requirements and data protection standards that apply directly to accounting professionals.
- AICPA Code of Professional Conduct: The American Institute of CPAs requires members to maintain confidentiality of client information, which extends to securing the systems and personal data that could provide a pathway to that information.
How Data Broker Exposure Creates Vulnerabilities
Data brokers compile and sell personal information scraped from public records, social media, and commercial databases. For accountants, this exposure creates several serious problems:
Clients Can Find Your Personal Details
When a client searches your name online, data broker sites may display your home address, personal phone number, estimated income, property records, and even names of family members. This blurs the line between your professional and personal life and can create uncomfortable or unsafe situations.
Criminals Build Convincing Impersonation Profiles
The more personal data available about you online, the easier it becomes for an attacker to impersonate you convincingly. A fraudster who knows your home address, your spouse's name, and the name of your firm can craft messages that pass the gut-check test for even cautious clients.
Your Home Address Becomes a Liability
Many CPAs operate home offices or use their home address for business registration. When that address appears on data broker sites alongside your professional credentials, it creates a direct link between your personal life and your client data — a link that attackers can exploit.
Securing Your Personal Information
Taking control of your personal data exposure requires a systematic approach:
Remove Your Information from Data Brokers
Manually opting out of data broker sites is time-consuming and often temporary, as brokers frequently re-list information. PrivacyOn monitors over 100 data broker sites and continuously removes your personal information, significantly reducing the attack surface that criminals can exploit. For accountants handling sensitive client data, this ongoing protection is especially valuable because it eliminates the personal details that make impersonation and social engineering attacks possible.
Separate Your Personal and Professional Identities
- Use your firm's address — not your home address — on all professional registrations, licenses, and public filings.
- Maintain a dedicated business phone number and email address. Never use personal accounts for client communication.
- Register your professional domain with privacy protection to keep your personal contact details out of WHOIS databases.
Lock Down Public Records
- If your state allows it, request that your home address be redacted from property records and voter registration files.
- Use a registered agent service for any business filings that require a public address.
- Consider an LLC or P.O. Box for business correspondence to keep your residential address off public documents.
Home Office Security Checklist
If you work from a home office:
- Ensure you have a dedicated and locked workspace for client documents.
- Use full-disk encryption on all devices.
- Enable automatic screen lock after 60 seconds of inactivity.
- Store physical documents in a fireproof, locking file cabinet.
- Shred all paper documents with client data before disposal.
- Never use a shared home computer for tax preparation work.
Protecting Client Data
Your personal security and your client data security are deeply interconnected. Strengthening one reinforces the other:
- Multi-factor authentication: Enable MFA on every system that touches client data — tax software, email, cloud storage, and bank accounts. Use authenticator apps or hardware keys rather than SMS codes.
- Encrypted communications: Use encrypted email or secure client portals for exchanging tax documents. Never send Social Security numbers or financial records through standard email.
- Access controls: Limit who in your firm can access client data. Apply the principle of least privilege so that staff members only see the information they need for their specific tasks.
- Regular security training: Ensure everyone in your firm can recognize phishing emails, suspicious phone calls, and social engineering attempts. The IRS recommends annual security awareness training at minimum.
- Incident response plan: Have a documented plan for responding to a data breach, including notification procedures for clients, state regulators, and the IRS.
Ongoing Vigilance
Privacy protection is not a one-time project. Data brokers continuously acquire new data, public records are regularly updated, and attackers constantly refine their techniques. Accountants and CPAs should:
- Monitor your online exposure quarterly: Search for your name, firm name, and phone number to see what information is publicly available.
- Review and update your security plan annually: The IRS requires a written security plan, and it should evolve as threats change.
- Stay current with IRS security alerts: Subscribe to IRS e-News for Tax Professionals and the Security Summit alerts for the latest threat intelligence.
- Use a data removal service: PrivacyOn provides continuous monitoring and removal, saving you the hours it would take to manually track and remove your data from hundreds of broker sites.
The trust your clients place in you extends beyond accurate tax returns. They trust you with the most sensitive details of their financial lives. Protecting your own personal data is the foundation of that trust — because when your information is compromised, your clients' information is next in line.