A former client’s tax files are still sitting in your SharePoint. Their QuickBooks credentials are saved in your password manager. Their portal login was never revoked. Nobody did anything wrong - you just never had a process for ending the relationship. That’s the problem.
The Problem: Offboarding Doesn’t Happen by Default
Most CPA firms invest real effort in onboarding. There’s a checklist, an engagement letter, a portal setup sequence, and maybe a welcome email. You need all of it because you’re collecting sensitive financial data from day one.
But when an engagement ends? It just stops. The client stops responding. You finish the final return. Maybe you send a closing letter. And the files, credentials, and access permissions stay exactly where they were.
This isn’t rare. It’s what happens when there’s no formal offboarding process.
What typically lingers after a client relationship ends:
- Document management systems — prior-year returns, financial statements, and workpapers in shared folders
- Client portals — active login credentials to portals containing years of sensitive documents
- Your firm’s email — threads with Social Security numbers, K-1s, account numbers
- Shared credentials — logins to the client’s QuickBooks, payroll platform, or bank feed that staff still has saved
- Contractor or temporary staff access — project-based contributors never formally removed from the client’s file
None of this is intentional. It’s the natural residue of work. But once the relationship ends, that data is exposure without purpose. And exposure without purpose is liability.
Why This Matters for CPA Firms
CPA firms operate inside a web of data protection obligations most clients don’t fully understand — and many firms underestimate themselves.
IRS Publication 4557, Safeguarding Taxpayer Data, is the clearest starting point. It requires tax preparers to implement a written information security plan (WISP) covering how client data is handled, stored, and disposed of. Disposal isn’t just shredding paper. It applies to digital data too — and it applies to former clients just as much as current ones.
State laws add another layer. California’s Consumer Privacy Act (CCPA) gives individuals the right to request deletion of their personal data. If a former client asks you to delete their data and you can’t because you don’t know where it lives, that’s a compliance failure. The penalty: up to $7,500 per intentional violation.
California’s data breach notification law also matters. If a breach exposes a former client’s records — data that should have been archived or destroyed months ago — you’re explaining to regulators why it was still accessible. That’s a conversation nobody wants.
The professional liability angle is equally real. A malpractice claim tied to a data breach involving a former client’s tax records is harder to defend without a documented offboarding process. Your Errors & Omissions carrier will ask. Your state board of accountancy may too.
How to Build a Defensible Client Offboarding Process
The goal isn’t perfection on day one. It’s a documented, repeatable process you can point to.
Step 1: Define the Trigger
Offboarding should start when the final deliverable is sent — not when the client stops paying, not when someone remembers. Define the trigger in your engagement workflow so it happens automatically.
Step 2: Revoke Portal and System Access
Deactivate every platform the client accessed: your document portal, project management tools, communication platforms. Do this before archiving.
Also revoke your firm’s access to the client’s systems. If your staff saved credentials to their accounting software, payroll platform, or bank feed, remove those from your password manager and revoke them at the source.
Step 3: Return, Archive, or Destroy Client Data
Your WISP should govern this decision. The options:
- Return — send the client a final document package via your portal, then remove firm copies per your retention schedule
- Archive — move files to a restricted, encrypted archive with defined retention periods (typically seven years for tax workpapers)
- Destroy — permanently delete data outside your retention obligations using methods that meet NIST 800-88 guidelines
Whatever you choose, document it. Write down what was done, who did it, and when.
Step 4: Rotate Shared Credentials
If your firm uses any shared logins that included this client’s work — even a generic staff email used to access their accounts — rotate those credentials after the engagement ends. This matters most with cloud accounting platforms.
Step 5: Review Contractor and Temp Staff Access
If contractors, seasonal hires, or project-based staff worked on this client, verify their access was scoped to that engagement. If it wasn’t formally tied to the engagement lifecycle, revoke it now and fix your access process going forward.
Step 6: Document Everything
Create a simple offboarding record for each client: what data was returned or destroyed, when portal access was revoked, who completed each step, the date. This record is your defense if something surfaces later.
A shared checklist in your practice management system works. Format matters less than consistency.
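The six steps above amount to one reconciliation: take an inventory of every access grant, saved credential, and archived folder tagged to a client, compare it against the list of clients whose final deliverable has shipped (the Step 1 trigger), and turn the result into a record of what to revoke, rotate, destroy, and keep. The script below is an added example of that reconciliation, not One82's tooling or anything from the original post. The systems, account names, client names, dates, and the seven- and ten-year retention periods are constructed or assumed for illustration; a firm's own WISP and practice management system define the real inventory and retention schedule.

```python
"""Client offboarding access audit (added example, not One82's tooling).

Reconciles a constructed access inventory against the clients whose final
deliverable has shipped and produces the findings an offboarding record needs.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed retention schedule in days by record type; a real WISP defines this.
RETENTION_DAYS = {"tax_workpapers": 7 * 365, "engagement_letter": 10 * 365}
TODAY = date(2025, 6, 1)  # constructed "current" date for the sample run


@dataclass(frozen=True)
class AccessEntry:
    system: str            # where the access or data lives (portal, sharepoint, ...)
    principal: str         # account, person, or folder that holds it
    client: str            # client the entry is tagged to
    kind: str              # client_login | firm_credential | shared_credential | archive
    since: date            # when granted, saved, or archived
    record_type: str = ""  # archives only: which retention bucket applies


@dataclass
class OffboardingRecord:
    client: str
    trigger_date: date                          # date the final deliverable was sent
    revoke: list = field(default_factory=list)  # Step 2
    rotate: list = field(default_factory=list)  # Step 4
    destroy: list = field(default_factory=list)  # Step 3, outside retention
    keep: list = field(default_factory=list)    # Step 3, still inside retention


def audit(inventory, offboarded, today):
    """Return {client: OffboardingRecord} for each client in `offboarded`
    ({client: trigger date}). Entries tagged to active clients are ignored."""
    records = {c: OffboardingRecord(c, d) for c, d in offboarded.items()}
    for e in inventory:
        rec = records.get(e.client)
        if rec is None:
            continue
        label = f"{e.system}:{e.principal}"
        if e.kind in ("client_login", "firm_credential"):
            # The client's access to the firm, and the firm's saved access to the client.
            rec.revoke.append(label)
        elif e.kind == "shared_credential":
            # A login several staff share cannot be revoked per person; it must be rotated.
            rec.rotate.append(label)
        elif e.kind == "archive":
            limit = RETENTION_DAYS.get(e.record_type)
            if limit is not None and today - e.since > timedelta(days=limit):
                rec.destroy.append(label)
            else:
                rec.keep.append(label)  # inside retention, or unknown type: never auto-destroy
        else:
            raise ValueError(f"unknown access kind {e.kind!r} for {label}")
    return records


def stale_since_trigger(record, today, grace_days=30):
    """True when revoke/rotate items are still open more than `grace_days` after the trigger."""
    open_items = record.revoke + record.rotate
    return bool(open_items) and today - record.trigger_date > timedelta(days=grace_days)


def format_record(record, performed_by, completed_on):
    """Step 6: a plain-text offboarding record of what was done, by whom, and when."""
    lines = [f"Client: {record.client}", f"Trigger date: {record.trigger_date}",
             f"Completed by: {performed_by} on {completed_on}"]
    for action in ("revoke", "rotate", "destroy", "keep"):
        for item in getattr(record, action):
            lines.append(f"  {action:8} {item}")
    return "\n".join(lines)


# Constructed sample inventory; none of these are real clients or accounts.
INVENTORY = [
    AccessEntry("portal", "jane@formerclient.example", "Former Client LLC", "client_login", date(2021, 2, 1)),
    AccessEntry("password_manager", "QuickBooks Online (Former Client LLC)", "Former Client LLC", "firm_credential", date(2021, 2, 10)),
    AccessEntry("password_manager", "staff-shared@firm.example", "Former Client LLC", "shared_credential", date(2020, 6, 1)),
    AccessEntry("sharepoint", "Clients/FormerClientLLC/2016", "Former Client LLC", "archive", date(2017, 4, 15), "tax_workpapers"),
    AccessEntry("sharepoint", "Clients/FormerClientLLC/2023", "Former Client LLC", "archive", date(2024, 4, 15), "tax_workpapers"),
    AccessEntry("portal", "bob@activeclient.example", "Active Client Inc", "client_login", date(2022, 1, 1)),
]
OFFBOARDED = {"Former Client LLC": date(2025, 4, 15)}  # final return sent on this date


def run_sample():
    """Audit the constructed inventory and return the former client's record."""
    return audit(INVENTORY, OFFBOARDED, TODAY)["Former Client LLC"]


if __name__ == "__main__":
    rec = run_sample()
    print(format_record(rec, "IT partner (assumed)", TODAY))
    print("lingering access past grace period:", stale_since_trigger(rec, TODAY))
```

Running the sample flags the former client's portal login and the saved QuickBooks credential for revocation, the shared staff login for rotation, and the 2016 workpapers for destruction while keeping the 2023 set, and reports that the open items are stale because more than 30 days have passed since the trigger. The active client's entries are untouched. The same per-client tagging is what lets an IT provider answer "who has access to what for this client" on demand rather than by searching after the fact.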
What to Look for in an IT Partner
Your IT provider should be an active part of your offboarding process — not someone you call when something breaks. When evaluating a managed IT partner, ask:
- Can you audit active access permissions by client? You need to know who has access to what at any moment, and be able to remove it cleanly.
- Do you support identity and access management tools? Solutions like Microsoft Entra ID let you tie user access to defined groups, making offboarding faster and more auditable.
- How do you handle credential management for third-party systems? A good partner helps you implement a firm-wide password manager with proper controls, not workarounds.
- Can you document data disposal in a way that satisfies IRS Publication 4557? Ask specifically whether they can support your WISP implementation.
- Do you have experience with CPA firms? Accounting firms have regulatory obligations most IT providers aren’t calibrated for. Make sure yours is.
The Bottom Line
Client offboarding is a data security problem disguised as an administrative task. Former client files, credentials, and portal access don’t clean themselves up — and without a documented process, they become quiet liability in your systems. The fix isn’t complicated, but it has to be intentional. Build the checklist, define the trigger, and make it repeatable. That’s a defensible process.
Frequently Asked Questions
How long should a CPA firm keep former client data?
The IRS generally recommends keeping client tax records for at least seven years, which aligns with the statute of limitations for most tax matters. Some states require longer. Records like engagement letters and signed authorizations may warrant longer retention for professional liability purposes. Your written information security plan should document your specific retention schedule by record type.
What does IRS Publication 4557 require for client data disposal?
IRS Publication 4557 requires tax preparers to have a written information security plan that covers how taxpayer data is protected, stored, and disposed of when no longer needed. For digital data, acceptable methods include overwriting, degaussing, or physical destruction of storage media. The publication addresses both paper and electronic records, and it applies to former client data as well as current.
Can a former client request that a CPA firm delete their data under CCPA?
Under the California Consumer Privacy Act, individuals can request that a business delete their personal information. However, exemptions exist — including data a business is required to retain for legal reasons. For CPA firms, IRS and state tax authority record-keeping requirements may limit what can actually be deleted. Document any exemptions you apply and respond to requests within 45 days.
What’s the risk if a data breach involves a former client’s records?
If a breach exposes a former client’s information, you’re still subject to California’s data breach notification law, which requires timely notification to affected individuals. The fact that the data belonged to a former client isn’t a defense — it may raise questions about why that data was still accessible after the engagement ended. A documented offboarding process showing proper data handling is a meaningful mitigating factor in regulatory and malpractice contexts.
If you’re working through client offboarding data security challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area — we know your world.