A client asks you to confirm that their 2011 tax return no longer exists at your firm. You go looking - and you find it in three places: a scanned PDF in your document management system, an email attachment in a former partner’s archived inbox, and a folder on a server you thought was decommissioned two years ago.

That’s not a hypothetical. It’s what happens when a retention policy hasn’t kept pace with how your firm actually stores data.

The Problem: Most CPA Firms Don’t Have a Policy - They Have a Template

Ask a small or mid-size accounting firm to produce their client data retention policy, and one of three things usually happens. They hand you something downloaded from a professional association years ago that nobody has reviewed since. They describe an informal practice - “we keep everything for seven years” - that exists only in someone’s head. Or they admit there’s nothing formal at all.

None of these hold up when a client asks questions, a state board inquiry comes in, or you’re trying to defend yourself after a data incident.

The deeper problem is that “we keep everything for seven years” sounds cautious and responsible. It isn’t. Federal and state requirements vary significantly by document type. The Internal Revenue Service (IRS) generally requires records supporting a tax return to be kept for three years from the filing date - or six years if substantial underreporting is possible. Some states require longer retention for state tax records. Audit workpapers may have their own retention requirements under standards set by the American Institute of Certified Public Accountants (AICPA) or the Public Company Accounting Oversight Board (PCAOB).

Conflating all of these into a single “keep it forever” approach doesn’t protect you. It accumulates risk. Every year of unnecessary retention is another year that data can be breached, subpoenaed, or accidentally disclosed.

And then there’s the destruction side of the equation - which most template policies ignore entirely.

Why This Matters for CPA Firms

Accounting firms handle some of the most sensitive personal and financial data in existence: Social Security numbers, bank account details, business financials, and estate information. That makes you an attractive target and a regulated custodian, whether you think of yourself that way or not.

The Gramm-Leach-Bliley Act (GLBA) applies to many CPA firms that provide financial services to individuals. Under the GLBA Safeguards Rule - updated and strengthened in 2023 - you’re required to have a written information security program, and that program needs to address how you handle and dispose of client information. A vague retention policy doesn’t satisfy that requirement.

State-level rules add more complexity. The California Consumer Privacy Act (CCPA) gives individuals the right to request deletion of their personal information in many circumstances. If your firm can’t identify where a client’s data lives, you can’t honor that request - and you can’t demonstrate compliance. Other states are following California’s lead with similar legislation.

Beyond regulation, there’s the practical liability question. If your firm suffers a breach, the scope of that breach - and your exposure - is directly proportional to how much data you were holding. Firms that retain client files indefinitely because “we might need them someday” are carrying risk that has no corresponding benefit after the required retention period has passed.

Your professional reputation is also on the line. Clients increasingly expect to know how their data is handled. The firms that can answer that question clearly are building trust. The ones that can’t are quietly losing it.

How to Build a Policy That’s Actually Defensible

A defensible retention policy has four working parts: a schedule, a scope, a destruction procedure, and an owner. Here’s what each should include.

The Retention Schedule

Map document types to specific retention periods - not one blanket rule. At minimum, your schedule should address:

  • Tax returns and supporting documents (federal and state, distinguished by jurisdiction)
  • Audit and attest workpapers (check AICPA standards and any PCAOB requirements if applicable)
  • Client correspondence, including email
  • Engagement letters and contracts
  • Billing records
  • Estate and trust-related documents, which often carry longer requirements

Distinguish records you’re retaining for the client’s benefit from records you’re keeping for your own professional protection. The rules - and the appropriate retention periods - are different for each.

The Scope (Where the Data Actually Lives)

This is where most policies fail. Your filing cabinet is the least of your worries. Your policy must account for:

  • Cloud document management systems (ShareFile, NetDocuments, CCH, etc.)
  • Email archives and server backups
  • Decommissioned drives and old workstations
  • Third-party applications that hold client data (tax prep software, payroll platforms, client portals)
  • Personal devices, if any staff access work files remotely

If the policy only addresses paper and local servers, it’s describing a firm that hasn’t existed for fifteen years.

The Destruction Procedure

Define how data gets destroyed - not just when. For digital files, “deletion” isn’t enough; drives need to be sanitized following the National Institute of Standards and Technology (NIST) Special Publication 800-88 guidelines (overwriting or cryptographic erasure, as appropriate for the media type), or physically destroyed. For paper, cross-cut shredding or a certified shredding service is required.

For any destruction of sensitive media, obtain and retain a certificate of destruction. If a regulator or a client asks whether a record has been disposed of properly, a certificate is your evidence. A verbal assurance is not.

Build a destruction log. Record what was destroyed, when, by whom, and how. This is the paper trail that turns your policy from a document into a practice.
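As an added illustration (not code from this article or from One82), here is the retention schedule and destruction log described above expressed as a small Python tool: it maps document types to retention periods, refuses to destroy anything under legal hold, flags copies living outside the system of record, and writes the what/when/who/how entry for each destruction. The schedule periods, dates, client names, system names and certificate reference are constructed placeholders, not real requirements.

```python
from dataclasses import dataclass
from datetime import date

# Illustrative schedule; the periods are constructed placeholders, not the firm's real rules.
SCHEDULE_YEARS = {"tax_return": 3, "audit_workpaper": 7, "engagement_letter": 7}
CYCLE_DATE = date(2024, 1, 10)  # constructed date of the destruction cycle being run

@dataclass
class Record:
    client: str
    doc_type: str
    closed_on: date           # filing date or engagement close date
    locations: list           # every system holding a copy, not just the DMS
    legal_hold: bool = False  # subpoena, litigation or board inquiry: never destroy while set

def add_years(d, years):
    """Add whole years; a Feb 29 closing date falls back to Feb 28."""
    day = 28 if (d.month == 2 and d.day == 29) else d.day
    return d.replace(year=d.year + years, day=day)
def disposal_date(rec):
    return add_years(rec.closed_on, SCHEDULE_YEARS[rec.doc_type])
def eligible_for_destruction(rec, today):
    return not rec.legal_hold and today >= disposal_date(rec)

def stray_copies(rec, system_of_record):
    """Copies outside the designated system of record: old inboxes, forgotten servers."""
    return [loc for loc in rec.locations if loc != system_of_record]

def log_destruction(log, rec, today, performed_by, method, certificate_ref):
    """Append the what/when/who/how entry the policy calls for and return it."""
    entry = {"client": rec.client, "doc_type": rec.doc_type, "locations": list(rec.locations),
             "destroyed_on": today.isoformat(), "performed_by": performed_by,
             "method": method, "certificate": certificate_ref}
    log.append(entry)
    return entry

def run_cycle(inventory, today, performed_by):
    """Log every record due this cycle; held or not-yet-due records are skipped.
    Method and certificate id are placeholders for the vendor's NIST 800-88 report."""
    log = []
    for rec in inventory:
        if eligible_for_destruction(rec, today):
            log_destruction(log, rec, today, performed_by, "NIST 800-88 purge", "CERT-PLACEHOLDER")
    return log

# Constructed inventory: the 2011 return found in three places, a held record, one not yet due.
INVENTORY = [
    Record("Client A", "tax_return", date(2012, 4, 15),
           ["DMS", "archived-inbox:former-partner", "server:decommissioned"]),
    Record("Client B", "tax_return", date(2012, 2, 29), ["DMS"], legal_hold=True),
    Record("Client C", "audit_workpaper", date(2023, 3, 1), ["DMS"]),
]
```

Running `run_cycle(INVENTORY, CYCLE_DATE, "firm-admin")` logs only Client A’s return; `stray_copies(INVENTORY[0], "DMS")` lists the two copies that should never have survived the last cycle.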

The Policy Owner

Someone needs to own this. Assign a specific role - a partner, your firm administrator, or your IT provider - with responsibility for reviewing the policy annually and triggering destruction cycles on schedule.

What to Look for in an IT Partner

If you work with a managed IT services provider (MSP), your retention and destruction policy touches their work directly. Ask the right questions before you assume they’ve got it covered.

  • Can you give me an inventory of where client data lives across all our systems, including cloud and backup environments?
  • Do you have a documented process for securely wiping or destroying hardware before it’s decommissioned?
  • Can you provide certificates of destruction for retired drives and devices?
  • How do your backup and archiving configurations interact with our retention schedule - are we retaining backups longer than the policy requires?
  • Have you worked with CPA firms on GLBA Safeguards Rule compliance before?

A provider who can answer these questions specifically - not just reassuringly - is one who understands what’s actually at stake for your firm.

The Bottom Line

A client data retention policy isn’t a legal formality you file and forget. It’s a working document that defines what you keep, where you keep it, how long you keep it, and how you dispose of it when the time comes. Firms that treat it seriously reduce their breach exposure, stay ahead of regulatory requirements, and can answer hard questions when clients or regulators start asking them. Firms that don’t are holding more risk than they realize.


Frequently Asked Questions

How long does a CPA firm have to keep client tax records?

The IRS generally requires taxpayers to retain records supporting a return for at least three years from the filing date, though this extends to six years if there’s a risk of substantial underreporting. CPA firms should consult both federal guidelines and their state’s specific requirements, since some states have longer mandates. Many firms also retain workpapers longer for professional liability protection - but those decisions should be documented in policy, not made by default.

Does GLBA apply to small accounting firms?

Yes, the Gramm-Leach-Bliley Act applies to many accounting firms, including small ones, that provide financial products or services to individuals. The Federal Trade Commission (FTC) Safeguards Rule requires these firms to implement a written information security program that includes procedures for secure data disposal. Firm size doesn’t create an exemption - it only affects some of the specific implementation requirements.

What’s the right way to destroy digital client records?

Simply deleting files or reformatting a drive isn’t sufficient for sensitive client data. NIST Special Publication 800-88, Guidelines for Media Sanitization, provides the recognized standard for digital destruction, including overwriting, cryptographic erasure, and physical destruction depending on the media type. For any destruction of records containing personally identifiable information (PII) or financial data, firms should obtain a certificate of destruction and log the event with the date, a description of what was destroyed, and the method used.

Can clients request that a CPA firm delete their data?

Under the California Consumer Privacy Act (CCPA), California residents have the right to request deletion of their personal information held by businesses that meet certain thresholds. Whether a specific CPA firm is subject to CCPA depends on factors like revenue and data volume, but the broader trend toward individual deletion rights is growing across states. Firms should know where client data lives and have a process for responding to deletion requests - including understanding which records must be retained regardless of a client’s request due to legal or professional obligations.


If you’re working through client data retention policy challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area - we know your world.