Protecting Client Financial Data at End of Life

Accounting firms hold detailed financial information about their clients, from individual tax returns to complete corporate financial records. This data includes tax file numbers, bank account details, investment portfolios, business financial statements, and payroll information for the client’s employees. The concentration of sensitive financial data across multiple clients makes accounting firm IT equipment a particularly high-value target for data theft, and correspondingly a high priority for proper destruction at end of life.

What Accounting IT Systems Store

Accounting practice management software stores client contact details, engagement records, billing information, and work-in-progress data. Tax preparation software contains tax returns, supporting schedules, prior year data, and tax file numbers for individuals and entities. Accounting and bookkeeping platforms (Xero, MYOB, QuickBooks) hold transaction data, bank feeds, payroll records, and financial reports.

Document management systems store signed financial statements, audit working papers, tax correspondence, and supporting documentation. Email systems contain client communications with attached financial documents, ATO correspondence, and advisory opinions. Cloud storage and backup systems may hold copies of all of the above.

Professional and Regulatory Requirements

Accounting firms are subject to professional standards administered by CPA Australia, Chartered Accountants Australia and New Zealand, and the Institute of Public Accountants. These bodies set ethical requirements that include obligations around client confidentiality and data protection.

The Tax Agent Services Act 2009 and the Code of Professional Conduct for tax practitioners include requirements around the handling of client information. The Tax Practitioners Board (TPB) can take disciplinary action against practitioners who fail to protect client data, including through improper disposal of IT equipment.

The Corporations Act 2001 requires financial records to be retained for seven years. The Income Tax Assessment Act requires tax records to be kept for five years from the date of lodgement. For audit engagements, ASIC requires audit working papers to be retained for seven years after the audit report date. AML/CTF requirements apply to accounting firms that provide designated services, requiring customer identification records to be kept for seven years.

Tax File Number Security

Tax file numbers (TFNs) are subject to specific protection under the Privacy Act 1988 and the Tax File Number Guidelines issued by the Australian Information Commissioner. The guidelines impose strict obligations on how TFNs are collected, used, stored, and destroyed. IT equipment that has stored TFNs must be sanitised to a standard that ensures the TFNs cannot be recovered.

Given the high concentration of TFNs on accounting firm IT equipment, NIST 800-88 Purge-level sanitisation or physical destruction is appropriate for all storage media from accounting practices.

Multi-Client Risk

Unlike many businesses where IT equipment primarily holds the organisation’s own data, accounting firm equipment holds data for dozens or hundreds of different clients. A single unsanitised hard drive from an accounting firm could contain financial records spanning the firm’s entire client base, multiplying the impact of any data exposure.

This multi-client risk profile means that the consequences of improper disposal are amplified compared to a single-entity business. A data breach from disposed accounting firm equipment could trigger notification obligations to hundreds of individuals and entities, damage the firm’s professional reputation across its entire client base, and result in disciplinary action from professional bodies.

Cloud Accounting Considerations

Many accounting firms now use cloud-based platforms (Xero, QuickBooks Online, MYOB Business) rather than locally installed software. While this reduces the amount of client financial data stored on local devices, it does not eliminate it. Local devices may still cache data from cloud applications, store downloaded reports and documents, contain email attachments with financial information, and hold browser-cached data including login credentials for client accounts.

When disposing of devices used to access cloud accounting platforms, sanitise the local storage and also review whether the firm’s access to client cloud accounts needs to be deactivated as part of the device transition.

Accounting firm disposal requirements: Verify all retention obligations (Corporations Act, tax legislation, ASIC audit requirements, AML/CTF) before destruction. Sanitise all storage to NIST 800-88 Purge level given the presence of TFNs and financial data. Address all device types including servers, workstations, laptops, and portable storage. Deactivate cloud platform access on disposed devices. Document destruction with certificates retained for professional compliance. For process guidance, see our guide to building an IT asset disposal policy.
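As an added example (not part of the original article), a small Python check that verifies a sanitised disk by sampling sectors, the way NIST 800-88 describes full or representative-sampling verification, and then assembles the destruction record the firm retains. It assumes the purge method leaves the media reading back as zeros (an overwrite or ATA secure erase; a cryptographic erase reads back as random data instead) and uses placeholder asset tag, serial and operator values; the leaky image is constructed for the demonstration.

```python
import hashlib
import json
import os
import random
from datetime import datetime, timezone

SECTOR = 4096  # sampling granularity in bytes


def _read_at(media, offset, length):
    """Read `length` bytes at `offset` from an in-memory image (bytes) or a file/device path."""
    if isinstance(media, (bytes, bytearray)):
        return bytes(media[offset:offset + length])
    with open(media, "rb") as fh:  # reading a raw device path normally needs root
        fh.seek(offset)
        return fh.read(length)


def verify_sanitised(media, samples=64, seed=None):
    """Check sampled sectors are all-zero; samples >= sector count turns this into a full verification."""
    size = len(media) if isinstance(media, (bytes, bytearray)) else os.path.getsize(media)
    sectors = max(1, size // SECTOR)
    rng = random.Random(seed)
    offsets = {0, (sectors - 1) * SECTOR}  # first and last sector are always checked
    while len(offsets) < min(samples, sectors):
        offsets.add(rng.randrange(sectors) * SECTOR)
    dirty = [off for off in sorted(offsets) if any(_read_at(media, off, SECTOR))]
    return {"bytes": size, "sectors_checked": len(offsets), "dirty_offsets": dirty, "passed": not dirty}


def build_leaky_image(size=1 << 20):
    """Constructed test image: zeroed except for one residual client record left in the last sector."""
    img = bytearray(size)
    residual = b"client=Example Pty Ltd;tfn=PLACEHOLDER;bsb=PLACEHOLDER"
    img[size - SECTOR:size - SECTOR + len(residual)] = residual
    return bytes(img)


def destruction_record(asset_tag, media_serial, method, verification, operator):
    """Certificate entry the firm retains; a SHA-256 over the canonical JSON makes later edits detectable."""
    body = {
        "asset_tag": asset_tag, "media_serial": media_serial, "method": method,
        "verification": verification, "operator": operator,
        "destroyed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    body["fingerprint"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return body


if __name__ == "__main__":
    print("leaky image:", verify_sanitised(build_leaky_image(), samples=256))  # full check of 256 sectors
    clean = verify_sanitised(bytes(1 << 20), samples=256)
    print(json.dumps(destruction_record("ASSET-TAG-PLACEHOLDER", "SERIAL-PLACEHOLDER",
                                        "NIST 800-88 Purge (ATA Secure Erase)", clean, "OPERATOR-PLACEHOLDER"), indent=2))
```

A record should only be issued when `verification["passed"]` is true; a failed sample means the purge must be repeated or the media physically destroyed.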

Accounting firms are custodians of their clients’ complete financial lives. The professional trust that underpins the accounting relationship extends to how client data is handled at every stage, including the final stage of IT equipment disposal.