
What security and compliance measures should small business bookkeeping services maintain?

When you hand a bookkeeping service access to your bank accounts, payroll records, and tax information, you are extending significant trust. The question most business owners never ask before doing so is: what exactly is that service doing to protect the data you have shared with them? 

The answer matters more in 2025 than it ever has. Cybercriminals specifically target accounting firms due to the valuable sensitive data they maintain. One in three small and medium businesses reported being hit by a cyberattack in the last year, with average costs reaching $255,000 per incident. Non-compliance with data protection regulations can result in hefty fines and legal actions that further strain tight budgets. 

Professional bookkeeping services that handle client financial data are subject to specific federal and state security obligations, many of which business owners are not aware of. Understanding what those obligations are, what good security practice looks like beyond the minimums, and how to evaluate a provider’s security posture gives you a far more complete picture of what you are actually getting when you sign with a bookkeeping service. 

At CoCountant, security and compliance are operational requirements, not marketing claims. Here is what every small business bookkeeping service should be doing to protect your financial data, and the questions you should be asking any provider before you trust them with it. 

Most business owners assume data security obligations apply to large corporations and technology companies. The reality is that bookkeeping and accounting firms handling client financial information are classified as financial institutions under federal law and are subject to the same data protection requirements that apply to banks and investment firms. 

The FTC Safeguards Rule and GLBA 

The Gramm-Leach-Bliley Act, enforced through the FTC Safeguards Rule, requires every accounting firm, tax preparer, enrolled agent, and bookkeeping service that handles non-public personal information to maintain a comprehensive Written Information Security Plan. This requirement applies regardless of firm size. Solo practitioners preparing a single tax return must comply with the same WISP requirement as large firms. 

Non-compliance is not a paperwork technicality. The FTC has increased enforcement activity significantly in 2025 and 2026, with penalties reaching $500,000 for notification failures and up to $46,517 per violation per day for ongoing non-compliance. Each missing section of a WISP counts as a separate violation, which means the exposure adds up quickly. 

IRS Publication 4557 and the Written Information Security Plan 

IRS Publication 4557 is the federal government’s definitive guide for protecting taxpayer data. It requires every tax professional and accounting service handling federal tax information to document how they protect that data across nine specific areas. Those areas include risk assessment, access controls, encryption, employee training, backup procedures, patch management, vendor oversight, incident response, and WISP maintenance. 

Since 2024, the IRS has added a direct WISP certification question to the PTIN renewal process. Tax professionals who cannot certify compliance are exposed to PTIN revocation, which means they can no longer legally prepare returns. The WISP requirement is not optional, and it is not limited to large practices. 

State-Level Data Protection Laws 

Federal requirements establish the floor. State regulations frequently impose additional obligations that vary by jurisdiction. Key state requirements in 2025 include: Massachusetts 201 CMR 17, which requires a comprehensive written security plan for any entity holding personal information of Massachusetts residents; New York 23 NYCRR 500, which mandates written cybersecurity policies and a designated cybersecurity officer; and California's CCPA and CPRA, which establish consumer data protection rights requiring documented security practices. 

Bookkeeping services with clients in multiple states must navigate multiple overlapping compliance frameworks simultaneously, which is one reason documented security programs are not a nice-to-have but a legal necessity. 

The Six Core Security Measures Every Bookkeeping Service Should Maintain 

Beyond the legal requirements, these are the specific security practices that distinguish a professional bookkeeping service from one that treats data protection as an afterthought. These are the questions to ask any provider before signing. 

1. Data Encryption at Rest and in Transit 

Encryption transforms financial data into ciphertext that can only be read by someone holding the corresponding decryption key. Enterprise-grade platforms like QuickBooks Online use 256-bit AES encryption for stored data and TLS encryption for data transmitted between systems. This is the same standard used by major financial institutions. 

The IRS requires tax professionals to enable full-disk encryption such as BitLocker or FileVault on all devices handling client data, and to configure TLS 1.2 or higher for data in transit. A bookkeeping service that cannot confirm the encryption standards applied to your data is a service operating below the legal minimum. 

2. Multi-Factor Authentication on All Systems 

Multi-factor authentication requires users to verify identity through at least two separate methods before accessing financial systems. The IRS now sets MFA as a minimum requirement on all systems handling taxpayer data. Studies have shown that 30% of internet users have experienced a data breach due to a weak password. MFA directly prevents the most common form of unauthorized access: a compromised password alone is not enough to get in. 

Every team member at a professional bookkeeping service who accesses client accounts should be required to use MFA. This should not be optional or left to individual discretion. It should be a firm policy applied consistently. 

3. Role-Based Access Controls 

Not every team member needs access to every piece of client data. Role-based access controls ensure that each person can only see and edit the specific data their role requires. A bookkeeper reconciling bank accounts does not need access to payroll records. An accounts payable specialist does not need access to tax documents. 

This principle of least-privilege access limits the potential damage from any single compromised account, whether through external attack or internal error. Single sign-on combined with role-based permissions protects accounting firms from data breaches, strengthens compliance, and reduces the blast radius of any security incident. 

4. Automated Backups and Disaster Recovery 

Professional bookkeeping services should maintain automated backups of client financial data stored in geographically distributed locations. This protects against ransomware attacks, hardware failures, natural disasters, and accidental deletion. Cloud platforms like QuickBooks Online handle this automatically as part of their infrastructure, but the bookkeeping service should be able to confirm that backup procedures are in place and tested. 

The WISP requirement under Publication 4557 specifically includes backup procedures in its nine documented areas. A provider that cannot explain their backup and recovery process has a documented compliance gap. 

5. Employee Screening and Ongoing Security Training 

Security is ultimately a people problem as much as a technology problem. Human error accounts for breaches that even the best tools cannot stop. Professional bookkeeping firms implement employee screening processes before hiring team members with access to client financial data, and they maintain ongoing security training programs that cover phishing identification, password management, secure communication protocols, and incident reporting. 

A single employee training session is not enough. Security education should be ongoing and evolve as new threats emerge. Modern accounting security demands continuous staff training and 24/7 threat detection rather than periodic awareness sessions. The WISP requirement explicitly includes employee training as one of its nine required documented components. 

6. Written Incident Response Plan 

A written incident response plan specifies exactly what happens when a security incident occurs: how it is detected, how it is contained, who is notified, how clients are informed, and how the affected systems are recovered. The FTC Safeguards Rule requires documentation of containment, notification, and recovery steps to minimize damage from potential incidents. 

Professional bookkeeping services should be able to describe their incident response process clearly. If a breach occurs, how quickly would you be notified? What steps would the provider take to contain the damage? What documentation would be produced for regulatory reporting? A provider without documented answers to these questions has a compliance gap that could become your problem if a breach occurs. 

Compliance Standards for Bookkeeping Firms: What Good Looks Like in Practice 

Beyond individual security controls, compliance standards for bookkeeping firms reflect a systematic approach to data protection that is documented, maintained, and regularly reviewed. Here is what that looks like in an operationally mature service. 

The IRS Security Six. The IRS’s minimum security requirements for tax professionals cover six areas: anti-virus and anti-malware software, firewall protection, multi-factor authentication, drive encryption, VPN for remote access, and data backup. These are the floor, not the ceiling, but a bookkeeping service that cannot confirm all six are in place is operating below the minimum legal standard. 

A current, documented WISP. The WISP is not a one-time document. It must be reviewed annually and updated whenever material changes occur, such as new software adoption, cloud migration, or changes in team structure. A WISP that has not been updated since it was first created is a compliance liability, not a compliance asset. 

Vendor oversight. Many breaches stem from insecure third-party systems. A compliant bookkeeping service conducts due diligence on the vendors and platforms it uses to manage client data, ensuring those vendors meet or exceed the firm’s own security requirements. This includes the accounting platform itself, any payroll integrations, and any document management tools. 

Audit trail documentation. Every access to client financial data should be logged with a timestamp, the identity of the user, and the action taken. This creates the documentation required for regulatory compliance and provides evidence in the event of a dispute or investigation. 
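As an added illustration of the least-privilege access controls described under measure 3 and the audit trail requirement described here (example code written for this page, not CoCountant's or any accounting platform's own code), the following Python module enforces role-based permissions per client and logs every access decision, allowed or denied, with a timestamp, user, and action. The roles, data categories, user names, and client IDs are constructed assumptions for the example.

```python
"""Least-privilege access with an audit trail for a bookkeeping team.

Added example; the roles, data categories, users and client IDs below are
constructed for illustration and do not come from any real platform.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Data categories a bookkeeping service typically handles (constructed).
BANK = "bank_transactions"
PAYROLL = "payroll_records"
TAX = "tax_documents"
AP = "accounts_payable"

# Role -> {category: set of allowed actions}. Each role gets only what its
# work requires: the bank reconciler never sees payroll, and the accounts
# payable specialist never sees tax documents.
ROLE_PERMISSIONS = {
    "bank_reconciler": {BANK: {"read", "write"}},
    "ap_specialist": {AP: {"read", "write"}, BANK: {"read"}},
    "payroll_clerk": {PAYROLL: {"read", "write"}},
    "tax_preparer": {TAX: {"read", "write"}, BANK: {"read"}, PAYROLL: {"read"}},
}


@dataclass
class AuditLog:
    """Append-only record of every access decision."""
    entries: list = field(default_factory=list)

    def record(self, user, role, client, category, action, allowed, reason):
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "client": client,
            "category": category,
            "action": action,
            "result": "allowed" if allowed else "denied",
            "reason": reason,
        }
        self.entries.append(entry)
        return entry

    def to_jsonl(self):
        # One JSON object per line: easy to ship to a log collector or retain.
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


class AccessControl:
    """Role-based, per-client authorization that logs every decision."""

    def __init__(self, audit):
        self.audit = audit
        self.users = {}  # user -> (role, set of client IDs assigned)

    def assign(self, user, role, clients):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.users[user] = (role, set(clients))

    def check(self, user, client, category, action):
        """Return True if the action is permitted; denials are logged too."""
        if user not in self.users:
            self.audit.record(user, None, client, category, action, False, "unknown user")
            return False
        role, clients = self.users[user]
        if client not in clients:
            allowed, reason = False, "user not assigned to client"
        elif action not in ROLE_PERMISSIONS[role].get(category, set()):
            allowed, reason = False, "role lacks permission"
        else:
            allowed, reason = True, "role permits action"
        self.audit.record(user, role, client, category, action, allowed, reason)
        return allowed


def demo():
    """Run a few constructed access attempts and return (decisions, audit log)."""
    audit = AuditLog()
    ac = AccessControl(audit)
    ac.assign("maria", "bank_reconciler", ["client-001", "client-002"])
    ac.assign("dev", "ap_specialist", ["client-001"])
    decisions = [
        ac.check("maria", "client-001", BANK, "write"),    # allowed: her role, her client
        ac.check("maria", "client-001", PAYROLL, "read"),  # denied: reconcilers never see payroll
        ac.check("dev", "client-001", TAX, "read"),        # denied: AP role lacks tax access
        ac.check("dev", "client-002", AP, "read"),         # denied: not assigned to this client
        ac.check("intruder", "client-001", BANK, "read"),  # denied: unknown user
    ]
    return decisions, audit


if __name__ == "__main__":
    decisions, audit = demo()
    print(decisions)
    print(audit.to_jsonl())
```

The point of logging denials as well as successes is that a pattern of denied attempts against categories outside someone's role is exactly the kind of evidence an investigation or regulator will ask for; an audit trail that records only what succeeded cannot show it.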

Data portability and end-of-relationship security. A compliant bookkeeping service has a documented process for what happens to client data when the relationship ends. Your financial records should be returned to you in a usable format, and any copies retained by the service should be handled according to documented retention and destruction policies. 

Data Protection Bookkeeping Service: Questions to Ask Before Signing 

This is the practical application of everything above. Before trusting any bookkeeping service with your financial data, these questions deserve specific answers: 

Question: Do you have a Written Information Security Plan?
Compliant answer: Yes, documented, current, and annually reviewed.

Question: What encryption is applied to client data?
Compliant answer: 256-bit AES at rest, TLS 1.2+ in transit.

Question: Is MFA required for all team members?
Compliant answer: Yes, mandatory across all client-facing systems.

Question: How are access controls managed?
Compliant answer: Role-based permissions with audit trail logging.

Question: What is your backup and recovery process?
Compliant answer: Automated, geographically distributed, regularly tested.

Question: What does your employee screening process involve?
Compliant answer: Background checks, NDAs, ongoing security training.

Question: Do you have a written incident response plan?
Compliant answer: Yes, with defined notification timelines.

Question: What platform does my data live in?
Compliant answer: A standard platform I independently own (e.g. QuickBooks).

Question: What happens to my data if the relationship ends?
Compliant answer: Documented return and destruction policies.

Any provider that cannot answer these questions directly and specifically is operating with security practices below what client financial data deserves. 

Bookkeeping Security Practices: How Cloud Platforms Raise the Bar 

One of the most important shifts in bookkeeping security over the past decade is the move from local desktop systems to enterprise-grade cloud platforms. The security infrastructure of platforms like QuickBooks Online exceeds what most local setups could realistically maintain. 

Professional bookkeeping firms implement advanced data encryption, secure cloud platforms, and strict confidentiality agreements to protect client financial information. They follow rigorous employee screening, limit access to authorized personnel, and regularly update cybersecurity protocols to prevent breaches and data loss. 

The key qualifier is that cloud security is only as strong as the configuration. The most commonly cited cloud threats are misconfiguration, account hijacking, and unauthorized access, not inherent platform vulnerabilities. Gartner has noted that the vast majority of cloud security failures result from customer-side configuration errors rather than platform failures. A professional bookkeeping service that correctly configures documented access controls, MFA requirements, and regular security reviews on an enterprise platform provides substantially better protection than an unmanaged local alternative.

CoCountant runs exclusively on QuickBooks Online, which provides enterprise-grade encryption, MFA support, role-based access controls, and automated geographic backup. Client data lives in accounts clients independently own, not in a proprietary system that creates dependency on a single provider. See the full service scope on our online bookkeeping service page.

The Bottom Line 

Security and compliance in bookkeeping are not features a service can opt into selectively. They are legal requirements that apply to every firm handling client financial data, and they reflect the professional obligation that comes with the access a bookkeeping service is granted to some of the most sensitive information a business generates. 

The businesses that understand this ask better questions before signing, choose providers with documented security practices, and operate with greater confidence that the financial data driving their decisions is being handled with appropriate care. 

The question is not whether security matters in bookkeeping. It clearly does, and the regulatory framework behind it is enforceable and increasingly enforced. The question is whether the provider you are evaluating can demonstrate that they are meeting the standard your financial data deserves. If you want a direct, specific conversation about how CoCountant approaches security and compliance for client financial data, contact us and we will walk you through every detail before you commit to anything.

FAQs

What security measures should a small business bookkeeping service maintain?

At minimum, a professional bookkeeping service should maintain 256-bit AES encryption for stored data and TLS encryption for data in transit, mandatory multi-factor authentication for all team members, role-based access controls, automated geographically distributed backups, a written incident response plan, ongoing employee security training, and a documented Written Information Security Plan compliant with the FTC Safeguards Rule and IRS Publication 4557.

What is the FTC Safeguards Rule and does it apply to bookkeeping firms?  

The FTC Safeguards Rule, which enforces the Gramm-Leach-Bliley Act, classifies tax preparers and accounting firms as financial institutions subject to the same data protection standards as banks and investment firms. All bookkeeping and accounting services that handle client financial information are required to maintain a Written Information Security Plan regardless of firm size. Non-compliance carries penalties starting at $50,000 per violation, and the FTC has significantly increased enforcement activity in 2025 and 2026.

What is a Written Information Security Plan and why does it matter for bookkeeping clients?

A WISP is a federally mandated documented security program that specifies how a bookkeeping or accounting firm protects client financial data across nine required areas including risk assessment, access controls, encryption, employee training, backup procedures, vendor oversight, and incident response. It matters for clients because a firm with a current, compliant WISP has systematically addressed data protection obligations. A firm without one is operating below the legal minimum and has unaddressed security vulnerabilities that could expose client financial data.

What is the IRS Security Six?

The IRS Security Six are the minimum cybersecurity controls required for tax professionals, as outlined in IRS Publication 4557. They cover anti-virus and anti-malware software, firewall protection, multi-factor authentication, drive encryption, VPN for remote access, and data backup. These represent the floor of acceptable security practice for any service handling taxpayer data. Professional bookkeeping services should meet or exceed all six.

How do I verify that a bookkeeping service is handling my data securely?

Ask directly for documentation of their security practices, including confirmation of their WISP compliance, encryption standards, MFA requirements, access control policies, backup procedures, and what happens to your data if the relationship ends. A reputable provider will answer these questions without hesitation and with specific, documented answers rather than vague assurances. Also confirm that your financial data lives in a standard platform you independently own rather than a proprietary system the provider controls.

Disclaimer

CoCountant assumes no responsibility for actions taken in reliance upon the information contained herein. This resource is to be used for informational purposes only and does not constitute legal, business, or tax advice. Make sure to consult your personal attorney, business advisor, or tax advisor with respect to believing or acting on the information included or referenced in this post.