Data Security & Confidentiality Policy
Effective Date: 2/8/2025
Last Updated: 2/8/2025
At Brendan CPA, we are committed to maintaining the confidentiality, security, and integrity of client information. As a licensed CPA in New York, we adhere to all applicable state and federal regulations, AICPA professional standards, and IRS data protection guidelines to ensure the highest level of privacy and security for our clients.
This Data Security & Confidentiality Policy explains how we handle, store, and protect sensitive client data, including tax, financial, and personal information.
1. Confidentiality Commitment
We understand that as a CPA firm, we handle highly sensitive financial and tax-related information. We are legally and ethically bound to maintain strict confidentiality under:
- New York State Accountancy Laws
- AICPA Code of Professional Conduct (Confidential Client Information Rule 1.700.001)
- IRS Data Protection and Circular 230 Regulations
- FTC Safeguards Rule & Gramm-Leach-Bliley Act (GLBA) for Financial Data Protection
Our Confidentiality Commitments to Clients:
- We never disclose, sell, or share client data with third parties unless legally required.
- All client communications, tax documents, and financial records are strictly confidential.
- Employees, contractors, and third-party vendors handling data must sign confidentiality agreements.
- Clients can request a copy of their confidentiality rights at any time.
2. Types of Data We Protect
We handle and protect the following categories of confidential client information:
Personal Information
Full name, address, phone number, email
Social Security Number (SSN) / Taxpayer Identification Number (TIN)
Financial & Tax Information
Income records, W-2s, 1099s, K-1s
Tax returns, deductions, and credits
Business financials, profit & loss statements
Banking and payment details for tax filings or refunds
Client Communications & Documents
Emails, phone calls, and consultation notes
Documents uploaded via our secure client portal
Any sensitive business or tax planning information
3. Secure Data Storage & Encryption
We use industry-leading security measures to protect all client data from unauthorized access, breaches, and cyber threats.
Encrypted Cloud Storage – All financial records, tax documents, and client files are stored on a secure, encrypted cloud server (ProConnect Tax).
No Physical Copies – We do not store or print paper copies of client tax returns or financial documents.
Secure Client Portal – Clients upload and retrieve documents via an encrypted client portal to prevent unauthorized access.
Multi-Factor Authentication (MFA) – Required for accessing sensitive financial systems and tax preparation software.
Restricted Employee Access – Only authorized personnel have access to client files, and access is logged and monitored.
4. Data Sharing & Legal Disclosures
We never share, sell, or disclose confidential client data except under the following circumstances:
Client Authorization – We may share tax returns or financial records only with written client consent (e.g., for loan applications, tax audits).
Legally Required Disclosures – We may disclose information only when legally mandated, such as:
- IRS or state tax audits
- Court orders or subpoenas
- Fraud investigations by regulatory agencies
Third-Party Service Providers – We use trusted accounting platforms (e.g., ProConnect Tax, Intuit, Google Analytics) to enhance security, but we do not share client financial data for marketing or analytics purposes.
Client Rights: Clients have the right to request a copy of their records, opt out of certain data sharing, or dispute incorrect information.
5. Data Retention & Secure Disposal
We retain client records only for as long as legally required and securely dispose of data when it is no longer needed.
Data Retention Periods
Tax Records: Stored for up to 7 years (per IRS & NY regulations).
Financial Statements & Bookkeeping Records: Retained for at least 5 years.
Client Communications & Consultations: Retained for up to 3 years, unless part of an ongoing service agreement.
Secure Data Disposal
- Digital Records: Securely deleted using permanent data erasure methods.
- Emails & Communications: Automatically deleted after 3 years, unless needed for compliance.
- Client Portal Documents: Automatically removed after the retention period expires.
6. Client Rights & Control Over Data
As a client of Brendan CPA, you have the following rights:
Request Access to Your Records – You may request copies of your financial data and tax filings.
Correct or Update Information – If you find inaccuracies in your data, we will correct them upon request.
Opt-Out of Data Sharing – Clients may request not to have their data shared with third parties (except for legal or regulatory compliance).
Request Deletion of Personal Data – Upon request, we will remove personal information unless legally required to retain it.
To exercise these rights, contact us at: [email protected]
7. Breach Prevention & Incident Response
In the rare event of a data breach or unauthorized access, we follow strict incident response protocols:
Security Incident Response Plan
Immediate Investigation – If a breach is suspected, we conduct a forensic review.
Client Notification – Affected clients will be notified within 72 hours, as required by law.
Regulatory Reporting – If required, we report breaches to the IRS, NY State, and relevant authorities.
Enhanced Security Measures – If an issue is detected, we implement stronger security protections immediately.
8. Compliance with Professional Standards & Governing Laws
We strictly adhere to the following laws, regulations, and ethical standards:
- New York State CPA Regulations (Title 8, Article 149 of NY State Education Law)
- AICPA Code of Professional Conduct (Confidential Client Information Rule 1.700.001)
- IRS Security Standards & Circular 230 Regulations
- FTC Safeguards Rule & Gramm-Leach-Bliley Act (GLBA)
- CCPA (California Consumer Privacy Act) – If applicable to clients from California
All personnel handling financial and tax data are trained on compliance and confidentiality obligations.
9. Contact Us
For questions regarding this Data Security & Confidentiality Policy, or to request data access or corrections, contact:
Email: [email protected]
By using our services, you confirm that you have read, understood, and agreed to this policy.