Compliance Essentials: Data Retention, Cyber Insurance & Certificates
Discover key strategies for effective data retention and essential insights into cyber insurance to safeguard your organization.
VeritGuard Knowledge Base | Compliance
In This Article
- Digital Data Retention: Do You Have to Delete Client Records?
- Cyber Insurance: Do Solo Practitioners Need It?
- Compliance Certificates: What Verito Can Provide
- Our Compliance Resources & References
- How VeritGuard's WISP Service Ties It All Together
- Frequently Asked Questions
Digital Data Retention: Do You Have to Delete Client Records?
This is one of the most common questions we hear: "Do I have to go through every piece of software and delete old client records?" The short answer is no, not exactly. But you do need a plan for how you handle old data. Let's break it down.
IRS Publication 4557 requires that you have a data retention and destruction policy. However, it does not mandate deleting records after a specific number of years. How long you keep records depends on your state rules, professional obligations, and engagement letters with clients.
The FTC Safeguards Rule takes a slightly different angle. It requires you to limit data collection and retention to what is reasonably necessary, and to securely dispose of data you no longer need. In plain English: don't hoard data "just in case."
You need a written policy that defines how long you keep records and how you destroy them. "Keep everything forever" is not compliant. Neither is "delete everything after April 15." The policy should be documented in your WISP and followed consistently.
What "delete from every software" actually looks like in practice:
| System | What to Do |
|---|---|
| Tax prep software (Drake, Lacerte, ProSeries, UltraTax) | Archive old returns per your retention policy. Most of these programs have built-in archival features. You don't need to surgically delete individual returns day-to-day. |
| Cloud storage / shared drives | Remove client files per your retention schedule. This includes folders on your hosted server, Google Drive, OneDrive, or any other file storage. |
| Email | Archive or delete client-related emails once the retention period expires. This is often the system people forget about. |
| Backup systems | Backups naturally cycle out old data over time. You do not need to go into your backups and delete individual client records. As long as your backup retention window is reasonable (30-90 days is typical), old data phases out on its own. |
Define a retention period (many CPAs use 7 years to match IRS audit windows), document it in your WISP, and follow it consistently. When a record hits the end of its retention period, remove it from active systems. That's the standard regulators expect.
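As an added illustration (not Verito's code or procedure), the following Python sweep applies an assumed retention rule (a record becomes eligible for destruction after December 31 of its tax year plus seven) to a constructed inventory of client files and produces the date / what / who entries a destruction log needs. The paths, operator name and the rule itself are assumptions; nothing is deleted unless dry_run is switched off.

```python
# Added example (not Verito's code): apply a written retention period to an
# inventory of client records and emit date / what / who audit entries.
from dataclasses import dataclass
from datetime import date
import os

RETENTION_YEARS = 7  # the article's example period; use the value in your WISP
AS_OF = date(2026, 4, 1)  # constructed "today" for the sample run below

@dataclass(frozen=True)
class ClientRecord:
    path: str      # location in an active system (hosted server, OneDrive, ...)
    tax_year: int  # tax year the record relates to

def retention_end(tax_year: int, years: int = RETENTION_YEARS) -> date:
    # Assumed policy rule: eligible for destruction after Dec 31 of tax_year + years.
    return date(tax_year + years, 12, 31)

def is_expired(rec: ClientRecord, today: date, years: int = RETENTION_YEARS) -> bool:
    return today > retention_end(rec.tax_year, years)

def sweep(records, today: date, operator: str, years: int = RETENTION_YEARS,
          dry_run: bool = True):
    """Return (kept, destruction_log). With dry_run=True every log entry is a
    plan and no file is touched; otherwise the expired file is removed."""
    kept, log = [], []
    for rec in records:
        if not is_expired(rec, today, years):
            kept.append(rec)
            continue
        if not dry_run and os.path.exists(rec.path):
            os.remove(rec.path)
        log.append({
            "date": today.isoformat(),
            "removed": rec.path,
            "retention_end": retention_end(rec.tax_year, years).isoformat(),
            "handled_by": operator,
            "action": "planned" if dry_run else "deleted",
        })
    return kept, log
# Constructed sample inventory; these paths do not exist on disk.
SAMPLE_RECORDS = [
    ClientRecord("/clients/acme/2017/1040.pdf", 2017),
    ClientRecord("/clients/acme/2018/1040.pdf", 2018),
    ClientRecord("/clients/acme/2019/1040.pdf", 2019),
    ClientRecord("/clients/beta/2024/1120S.pdf", 2024),
]
if __name__ == "__main__":
    kept, log = sweep(SAMPLE_RECORDS, AS_OF, operator="jdoe")
    print(f"{len(kept)} kept, {len(log)} expired; log: {log}")
```

Keep the returned log with your WISP records; it is the evidence that the policy was applied on a schedule rather than ad hoc.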
Cyber Insurance: Do Solo Practitioners Need It?
Strongly recommended, yes. Even if you're a one-person firm.
Here's the reality: a data breach can cost anywhere from $50,000 to $200,000+ in notification costs, legal fees, forensic investigation, and regulatory penalties. That range applies even to small firms. A single ransomware incident or stolen laptop with client SSNs can trigger all of those costs at once. Cyber insurance is designed to cover exactly this.
What a typical cyber insurance policy covers:
- Breach notification costs (you're legally required to notify affected clients)
- Forensic investigation to determine what happened
- Legal defense and counsel
- Regulatory fines and penalties
- Business interruption (lost revenue while systems are down)
- Ransomware payments (varies by policy; some exclude this)
The FTC Safeguards Rule does not explicitly require cyber insurance. However, many state CPA boards and E&O (Errors & Omissions) providers are starting to recommend or require it. It's quickly becoming a baseline expectation.
Having VeritGuard in place actually helps with your insurance application. Many cyber insurance providers offer lower premiums for firms with managed IT security, endpoint protection, MFA, and a WISP. Verito can provide documentation of your security posture for your insurance application.
Typical cost for a small firm: $500 to $2,000 per year, depending on firm size, revenue, and coverage limits. For most solo practitioners, it falls on the lower end of that range. Compared to the potential cost of a breach, it's a practical investment.
Compliance Certificates: What Verito Can Provide
We get this question a lot: "Can Verito give me a compliance certificate to put on my website?" Here's how it works.
To demonstrate compliance to your clients, the strongest approach is a combination of:
- A completed WISP (Written Information Security Plan)
- Managed IT security through a provider like VeritGuard
- Active cyber insurance coverage
- Annual cybersecurity training for all staff
Together, VeritGuard plus a WISP cover a significant portion of IRS and FTC requirements. The remaining pieces (policies, insurance) are on your side, and we help you put those in place as well.
Our Compliance Resources & References
"Where does Verito get all this information?" Fair question. Here are the primary sources our compliance team monitors:
| Resource | What It Covers |
|---|---|
| IRS Publication 4557 | "Safeguarding Taxpayer Data" -- the primary IRS guidance for tax professionals on data security requirements. |
| FTC Safeguards Rule (16 CFR Part 314) | The federal regulation requiring financial institutions (including tax preparers) to implement comprehensive information security programs. |
| NIST Cybersecurity Framework | The framework Verito aligns its security controls to. Widely recognized across industries. |
| IRS Publication 5293 | "Data Security Resource Guide for Tax Professionals" -- a companion resource to Pub 4557 with additional practical guidance. |
| FTC "Start with Security" | A plain-language guide from the FTC on security fundamentals for businesses handling consumer data. |
Verito stays current by monitoring IRS.gov updates, FTC enforcement actions, and AICPA cybersecurity guidance. Our compliance team reviews regulatory changes quarterly to make sure our services and your WISP stay aligned with current requirements.
How VeritGuard's WISP Service Ties It All Together
A WISP (Written Information Security Plan) is the single document that ties your retention policy, insurance, security tools, and training into one cohesive plan. Think of it as the "master checklist" that regulators want to see.
What Verito provides as part of select VeritGuard plans:
- WISP creation -- customized to your firm, not a generic template
- Ongoing maintenance -- updated as regulations change or your firm evolves
- IRS Pub 4557 coverage -- the WISP addresses each requirement outlined in the IRS guidance
- FTC Safeguards Rule alignment -- maps your security controls to federal requirements
The data retention policy, cyber insurance documentation, and security controls discussed in this article all live inside your WISP. It's the one document that proves you're taking compliance seriously, and it's the first thing an auditor or regulator will ask for.
Frequently Asked Questions
Q: Can I just keep all client records forever?
Not recommended. You need a documented retention policy with a defined timeline. "Keep everything" creates unnecessary risk and may violate FTC Safeguards Rule requirements around limiting data retention to what's reasonably necessary. Pick a retention period, put it in writing, and follow it.
Q: What if a client asks for their records to be deleted?
Honor the request. Document that you fulfilled it (date, what was removed, who handled it). Make sure to remove the records from all active systems, not just one application. Backups will cycle out naturally; you do not need to purge individual records from backup archives.
Q: How do I get cyber insurance?
Contact your E&O (Errors & Omissions) insurance provider. Most offer cyber coverage as an add-on or can refer you to a cyber-specific carrier. Verito can provide documentation of your security posture to support your application, which often helps with approval and pricing.
Q: Can I display a "Verito Secured" badge on my website?
Contact your account manager to discuss options. We are also exploring badge programs for VeritGuard clients, so ask about current availability.
Q: How often do IRS compliance requirements change?
The IRS and FTC update guidance periodically, sometimes annually, sometimes in response to specific threats or enforcement priorities. There is no fixed schedule. Verito monitors these changes continuously and updates your WISP accordingly so you don't have to track it yourself.
Verito Technologies | VeritGuard Knowledge Base | Last updated: April 2026