          Data Retention Rules for CPAs

          Understand essential data retention guidelines for CPAs to ensure compliance and protect client information effectively.

Table of Contents

  • 1. The Rules Explained
    • FTC Safeguards Rule: The Two-Year Disposal Requirement
    • FTC Disposal Rule: How to Destroy Data
    • IRS: Record Retention Guidelines
  • 2. How to Reconcile the Conflict
  • 3. Recommended Action Plan for a CPA Firm
    • A. Categorize Your Data
    • B. The "Purge" Process (FTC Compliance)
    • C. The "Litigation Hold" Exception
    • D. State-Level Requirements
  • Summary for Your Policy Manual
  • Quick Reference

          Written by MIT Team  |  Last published: April 11, 2026


          1. The Rules Explained

          FTC Safeguards Rule: The Two-Year Disposal Requirement

          1. The Misconception: The FTC tells you to keep data for 2 years.
          2. The Actual Rule: Under the FTC Safeguards Rule (16 CFR 314.4(c)(6)), you must develop procedures for the secure disposal of customer information no later than two years after the last date the information was used in connection with the provision of a product or service to that customer -- unless one of the following exceptions applies:
            • The information is necessary for business operations or other legitimate business purposes
            • Retention is required by law or regulation (e.g., IRS audit statutes)
            • Targeted disposal is not reasonably feasible due to how the information is maintained
          💡 Key Distinction
          The two-year clock is tied to when you last used the information to serve the client -- not the last time anyone at your firm accessed the data. Pulling old records for an internal review does not reset the clock.

          FTC Disposal Rule: How to Destroy Data

          1. What It Is: A separate FTC regulation (16 CFR Part 682) under the FACT Act that dictates how you must destroy consumer information when you dispose of it.
          2. The Requirements: You cannot simply throw papers in a dumpster or drag files to the recycle bin. The rule requires:
            • Physical records: Must be shredded, burned, or pulverized so the information cannot practicably be read or reconstructed.
            • Electronic records: Must be destroyed or erased so the information cannot practicably be read or reconstructed. For traditional hard drives, use software that overwrites the drive sectors. For SSDs (solid-state drives, now standard in most modern computers), use the manufacturer's Secure Erase command or physically destroy the drive, as standard overwriting tools are not reliable on SSDs.
          ⚠ These Are Two Separate Rules
          The Safeguards Rule (16 CFR 314) tells you when to dispose of customer information (two years after last use, with exceptions). The Disposal Rule (16 CFR 682) tells you how to destroy it securely. Both apply to CPA firms, but they are separate regulations with different scopes. The Safeguards Rule covers all customer information; the Disposal Rule specifically covers consumer report information and records.

          IRS: Record Retention Guidelines

          1. The Misconception: "7 years" is the law.
          2. The Actual Rule: The IRS has a sliding scale based on the Statute of Limitations (the time the IRS has to audit a return). These periods are defined in IRC Section 6501 and related provisions, with practical guidance in IRS Publication 583 (Starting a Business and Keeping Records):
          Retention Period   When It Applies
          3 years            The standard period for most tax returns (IRC 6501(a))
          6 years            The client omits more than 25% of gross income from the return (IRC 6501(e))
          7 years            The client claims a loss from worthless securities or a bad debt deduction (IRC 6511(d))
          Indefinitely       The client files a fraudulent return or never files at all (IRC 6501(c))

          Why everyone says 7 years: Because CPA firms cannot easily predict which client might be audited for bad debt (7 years) or under-reporting (6 years), most firms adopt a 7-year retention policy as a catch-all safety net.

          2. How to Reconcile the Conflict

          You might ask: "If the FTC says dispose after 2 years of non-use, but the IRS says keep for 7 years, what do I do?"

          The IRS requirement takes precedence here. The FTC Safeguards Rule explicitly exempts information that "is otherwise required to be retained by law or regulation" and information that is "necessary for business operations or for other legitimate business purposes." The IRS audit statutes fall under the first exception, and defending a return in an audit or against a malpractice claim is a legitimate business purpose under the second, so you retain the records for the 7-year period.

          However, once that 7-year period is up and the client is no longer active, the FTC requirement kicks in: you must securely destroy that data. You cannot hold it "just in case" forever.

          3. Recommended Action Plan for a CPA Firm

          If you are running a firm, you should implement a Document Retention and Destruction Policy. Here is a standard framework:

          A. Categorize Your Data

          Permanent Records (Keep Forever):

          • Partnership agreements, Articles of Incorporation, Bylaws
          • Year-end financial statements (for the firm itself)
          • General ledgers (year-end trial balances)
          • Depreciation schedules (the one item in this group that is not truly permanent: retain for as long as the asset is owned, plus 7 years after it is sold or disposed of)

          Client Tax and Workpaper Records (Keep 7 Years):

          • Tax returns and all supporting workpapers
          • Bank statements, invoices, and payroll records used for preparation
          • Engagement letters
          • Start the clock from the date the return was filed, not from the date on the source document. A return filed before its due date is treated as filed on the due date (IRC 6501(b)(1)), so use the later of the two.

          Transient / Admin Data (Keep 2 Years or less):

          • Emails that do not contain final advice or work product
          • Marketing prospect lists (if they did not become clients)
          • Drafts of documents that were later finalized

          B. The "Purge" Process (FTC Compliance)

          To satisfy the FTC Safeguards Rule, you must have a systematic way to dispose of old data.

          1. Annual Review: Every January, run a report of clients who left the firm more than 7 years ago.
          2. Notification (optional but recommended): Send a final notice to the former client:
          "Our records indicate it has been 7 years since our engagement ended. In accordance with our privacy policy, your files will be permanently destroyed on [Date]. If you need copies, please contact us before then."
          3. Secure Destruction:
            • Physical records: Use a certified shredding service that provides a "Certificate of Destruction."
            • Digital records (traditional hard drives): Do not just hit "delete." Use software that overwrites the drive sectors (wiping), or physically destroy the drive if decommissioning a server.
            • Digital records (SSDs / modern computers): Standard overwriting tools are not effective on solid-state drives due to wear leveling. Use the manufacturer's Secure Erase command or physically destroy the drive.

          C. The "Litigation Hold" Exception

          Your policy must state:

          "If a subpoena is received or a lawsuit is threatened, all document destruction for that specific client must stop immediately."
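          The annual review in section B and the hold in section C, worked through as an added example (this is not Verito's code or a tool the article describes): a Python script that builds the January purge list from a set of client records, applying the 7-year clock for tax records (measured from the filing date, or the due date if the return was filed early), the 2-year clock for transient data, the "no active engagement" condition, and the litigation hold. The record layout, client names, dates, and the 30-day notice period are constructed assumptions for illustration.

```python
"""Annual retention review: which records may be destroyed, which are frozen.

Added example, not Verito's code. Retention periods follow the article's
categories; the record format and sample clients below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention clocks from section A. None means keep forever.
RETENTION_YEARS: Dict[str, Optional[int]] = {
    "permanent": None,
    "client_tax": 7,   # clock runs from the return's filing date
    "transient": 2,    # clock runs from the last use of the information
}


@dataclass
class Record:
    client: str
    category: str
    clock_start: date              # for tax records, see filing_clock_start()
    client_active: bool = False    # open engagement: still needed for business
    litigation_hold: bool = False  # subpoena or threatened suit: freeze destruction


def filing_clock_start(filed: date, due: date) -> date:
    """Date the limitations period starts for a return.

    A return filed early is treated as filed on its due date (IRC 6501(b)(1));
    a late or extended return starts the clock on the actual filing date.
    """
    return max(filed, due)


def add_years(d: date, years: int) -> date:
    """d plus `years`; Feb 29 rolls to Mar 1 when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


def disposal_due(rec: Record) -> Optional[date]:
    """First date the record may be destroyed under the policy; None if kept forever."""
    years = RETENTION_YEARS[rec.category]
    return None if years is None else add_years(rec.clock_start, years)


def purge_review(records: List[Record], review_date: date,
                 notice_days: int = 30) -> Tuple[List[Tuple[Record, date]], List[Record]]:
    """Section B review: return (to_destroy, held).

    to_destroy pairs each eligible record with the destruction date to quote in
    the client notice; held lists records past their clock but frozen by a
    litigation hold (section C). Permanent records and records of clients with
    an active engagement are never listed.
    """
    destruction_date = review_date + timedelta(days=notice_days)
    to_destroy: List[Tuple[Record, date]] = []
    held: List[Record] = []
    for rec in records:
        due = disposal_due(rec)
        if due is None or rec.client_active or due > review_date:
            continue
        if rec.litigation_hold:
            held.append(rec)
        else:
            to_destroy.append((rec, destruction_date))
    return to_destroy, held


# Constructed sample data for a January 2026 review (not real client records).
REVIEW_DATE = date(2026, 1, 15)
SAMPLE_RECORDS = [
    Record("Alpha LLC", "client_tax",
           filing_clock_start(filed=date(2018, 4, 10), due=date(2018, 4, 17))),
    Record("Beta Inc", "client_tax",
           filing_clock_start(filed=date(2019, 3, 1), due=date(2019, 4, 15))),
    Record("Gamma Co", "transient", date(2023, 6, 30)),
    Record("Delta LP", "client_tax",
           filing_clock_start(filed=date(2017, 10, 15), due=date(2017, 4, 18)),
           litigation_hold=True),
    Record("Epsilon Corp", "permanent", date(2001, 1, 1)),
    Record("Zeta Ltd", "client_tax", date(2016, 4, 15), client_active=True),
]


def main() -> None:
    to_destroy, held = purge_review(SAMPLE_RECORDS, REVIEW_DATE)
    for rec, when in to_destroy:
        print(f"NOTIFY {rec.client}: {rec.category} records will be destroyed on {when}")
    for rec in held:
        print(f"HOLD   {rec.client}: eligible since {disposal_due(rec)}, destruction frozen")


if __name__ == "__main__":
    main()
```

          In the sample run, Alpha LLC (filed 2018, clock from the due date) and Gamma Co (transient data last used in 2023) are listed for notice and destruction; Delta LP is past its clock but stays on the held list; Beta Inc is not yet due because its clock runs from the 2019 due date; Epsilon Corp's permanent records and Zeta Ltd's active engagement are skipped entirely.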

          D. State-Level Requirements

          In addition to the federal rules above, some states have their own data retention, destruction, and breach notification requirements that may layer additional obligations on your firm. Check your state's regulations to ensure your policy accounts for any state-specific requirements.

          Summary for Your Policy Manual

          "Our firm retains client tax and engagement records for a period of seven (7) years to satisfy IRS audit statutes and potential liability claims. After seven years, if there is no active engagement, records are securely destroyed in compliance with the FTC Safeguards Rule (16 CFR 314.4(c)(6)) and the FTC Disposal Rule (16 CFR 682)."

          Quick Reference

          FTC Safeguards Rule (16 CFR 314.4(c)(6))
            Governs: when to dispose
            Requirement: secure disposal no later than 2 years after last use, unless retention is required by law or regulation, the information is needed for legitimate business purposes, or targeted disposal is not reasonably feasible

          FTC Disposal Rule (16 CFR Part 682)
            Governs: how to destroy
            Requirement: shred, burn, or pulverize physical records; destroy or erase electronic media so the data cannot practicably be read or reconstructed

          IRS Retention (IRC 6501(a), 6501(e), 6511(d); IRS Pub 583)
            Governs: how long to keep
            Requirement: 3 to 7 years on a sliding scale; indefinitely for fraud or a return that was never filed
