Data Retention Rules for CPAs
Understand essential data retention guidelines for CPAs to ensure compliance and protect client information effectively.
Written by MIT Team | Last published: April 11, 2026
1. The Rules Explained
FTC Safeguards Rule: The Two-Year Disposal Requirement
- The Misconception: The FTC tells you to keep data for 2 years.
- The Actual Rule: Under the FTC Safeguards Rule (16 CFR 314.4(c)(6)), you must develop procedures for the secure disposal of customer information no later than two years after the last date the information was used in connection with the provision of a product or service to that customer -- unless one of the following exceptions applies:
- The information is necessary for business operations or other legitimate business purposes
- Retention is required by law or regulation (e.g., IRS audit statutes)
- Targeted disposal is not reasonably feasible due to how the information is maintained
The two-year clock is tied to when you last used the information to serve the client -- not the last time anyone at your firm accessed the data. Pulling old records for an internal review does not reset the clock.
FTC Disposal Rule: How to Destroy Data
- What It Is: A separate FTC regulation (16 CFR Part 682) under the FACT Act that dictates how you must destroy consumer information when you dispose of it.
- The Requirements: You cannot simply throw papers in a dumpster or drag files to the recycle bin. The rule requires:
- Physical records: Must be shredded, burned, or pulverized so the information cannot practicably be read or reconstructed.
- Electronic records: Must be destroyed or erased so the information cannot practicably be read or reconstructed. For traditional hard drives, use software that overwrites the drive sectors. For SSDs (solid-state drives, now standard in most modern computers), use the manufacturer's Secure Erase command or physically destroy the drive, as standard overwriting tools are not reliable on SSDs.
The Safeguards Rule (16 CFR 314) tells you when to dispose of customer information (two years after last use, with exceptions). The Disposal Rule (16 CFR 682) tells you how to destroy it securely. Both apply to CPA firms, but they are separate regulations with different scopes. The Safeguards Rule covers all customer information; the Disposal Rule specifically covers consumer report information and records.
IRS: Record Retention Guidelines
- The Misconception: "7 years" is the law.
- The Actual Rule: The IRS has a sliding scale based on the Statute of Limitations (the time the IRS has to audit a return). These periods are defined in IRC Section 6501 and related provisions, with practical guidance in IRS Publication 583 (Starting a Business and Keeping Records):
| Retention Period | When It Applies |
|---|---|
| 3 Years | The standard period for most tax returns (IRC 6501(a)) |
| 6 Years | If a client under-reports income by more than 25% (IRC 6501(e)) |
| 7 Years | If a client claims a loss from worthless securities or bad debt deduction (IRC 6511(d)) |
| Indefinitely | If a client files a fraudulent return or fails to file |
Why everyone says 7 years: Because CPA firms cannot easily predict which client might be audited for bad debt (7 years) or under-reporting (6 years), most firms adopt a 7-year retention policy as a catch-all safety net.
2. How to Reconcile the Conflict
You might ask: "If the FTC says dispose after 2 years of non-use, but the IRS says keep for 7 years, what do I do?"
The IRS requirement takes precedence here. The FTC Safeguards Rule explicitly contains an exception: you do not have to dispose of data if "retention is required or authorized by law or regulation." Since the IRS audit statutes (and arguably the threat of malpractice lawsuits) authorize you to keep data for audit defense, you retain it for the 7-year period.
However, once that 7-year period is up and the client is no longer active, the FTC requirement kicks in: you must securely destroy that data. You cannot hold it "just in case" forever.
3. Recommended Action Plan for a CPA Firm
If you are running a firm, you should implement a Document Retention and Destruction Policy. Here is a standard framework:
A. Categorize Your Data
Permanent Records (Keep Forever):
- Partnership agreements, Articles of Incorporation, Bylaws
- Year-end financial statements (for the firm itself)
- General ledgers (year-end trial balances)
- Depreciation schedules (retain as long as the asset is owned + 7 years)
Client Tax and Workpaper Records (Keep 7 Years):
- Tax returns and all supporting workpapers
- Bank statements, invoices, and payroll records used for preparation
- Engagement letters
- Start the clock from the filing date, not the document date.
Transient / Admin Data (Keep 2 Years or less):
- Emails that do not contain final advice or work product
- Marketing prospect lists (if they did not become clients)
- Drafts of documents that were later finalized
B. The "Purge" Process (FTC Compliance)
To satisfy the FTC Safeguards Rule, you must have a systematic way to dispose of old data.
- Annual Review: Every January, run a report of clients who left the firm more than 7 years ago.
- Notification (optional but recommended): Send a final notice to the former client:
- Secure Destruction:
- Physical records: Use a certified shredding service that provides a "Certificate of Destruction."
- Digital records (traditional hard drives): Do not just hit "delete." Use software that overwrites the drive sectors (wiping), or physically destroy the drive if decommissioning a server.
- Digital records (SSDs / modern computers): Standard overwriting tools are not effective on solid-state drives due to wear leveling. Use the manufacturer's Secure Erase command or physically destroy the drive.
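The annual review step above amounts to a retention-schedule check: for each record, start the clock from the right date (filing date for tax workpapers, last use for transient data), add the category's retention period, and hand expired records to the secure-destruction step unless a litigation hold freezes them. The script below is an added example written for this article, not the article's own or any vendor's tooling; the record layout, category names and the sample inventory are constructed assumptions, and it only produces the purge list (the destruction method for each medium is still governed by the Disposal Rule as described above).

```python
"""Retention-schedule check for a CPA firm's annual purge review.

Added example, not part of the original article. It encodes the three
categories from the action plan (permanent, 7-year client tax records,
2-year transient data) and the litigation-hold exception, and reports which
records have run out their retention period as of a review date.
The Record layout and the sample inventory below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Category(Enum):
    PERMANENT = "permanent"     # partnership agreements, year-end statements: never purge
    CLIENT_TAX = "client_tax"   # returns and workpapers: 7 years from the filing date
    TRANSIENT = "transient"     # drafts, non-advice email, prospect lists: 2 years from last use


RETENTION_YEARS = {Category.CLIENT_TAX: 7, Category.TRANSIENT: 2}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: Category
    clock_start: date           # filing date for tax records, last-use date for transient data
    litigation_hold: bool = False


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years, clamping Feb 29 to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_eligible_on(rec: Record):
    """First date on which the record may be destroyed, or None if kept permanently."""
    if rec.category is Category.PERMANENT:
        return None
    return add_years(rec.clock_start, RETENTION_YEARS[rec.category])


def purge_report(records, review_date: date) -> dict:
    """Sort records into purge / held / retain buckets as of the review date.

    'purge' records go to the secure-destruction step (shredding service,
    sector wipe, or SSD Secure Erase); 'held' records have expired but are
    frozen by a litigation hold; 'retain' records are still inside their period.
    """
    report = {"purge": [], "held": [], "retain": []}
    for rec in records:
        eligible = disposal_eligible_on(rec)
        if eligible is None or eligible > review_date:
            report["retain"].append(rec.record_id)
        elif rec.litigation_hold:
            report["held"].append(rec.record_id)
        else:
            report["purge"].append(rec.record_id)
    return report


# Constructed sample inventory and review date for a January review.
REVIEW_DATE = date(2026, 1, 15)
SAMPLE_RECORDS = [
    Record("2017-return-acme", Category.CLIENT_TAX, date(2017, 4, 15)),
    Record("2020-return-acme", Category.CLIENT_TAX, date(2020, 4, 15)),
    Record("2016-return-beta", Category.CLIENT_TAX, date(2016, 10, 15), litigation_hold=True),
    Record("draft-memo-2023", Category.TRANSIENT, date(2023, 6, 1)),
    Record("firm-bylaws", Category.PERMANENT, date(1999, 1, 1)),
    Record("prospect-list-2024", Category.TRANSIENT, date(2024, 2, 29)),
]

if __name__ == "__main__":
    for bucket, ids in purge_report(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(f"{bucket}: {', '.join(ids) or '(none)'}")
```

Records in the `held` bucket are the ones a litigation hold policy must keep visible to reviewers: they have expired under the schedule, so they will surface again at every review until the hold is lifted, which is the behaviour you want rather than silently dropping them from the report.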
C. The "Litigation Hold" Exception
Your policy must state:
D. State-Level Requirements
In addition to the federal rules above, some states have their own data retention, destruction, and breach notification requirements that may layer additional obligations on your firm. Check your state's regulations to ensure your policy accounts for any state-specific requirements.
Summary for Your Policy Manual
Quick Reference
| Rule | Citation | What It Governs | Key Requirement |
|---|---|---|---|
| FTC Safeguards Rule | 16 CFR 314.4(c)(6) | When to dispose | Secure disposal within 2 years of last use (with exceptions for legal retention, business need, or feasibility) |
| FTC Disposal Rule | 16 CFR Part 682 | How to destroy | Shred/burn/pulverize physical records; destroy or erase electronic media so data cannot be reconstructed |
| IRS Retention | IRC 6501, 6501(e), 6511(d); IRS Pub 583 | How long to keep | 3-7 years (sliding scale); indefinitely for fraud or non-filing |