Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
An accounting firm holds the most concentrated personal and financial data of any small business on its street. To a criminal scanning Toronto and Hamilton for targets, social insurance numbers, full income histories, banking details, corporate books, and CRA credentials all sit in one convenient place.
That makes a 12-person practice a richer target than the retailer next door, and attackers know it. The question owners ask me every spring is simple: what does it actually take to keep client tax data safe?
Short answer: Canadian accounting firms protect client tax data by meeting three overlapping duties at once: professional confidentiality through their provincial CPA body, CRA record retention and Canadian-residency rules, and PIPEDA safeguarding of personal information.
In practice that means seven controls: multi-factor authentication everywhere, email and phishing defence, encryption, least-privilege access, a Canadian-resident document store, tested backups, and managed monitoring with staff training on top.
KEY TAKEAWAYS
- Three rulebooks apply at once. CPA conduct rules, CRA record retention, and PIPEDA all govern client tax data, and a single weak control can breach all three.
- Tax season is the danger window. Attackers send tax-themed lures and impersonate the CRA when firms are busiest and most likely to click.
- Credentials are the front door. Verizon found credential abuse was the top way breaches start, so MFA on every account is the highest-value control a firm can deploy.
- Residency is a CRA rule, not a preference. Records must be kept for six years and remain accessible from Canada, which rules out casual consumer file-sharing tools.
- A breach is reportable. PIPEDA requires reporting a breach that poses a real risk of significant harm to the Privacy Commissioner, with affected clients notified.
What protecting client tax data actually requires for a Canadian accounting firm
Protecting client tax data means satisfying three duties on the same files at once: professional confidentiality to clients through a provincial CPA body, accurate records kept six years and accessible from Canada according to the CRA, and the safeguarding standard set out in PIPEDA. One stolen mailbox can break all three in an afternoon.
Most owners think of this as an IT problem. It is closer to a professional-obligation problem that happens to run on technology. Fusion Computing treats client tax data the way a vault treats cash: who can open it, what is logged, how fast it can be restored, and who gets called when something goes wrong.
Those questions map directly to the controls that regulators and insurers now expect. If you want the deployment side of accounting technology, our guide to AI for Canadian accounting firms covers it, and our IT services for accounting firms page covers the managed side. This post stays on one question: keeping the client tax data itself secure.
Why accounting firms are targets, and why tax season is the danger window
Accounting firms are targeted because they concentrate high-value data and face hard deadlines, which makes them more likely to pay when files are locked. The danger peaks from January through April. In February 2026, Microsoft tracked a tax-lure phishing campaign that reached more than 29,000 users across 10,000 organizations, with accountants and tax preparers among the named targets.
The lures impersonated tax authorities and claimed irregular filings under a recipient’s filing number. Fusion Computing sees the Canadian version every spring, aimed at CRA Represent a Client logins. A busy preparer in April is exactly the person most likely to click a convincing CRA notice.
This is not hypothetical for the profession. CPA Canada itself disclosed a breach affecting 329,000 members and stakeholders after an intrusion that ran from late 2019 into 2020, following a phishing campaign against its members, as reported at the time.
Why this matters: Verizon found that 60% of breaches involved the human element, credential abuse was the leading way breaches started at 22%, and 88% of basic web-application attacks used stolen credentials. The fix is unglamorous and effective: MFA and trained staff. Source: Verizon 2025 DBIR.
The pattern tells a firm where to spend first. Fusion Computing prioritizes the human and credential layers before anything else, because that is where the attacks actually land. If your team handles client returns, our managed cybersecurity services and the ransomware recovery playbook are built for this threat.
The Canadian regulatory baseline: CRA, PIPEDA, and provincial CPA rules
The Canadian baseline comes from three sources, and a firm must satisfy all of them. The CRA sets record-keeping and residency rules, PIPEDA sets the safeguarding and breach-reporting standard, and each provincial CPA body sets confidentiality and competence expectations. The table below turns each obligation into a daily-operations action.
| Obligation | The rule | What it means in practice |
|---|---|---|
| CRA record-keeping | Keep records six years from the end of the last tax year they relate to. | A retention and deletion schedule, not an endlessly growing shared drive. |
| CRA residency | Records must stay in Canada or remain accessible from Canada with CRA permission. | Know the data region of every cloud tool, not just the brand name. |
| CRA account access | MFA is mandatory for CRA accounts; a backup MFA option becomes required by February 2026. | Every Represent a Client login needs MFA and a recovery method. |
| PIPEDA safeguarding | Protect personal information with safeguards proportionate to its sensitivity. | Tax data is highly sensitive, so strong controls are expected, not optional. |
| PIPEDA breach reporting | Report breaches posing a real risk of significant harm to the OPC and notify individuals; keep breach records 24 months. | A written incident plan and a breach log, ready before anything happens. |
Why this matters: MFA is already mandatory for CRA account users, with a backup option required by February 2026, and PIPEDA has required reporting of significant-harm breaches since November 1, 2018. These are existing duties. Source: CRA; Office of the Privacy Commissioner of Canada.
One note on scope. Federal Bill C-8 has drawn attention, but its cybersecurity duties apply to federally regulated critical sectors such as telecom and banking, not to a private accounting practice.
For a CPA firm the operative rules are CRA, PIPEDA, and your provincial CPA body, plus Law 25 in Quebec. For the regulator-specific detail, see our guides to CRA EFILE security and FINTRAC IT controls for accountants. Firms that also serve financial services clients or run cloud productivity tools should read our Microsoft 365 Copilot oversharing audit, since AI assistants can surface tax files a user was never meant to see.
The seven controls that actually protect client tax data
Seven controls do most of the work, and they map directly to how breaches start, so a firm that deploys all seven closes the doors attackers use most. None require an enterprise budget. They require a right-sized stack built for a 25 to 200 seat practice, plus one accountable owner and the managed IT services to keep them running.
| Control | What it stops | Minimum standard |
|---|---|---|
| Multi-factor authentication | Stolen-password logins, the top entry vector | MFA on email, tax software, and CRA portals; legacy auth blocked |
| Email and phishing defence | Tax-lure phishing and CRA impersonation | Advanced filtering, external-sender banners, link scanning |
| Encryption | Readable data on lost or stolen devices | Full-disk encryption on every laptop; encrypted client portal |
| Least-privilege access | One breach becoming a firm-wide breach | Role-based folders; no shared logins; quarterly access review |
| Canadian-resident document store | Residency and PIPEDA exposure | Access-controlled storage in a Canadian region, not personal email |
| Tested backups | Permanent loss after ransomware | Immutable backups with a restore tested at least quarterly |
| Monitoring and training | Slow detection and human error | EDR or managed detection plus staff phishing training |
Fusion Computing deploys this stack in a defined order so the highest-value risk is closed first. The free CPA Technology Competence Checklist walks a firm through each control. For the access-control thinking behind least privilege, our zero-trust guide for Canadian SMBs goes deeper.
Book a consultation → and Fusion Computing will map these seven controls against your current setup before the next filing season.
Common mistakes Canadian accounting firms make, from the field
The gaps I see at incoming firms are consistent, and none are exotic. They are ordinary shortcuts that made sense when the firm was smaller and never got revisited. Three recur, and each breaks more than one obligation. According to Fusion Computing intake reviews, shared logins and unprotected mailboxes top the list almost every time.
From our intake reviews: The single most common gap is shared logins to tax-prep software paired with no MFA on the mailbox that receives client documents, the exact exposure PIPEDA expects a firm to close.
Close behind: client tax records sitting in personal email inboxes and consumer file-sharing tools instead of an access-controlled Canadian store, which is a residency and a PIPEDA problem at once.
The gap that worries me most is backups that have never been test-restored; firms learn the backup is unusable only when ransomware lands in April. Source: Fusion Computing client onboarding reviews, 2012 to 2026.
Across roughly 40 Canadian SMB deployments below 50 seats since 2012, the size of the firm never predicted whether it was breached. Patch and credential hygiene did. Each mistake is cheap to fix before an incident and ruinous to fix after one.
A shared login becomes a forensic nightmare under PIPEDA because no one can prove who did what. A personal-inbox copy of a return becomes a reportable breach the moment that account is phished. An untested backup becomes a ransom payment.
How to harden your firm before tax season
The fastest way to cut risk before filing season is to work top-down through the controls that block real attacks, starting with credentials and email. The payoff is measurable: IBM found Canadian organizations using security AI extensively averaged CA$5.19 million per breach against CA$8.53 million for those without (full report).
A practical pre-season sequence looks like this. Enforce MFA on every account and block legacy authentication. Move every client file into the Canadian store and purge copies from inboxes. Run a test restore from backup and confirm it works.
Then send the team a phishing refresher with real CRA-themed examples, and confirm a written incident plan names who to call. Our tax-season cybersecurity playbook covers that 90-day crunch in depth, and the CPA Technology Competence Checklist turns the sequence into a printable worksheet. Book a consultation → if you would rather we run it with you.
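An added example, not Fusion Computing's tooling or any vendor's API: a Python check that reads a constructed sign-in export (column names and the legacy-protocol list are assumptions) and lists the two findings the first step of this sequence is meant to clear, accounts that completed logins without MFA and accounts still reached over legacy protocols.

```python
import csv
import io
from collections import defaultdict

# Protocols that authenticate with a bare password and never carry an MFA
# challenge; the set is assumed for this example, not taken from any vendor.
LEGACY_APPS = {"IMAP4", "POP3", "SMTP AUTH"}

# Constructed sign-in export for a small practice during filing season.
# Column names are assumed for the example, not a real product's schema.
SAMPLE_LOG = """timestamp,user,client_app,mfa_result,success
2026-03-02T08:14:00,anita@example-cpa.ca,Browser,satisfied,true
2026-03-02T09:05:00,tax-shared@example-cpa.ca,Browser,none,true
2026-03-02T09:07:00,tax-shared@example-cpa.ca,Browser,none,true
2026-03-02T11:40:00,raj@example-cpa.ca,IMAP4,none,true
2026-03-03T07:55:00,raj@example-cpa.ca,Browser,satisfied,true
2026-03-03T13:10:00,mei@example-cpa.ca,SMTP AUTH,none,false
"""


def analyse_signins(csv_text):
    """Summarise one export into the findings a pre-season MFA pass must clear.

    no_mfa: accounts that completed at least one login with no MFA challenge.
    legacy: accounts that attempted any legacy-protocol login, successful or
            not, because a reachable legacy endpoint is the exposure even when
            the attempt failed.
    """
    no_mfa = set()
    legacy = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        succeeded = row["success"].strip().lower() == "true"
        if succeeded and row["mfa_result"].strip() != "satisfied":
            no_mfa.add(row["user"])
        if row["client_app"].strip() in LEGACY_APPS:
            legacy[row["user"]].add(row["client_app"].strip())
    return {
        "no_mfa": sorted(no_mfa),
        "legacy": {user: sorted(apps) for user, apps in sorted(legacy.items())},
        "ready": not no_mfa and not legacy,
    }


def report(csv_text):
    """Plain-text findings for the person who owns the MFA rollout."""
    result = analyse_signins(csv_text)
    lines = [f"Enforce MFA on: {', '.join(result['no_mfa']) or 'nobody'}"]
    for user, apps in result["legacy"].items():
        lines.append(f"Block legacy auth for {user}: {', '.join(apps)}")
    lines.append("Ready for filing season" if result["ready"] else "Gaps remain")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents mapped to the same five columns; the shared mailbox in the sample shows why a shared login with no MFA surfaces here but the question of who was behind it cannot be answered from the log at all.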
What good looks like, and how to choose an IT partner
A firm in good shape can answer five questions without hesitation: who can access client data, where it lives, when it was last backed up and tested, how a breach would be reported, and who responds at 2 a.m. during filing season. If any answer is a shrug, that is the gap to close first.
When choosing a partner, look for one that writes policy before installing tools, trains your staff, and can show a tested recovery plan rather than a list of products. Fusion Computing has secured Canadian professional-services firms since 2012, and the practices that weather an incident best are the ones that prepared during a quiet month, not a busy one. A virtual CIO can own that roadmap if you lack an internal lead.
Where to start before filing season
Start with the two controls that block the most damage: MFA on every account and a backup you have actually test-restored. Fix the residency of your file storage next, then write the incident plan before you need it. Book a consultation → and Fusion Computing will close the highest-risk gaps first.
Frequently Asked Questions
How do Canadian accounting firms protect client tax data?
They meet three duties at once: CPA professional confidentiality, CRA record-keeping and Canadian residency, and PIPEDA safeguarding. In practice that means multi-factor authentication on every account, email and phishing defence, encryption, least-privilege access, a Canadian-resident document store, tested backups, and managed monitoring with staff training.
How long must an accounting firm keep client records in Canada?
The CRA requires records to be kept for six years from the end of the last tax year they relate to. Some records tied to long-term property or the wind-up of a business must be kept indefinitely. Records must remain in Canada or be accessible from Canada with CRA permission.
Does the CRA require multi-factor authentication?
Yes. MFA is mandatory for CRA account users, and a backup MFA option becomes required by February 2026. Every Represent a Client login should have MFA enabled along with a recovery method, so a lost phone does not lock a preparer out during filing season.
Where can a Canadian accounting firm legally store client tax data?
Records must be kept in Canada or remain accessible from Canada, so storage should sit in a Canadian cloud region or on-premise. Personal email inboxes and consumer file-sharing tools fail this test and create PIPEDA exposure. Use an access-controlled store whose data region you can verify.
What must a firm do after a data breach under PIPEDA?
If a breach poses a real risk of significant harm, the firm must report it to the Office of the Privacy Commissioner of Canada and notify affected individuals as soon as feasible. The firm must also keep a record of every breach of security safeguards for at least 24 months, whether or not it was reportable.
Why are accounting firms targeted during tax season?
Firms hold concentrated financial data and face hard deadlines, so they are more likely to pay quickly when files are locked. Attackers send tax-themed lures and impersonate the CRA from January through April, when staff process heavy email volume and a tax notice does not look suspicious.
Is a small accounting firm really at risk?
Yes. Attackers scan for unpatched systems and leaked credentials and do not pre-screen by revenue, so a small firm with sensitive data looks like a prime target. The right answer is a right-sized stack built for a 25 to 200 seat practice, not an enterprise system scaled down, and Fusion Computing deploys that in about a week.
How fast can a firm reduce its risk?
Material risk reduction starts in the first week. Fusion Computing enforces MFA and conditional access by day 7, deploys endpoint detection by day 14, and confirms a tested backup restore and written incident plan by day 30. Full program maturity follows over 90 days, but the riskiest doors close first.