Implementing a compliant tax data backup plan is mandatory for tax professionals handling sensitive client data in 2026. The IRS requires comprehensive backup strategies through IRS Publication 4557, making data backups the fourth critical component of the Security Six framework.
According to IRS Publication 4557, tax preparers must maintain consistent backups of all systems containing nonpublic personal information (NPPI) and implement documented contingency plans for data recovery. Non-compliance can result in IRS investigations, regulatory penalties up to $100,000 per violation under the FTC Safeguards Rule, PTIN suspension, and irreparable damage to professional credentials.
For tax practices managing hundreds or thousands of client tax returns containing Social Security numbers, bank account details, and financial records, a robust tax data backup plan is the difference between recovering from a ransomware attack in hours versus losing your entire practice.
The Data Backup Crisis By The Numbers
The statistics cited in this article are drawn from the FBI Internet Crime Complaint Center, the Verizon 2025 Ransomware Trends Report (year-over-year growth 2024-2025), and the IBM Cost of Data Breach Report 2025.
2026 Filing Season Compliance Deadline
All tax preparers with a PTIN must have a compliant, documented tax data backup plan in place before the start of the 2026 filing season. The IRS requires this as part of the Security Six framework with no exemptions for solo practitioners or small firms.
The Evolving Threat Landscape for Tax Professionals
The threat landscape facing tax professionals has evolved dramatically over the past two years. According to FBI Internet Crime Complaint Center data, ransomware attacks cost businesses over $34.3 billion in 2025, with tax professionals experiencing a 149% increase in targeted attacks compared to 2024.
The Verizon 2025 Ransomware Trends Report reveals that 96% of backup repositories are now targeted during attacks, with 76% successfully compromised. This shift in attacker tactics makes implementing a proper tax data backup plan not just a compliance checkbox, but a critical business survival strategy.
Ransomware operators specifically target backup systems because they know businesses with intact, isolated backups can recover without paying ransom. When backups are compromised alongside production systems, victims face an impossible choice: pay the ransom or lose years of client data permanently.
Why Tax Professionals Are Prime Targets
Tax preparers manage an extraordinarily valuable dataset that makes them attractive targets for cybercriminals:
- Complete identity theft packages: Tax returns contain full names, Social Security numbers, dates of birth, addresses, employment information, and bank account details—everything needed for identity theft or fraudulent tax returns
- Seasonal vulnerability windows: During January through April, tax practices operate under extreme time pressure with temporary staff, creating security gaps that attackers exploit
- Small firm security posture: 73% of tax preparers operate as solo practitioners or firms with fewer than 10 employees, often lacking dedicated IT security resources
- High-value intellectual property: Client lists, tax planning strategies, and financial advisory relationships represent significant competitive intelligence
- Regulatory pressure to pay: The threat of IRS penalties, PTIN suspension, and malpractice liability creates pressure to pay ransoms quickly to resume operations
The IBM Cost of Data Breach Report 2025 found that breaches in the financial services sector (which includes tax preparation under GLBA) cost an average of $6.08 million per incident—23% higher than the cross-industry average of $4.88 million.
Understanding IRS Security Six Backup Requirements
The IRS Security Six framework represents the minimum baseline of cybersecurity controls required for tax professionals with a PTIN (Preparer Tax Identification Number). Data backups constitute the fourth pillar of this framework, alongside two-factor authentication, antivirus protection, firewalls, drive encryption, and virtual private networks.
The mandate applies universally—there are no exemptions for solo practitioners or small firms. If you prepare tax returns professionally and hold a PTIN, you must implement and document a compliant tax data backup plan.
IRS Publication 4557 Backup Requirements
IRS Publication 4557, "Safeguarding Taxpayer Data," establishes specific requirements for tax preparer backup systems:
- Comprehensive coverage: Back up all systems, applications, and data repositories that store, process, or transmit taxpayer information including tax software, document management systems, email servers, and client portals
- Consistent scheduling: Implement automated backup procedures that run on a defined schedule without requiring manual intervention—daily backups for active client data, weekly for archived records
- Isolated storage: Maintain at least one backup copy that is air-gapped or immutable, preventing ransomware from encrypting both production systems and backups simultaneously
- Encryption requirements: Encrypt all backup data both in transit and at rest using FIPS 140-2 validated cryptographic modules with AES-256 encryption
- Access controls: Restrict backup system access to authorized personnel only, implementing role-based access control (RBAC) and multi-factor authentication for administrative functions
- Regular testing: Conduct documented restore tests at least quarterly to validate backup integrity and measure recovery time objectives (RTO)
- Written documentation: Maintain current written procedures detailing backup frequency, retention periods, storage locations, encryption methods, responsible parties, and testing schedules
These requirements align with CISA's Cyber Essentials guidance and the NIST Cybersecurity Framework 2.0, specifically the Protect (PR.IP-4) and Recover (RC.RP-1) functions.
GLBA and FTC Safeguards Rule Backup Requirements
Under the Gramm-Leach-Bliley Act (GLBA) and the updated FTC Safeguards Rule effective June 2023, tax preparers are classified as "financial institutions" and must maintain comprehensive information security programs. The Safeguards Rule mandates specific backup practices that extend beyond basic IRS requirements:
- Risk-based approach: Conduct periodic risk assessments to identify all systems storing customer information requiring backup protection, evaluating the likelihood and impact of data loss scenarios
- Safeguard implementation: Encrypt backup data using industry-standard algorithms, restrict access to authorized personnel through MFA, continuously monitor backup integrity through automated verification, and maintain audit logs of all backup and restore operations
- Regular testing protocols: Validate that backups can be restored without corruption or data loss, document test results with timestamps and responsible parties, and measure actual restore times against business continuity requirements
- Periodic review requirements: Update backup procedures when introducing new software platforms, modifying IT infrastructure, identifying new threat vectors, or after any security incident or failed restore attempt
- Comprehensive documentation: Maintain written policies detailing backup frequency, retention periods aligned with IRS recordkeeping requirements, geographic storage locations, encryption standards, responsible personnel with succession planning, and incident response procedures for backup system failures
The FTC has taken enforcement action against financial institutions with penalties exceeding $100,000 per violation for inadequate data backup and security controls. In 2025, the FTC issued consent orders requiring several tax preparation firms to implement third-party security audits after backup system failures resulted in permanent client data loss.
Implementing the 3-2-1-1-0 Tax Data Backup Rule
3 Copies of Your Data
Maintain three total copies of all taxpayer data: one primary production copy plus two backup copies. This protects against single points of failure and ensures redundancy.
2 Different Storage Media Types
Store backups on at least two different media types (local NAS, cloud storage, external drives, tape). Different media types protect against media-specific failures.
1 Copy Stored Offsite
Keep at least one backup copy in a geographically separate location from your primary office. Cloud storage or a secondary office location protects against regional disasters, fires, floods, and theft.
1 Copy Offline or Immutable
Maintain at least one backup copy that is air-gapped (completely disconnected from the network) or immutable (cannot be modified or deleted). This is your ransomware insurance policy.
0 Errors in Restore Testing
Regularly test your backups and verify zero errors during restoration. Untested backups are not backups—they're assumptions. Quarterly restore testing is mandatory for IRS compliance.
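The five checks above can be applied mechanically to a written inventory of backup copies. The following is an added example, not code from the original article: the inventory fields (media, offsite, immutable, offline, retention_years, restore_test_errors) and the 7-year retention default are assumptions chosen for this illustration, and the sample inventory is constructed.

```python
"""Evaluate a backup inventory against the 3-2-1-1-0 rule.

Added example; the inventory format and field names are assumptions made for
this illustration, not part of the original article.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class BackupCopy:
    name: str
    media: str                 # e.g. "nas", "cloud-object", "external-hdd", "tape"
    offsite: bool              # geographically separate from the office
    immutable: bool            # object lock / WORM protected for the retention period
    offline: bool              # air-gapped except while a backup is being written
    retention_years: int       # how long copies are kept before they expire
    restore_test_errors: int   # errors in the most recent documented restore test (-1 = never tested)


def evaluate_3_2_1_1_0(copies: List[BackupCopy], required_retention_years: int = 7) -> List[str]:
    """Return the failed rule checks; an empty list means the plan satisfies 3-2-1-1-0.

    `copies` lists only the backup copies; the production copy is counted implicitly.
    """
    failures = []
    # 3: production plus at least two backup copies
    if len(copies) < 2:
        failures.append(f"3 copies: only {len(copies)} backup copy(ies) beside production, need 2")
    # 2: at least two different storage media types among the backups
    media_types = {c.media for c in copies}
    if len(media_types) < 2:
        failures.append(f"2 media types: backups all use {media_types or 'no media'}")
    # 1: at least one copy stored offsite
    if not any(c.offsite for c in copies):
        failures.append("1 offsite: no backup copy is geographically separate from the office")
    # 1: at least one offline or immutable copy, retained long enough to satisfy recordkeeping
    protected = [c for c in copies if c.immutable or c.offline]
    if not protected:
        failures.append("1 offline/immutable: no air-gapped or object-locked copy")
    elif not any(c.retention_years >= required_retention_years for c in protected):
        failures.append("1 offline/immutable: protected copies expire before the "
                        f"{required_retention_years}-year retention requirement")
    # 0: every copy has a documented restore test that reported zero errors
    for c in copies:
        if c.restore_test_errors < 0:
            failures.append(f"0 errors: '{c.name}' has never had a documented restore test")
        elif c.restore_test_errors > 0:
            failures.append(f"0 errors: '{c.name}' last restore test reported "
                            f"{c.restore_test_errors} error(s)")
    return failures


# Constructed sample inventory: a small practice that is almost, but not quite, compliant
SAMPLE_PLAN = [
    BackupCopy("office NAS", "nas", offsite=False, immutable=False, offline=False,
               retention_years=1, restore_test_errors=0),
    BackupCopy("cloud object storage", "cloud-object", offsite=True, immutable=True, offline=False,
               retention_years=7, restore_test_errors=-1),
]

if __name__ == "__main__":
    for failure in evaluate_3_2_1_1_0(SAMPLE_PLAN):
        print("FAIL:", failure)
```

Run against the sample, the evaluator passes the first four checks and flags only the untested cloud copy, which is exactly the "0 errors" point the rule exists to make: a copy that has never been restored does not count.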
How Immutable Backups Protect Against Ransomware
Immutable backups have become the gold standard for ransomware protection in tax practices. Object lock technology, available in enterprise backup solutions and cloud storage platforms, creates backup copies that cannot be modified, encrypted, or deleted for a specified retention period—even by administrators with full system access.
When ransomware operators compromise a tax practice's network, they typically spend days or weeks in reconnaissance mode, identifying backup systems and attempting to delete or encrypt them before deploying the encryption payload. Traditional backup systems that allow deletions or overwrites provide no protection in this scenario because attackers can destroy backups before revealing their presence.
Immutable backups with object lock create an unbreakable recovery point. The backup software writes data to storage with a governance or compliance lock that prevents any modification or deletion until the retention period expires. Even if attackers obtain administrator credentials to your backup system, they cannot delete or encrypt locked backup objects.
Implementing Object Lock for Tax Data
For tax professionals implementing immutable backups:
- Retention periods: Set object lock retention to match IRS recordkeeping requirements—typically 7 years for individual returns per IRS Publication 583, though three years covers most scenarios
- Compliance vs. governance mode: Use compliance mode for strongest protection (even AWS root account cannot delete), or governance mode for operational flexibility with audit trails
- Cost considerations: Immutable storage typically costs $20-50 per TB per month for tax practices, a small premium over standard cloud storage that provides critical ransomware protection
- Restore testing: Verify you can restore from immutable copies quarterly—object lock prevents deletion but doesn't guarantee data integrity without testing
Tax Data Backup Method Comparison
| Feature | Recovery Speed | Ransomware Protection | IRS Compliant | Typical Cost |
|---|---|---|---|---|
| Local NAS Only | | | | |
| Cloud Backup Only | | | | |
| Hybrid (Local + Cloud) | | | | |
| External Drive Rotation | | | | |
Tax Data Backup Plan Implementation Checklist
- Inventory all systems containing taxpayer data requiring backup protection
- Implement automated daily incremental and weekly full backup schedules
- Configure backups to at least two different storage media types (local + cloud)
- Enable encryption in transit (TLS 1.3+) and at rest (AES-256) for all backup data
- Establish offsite backup storage in a geographically separate region
- Enable immutable backup retention (object lock) on at least one backup copy
- Configure multi-factor authentication for all backup system administrative access
- Document backup procedures including frequency, retention, encryption, and responsible parties
- Conduct quarterly restore tests and document results with dates and findings
- Review and update backup plan annually or when IT infrastructure changes
- Train all staff on backup procedures and their role in data protection
- Integrate backup plan with overall incident response and business continuity planning
Essential Tax Data Backup Plan Components
A compliant tax data backup plan for 2026 must address seven critical components that satisfy both IRS Security Six requirements and FTC Safeguards Rule mandates.
1. Comprehensive Data Inventory
Document all systems and data repositories containing taxpayer information:
- Tax preparation software databases (Lacerte, ProSeries, Drake, UltraTax, etc.)
- Document management systems storing source documents and completed returns
- Email servers and archived client communications containing taxpayer data
- Client portals and secure file sharing systems
- Practice management and billing systems with client information
- Workstation local storage where preparers save work-in-progress files
- Mobile devices used for remote access to client data
2. Automated Backup Scheduling
Implement automated backups that run without manual intervention:
- Daily incremental backups: Capture changes to active client files during tax season (January-April) and year-round for extension work
- Weekly full backups: Complete system images including operating systems, applications, and all data
- Real-time replication: For critical databases, implement continuous replication to secondary storage with minimal recovery point objectives (RPO under 1 hour)
- Pre-season full backup: Create complete backup before tax season begins as a known-good recovery point
3. Encryption and Access Controls
Protect backup data with encryption and strict access controls:
- Encrypt all backups in transit using TLS 1.3 or higher
- Encrypt all backups at rest using AES-256 encryption with FIPS 140-2 validated modules
- Implement role-based access control limiting backup system access to designated security personnel
- Require multi-factor authentication for all backup administrative functions
- Maintain detailed audit logs of backup access, configuration changes, and restore operations
- Store encryption keys separately from backup data using hardware security modules (HSM) or key management services
4. Geographic Diversity and Offsite Storage
Maintain backup copies in multiple geographic locations:
- Local backup: Network-attached storage (NAS) or backup appliance in your office for fast recovery of individual files or folders
- Regional offsite: Cloud storage region geographically separated from your primary office (e.g., if your office is in California, use East Coast cloud region)
- Disaster recovery site: For larger practices, consider a secondary office location or secure storage facility in a different region
Geographic diversity protects against regional disasters, power grid failures, and internet outages that could affect both your primary office and backup systems in the same location.
5. Documented Testing Procedures
Regular restore testing is non-negotiable for compliance:
- Quarterly full restore tests: Completely restore a test system from backup to validate all data and configurations are recoverable
- Monthly file-level tests: Restore random client files to verify backup integrity and measure restore times
- Annual disaster recovery exercise: Simulate complete office loss and execute full recovery procedures with all staff participating
- Documentation requirements: Record test dates, systems tested, data restored, time required, issues encountered, and personnel involved
The FTC Safeguards Rule specifically requires documented testing—you must be able to demonstrate to regulators that your backups actually work when needed.
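A restore test only demonstrates anything if the restored data is compared with what was backed up and the outcome is recorded. The following added example (not code from the original article) hashes every file in a source tree and in its restored copy with SHA-256, classifies the differences, and returns a test record with the fields listed under "Documentation requirements" above. The directory layout, file names and tester name are constructed for the illustration; a real test would point the same functions at a tax software data directory and the workstation it was restored to.

```python
"""Verify a restore against its source with a SHA-256 manifest and produce the test record.

Added example, not the article's own code. A restore counts as "zero errors" only when
every source file is present in the restored copy with an identical hash.
"""
import hashlib
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Tuple


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1024 * 1024), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(source: Dict[str, str], restored: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences: files missing from the restore, files whose content differs, extras."""
    return {
        "missing": sorted(k for k in source if k not in restored),
        "corrupted": sorted(k for k in source if k in restored and source[k] != restored[k]),
        "extra": sorted(k for k in restored if k not in source),
    }


def run_restore_test(source_dir: Path, restored_dir: Path, system: str, tester: str) -> dict:
    """Compare a restored directory with its source and return the documented test record."""
    started = time.monotonic()
    source = build_manifest(source_dir)
    diff = compare_manifests(source, build_manifest(restored_dir))
    errors = len(diff["missing"]) + len(diff["corrupted"])
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "system": system,
        "tester": tester,
        "files_expected": len(source),
        "files_verified": len(source) - errors,
        "missing": diff["missing"],
        "corrupted": diff["corrupted"],
        "extra": diff["extra"],
        "errors": errors,
        "duration_seconds": round(time.monotonic() - started, 3),
        "result": "PASS" if errors == 0 else "FAIL",
    }


def make_sample_restore(tmp: Path, flawed: bool = True) -> Tuple[Path, Path]:
    """Construct a sample client-data tree and a restore of it; when flawed, corrupt one file and drop one."""
    src, rst = tmp / "source", tmp / "restored"
    files = {  # constructed sample content, not real client data
        "Drake2025/Data/CLIENT01.DAT": b"client 01 return data",
        "Drake2025/Data/CLIENT02.DAT": b"client 02 return data",
        "Drake2025/Data/INDEX.IDX": b"index",
    }
    for rel, data in files.items():
        for root in (src, rst):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    if flawed:
        (rst / "Drake2025/Data/CLIENT02.DAT").write_bytes(b"client 02 return dat")  # truncated on restore
        (rst / "Drake2025/Data/INDEX.IDX").unlink()                                   # index file never restored
    return src, rst


def demo_restore_test(flawed: bool = True) -> dict:
    """Build the constructed sample in a temporary directory and run the restore test on it."""
    with tempfile.TemporaryDirectory() as d:
        src, rst = make_sample_restore(Path(d), flawed)
        return run_restore_test(src, rst, "Drake 2025 test workstation", "J. Preparer (constructed)")


if __name__ == "__main__":
    import json
    print(json.dumps(demo_restore_test(flawed=True), indent=2))
```

The record is what gets filed: with the flawed sample it reports two errors (one corrupted database file, one missing index file) and a FAIL result, which is the finding a quarterly test must surface before an actual incident does.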
6. Retention Period Alignment
Align backup retention with IRS recordkeeping requirements:
- Active returns: Retain backups for current and prior three tax years at minimum (covers IRS audit period for most returns)
- Extended statute returns: Seven-year retention for returns with substantial understatement of income or businesses with employees
- Indefinite retention: Consider permanent retention for clients' original returns as a value-added service
- Graduated retention: Implement policies like daily backups for 30 days, weekly for 12 months, monthly for 7 years to balance storage costs and compliance
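The graduated policy in the last item is a grandfather-father-son schedule, and the decision of which snapshots to keep can be stated as a small algorithm. The following is an added example rather than code from the original article: it assumes one snapshot per day identified by its UTC date, keeps the newest snapshot in each bucket (day, ISO week, calendar month), and interprets "12 months" and "7 years" as 365 and 7×365 days so the arithmetic stays explicit. The reference date and snapshot series are constructed.

```python
"""Select which daily snapshots to retain under a graduated (GFS) retention policy:
all dailies for 30 days, one per week for 12 months, one per month for 7 years.

Added example; the bucket rule (newest snapshot in each bucket wins) and the
day-count interpretation of months and years are assumptions for this illustration.
"""
from datetime import date, timedelta
from typing import Iterable, List, Set


def snapshots_to_keep(snapshots: Iterable[date], today: date,
                      daily_days: int = 30, weekly_days: int = 365,
                      monthly_days: int = 7 * 365) -> Set[date]:
    """Return the snapshot dates to retain; everything else is eligible for pruning.

    A snapshot is kept if it is within the daily window, or is the newest snapshot of its
    ISO week within the weekly window, or is the newest snapshot of its calendar month
    within the monthly window. Future-dated snapshots (clock errors) are ignored.
    """
    keep: Set[date] = set()
    newest_in_week = {}
    newest_in_month = {}
    for snap in sorted(snapshots):          # ascending, so the last write per bucket is the newest
        age = (today - snap).days
        if age < 0 or age > monthly_days:
            continue                        # future-dated or beyond the longest window
        if age <= daily_days:
            keep.add(snap)
        if age <= weekly_days:
            iso_year, iso_week, _ = snap.isocalendar()
            newest_in_week[(iso_year, iso_week)] = snap
        newest_in_month[(snap.year, snap.month)] = snap
    keep.update(newest_in_week.values())
    keep.update(newest_in_month.values())
    return keep


def snapshots_to_prune(snapshots: Iterable[date], today: date) -> List[date]:
    """Complement of snapshots_to_keep, sorted oldest first (the order a pruning job would delete in)."""
    snaps = set(snapshots)
    return sorted(snaps - snapshots_to_keep(snaps, today))


def daily_snapshots(today: date, days: int) -> List[date]:
    """Constructed sample: one snapshot per day for the last `days` days, including today."""
    return [today - timedelta(days=i) for i in range(days)]


if __name__ == "__main__":
    reference = date(2026, 4, 15)           # constructed reference date
    series = daily_snapshots(reference, 3000)
    kept = snapshots_to_keep(series, reference)
    print(f"{len(series)} snapshots, keep {len(kept)}, prune {len(series) - len(kept)}")
```

Because the newest snapshot in a bucket is the one retained, a snapshot just outside the 30-day window survives only if it fell on the last day of its ISO week, and one older than a year survives only if it was the last snapshot of its month; that is the behaviour to confirm before pointing a pruning job at real storage.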
7. Incident Response Integration
Your tax data backup plan must integrate with your broader cybersecurity incident response plan:
- Define recovery time objectives (RTO) and recovery point objectives (RPO) for different scenarios
- Document step-by-step restore procedures for common incidents (ransomware, hardware failure, accidental deletion)
- Identify backup administrators and alternates with 24/7 contact information
- Establish decision criteria for when to restore from backup versus attempting data recovery
- Create communication templates for notifying clients, the IRS, and state regulators if taxpayer data is lost
Tax Software-Specific Backup Requirements
One of the most critical—and commonly overlooked—aspects of tax data backup is understanding where your tax preparation software actually stores client data. Many tax professionals assume that backing up their Documents folder or desktop provides adequate protection, when in reality, most professional tax software stores live databases in custom program directories that standard file backups completely miss.
Understanding Tax Software Data Storage Locations
Professional tax software platforms rarely store working data in user-accessible locations like Documents or Desktop folders. Instead, they maintain proprietary database files in protected system directories that require specific backup procedures:
- Intuit ProSeries and Lacerte: Store client data in C:\Users\Public\Documents\Intuit\ProSeries [Year] or C:\ProgramData\Intuit\Lacerte\[Year]. These locations are outside standard user backup paths and require explicit inclusion in backup policies. ProSeries uses .DBF database files while Lacerte uses .LDF files that must be backed up together to maintain data integrity.
- Drake Tax Software: Maintains client data in the C:\Drake[Year]\Data directory by default, though custom installations may vary. Drake uses indexed database files that require consistent backup of the entire Data directory—partial backups can result in corrupted client files during restoration.
- Thomson Reuters UltraTax CS: Stores data in SQL Server databases or local file-based storage at C:\CSA\Practice CS\[Year]. For SQL Server implementations, database-level backups are required, not just file-level backups of the installation directory.
- CCH Axcess Tax: As a cloud-based platform, client data resides on CCH servers. However, firms should still back up locally downloaded returns, imported source documents, and any custom templates or settings stored in C:\Program Files\CCH\Axcess.
- Intuit QuickBooks (for tax practices handling bookkeeping): Company files (.QBW) are typically stored in C:\Users\Public\Documents\Intuit\QuickBooks\Company Files, but multi-user configurations may store files on network shares. QuickBooks requires closing all connections before backup to prevent file corruption.
Verifying Your Backups Capture Tax Software Data
To confirm your backup strategy actually protects tax software databases:
- Identify exact data locations: Consult your tax software's documentation or contact support to confirm the precise directory paths where client data is stored for your specific configuration
- Explicitly include in backup jobs: Configure your backup software to include these specific directories by path, not just user folders. Create separate backup jobs for tax software data if necessary
- Test restoration on a separate workstation: Quarterly, restore a complete client file to a different computer and verify you can open it in your tax software without errors or missing data
- Verify database file integrity: After backup completion, use your tax software's built-in database verification tools (most platforms include utilities to check file integrity) on the backup copy
- Document software-specific procedures: Include in your written backup plan the exact directories backed up for each tax software platform, along with any pre-backup procedures required (closing databases, stopping services, etc.)
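The first two steps above (know the exact data paths, then confirm the backup job includes them by path) can be checked against a backup job's include list before any restore test is run. The following is an added example, not the article's code or any vendor's tool: the data locations are the ones named in this article, while the include-path format, the [Year] expansion and the report layout are assumptions made for the illustration. Paths are compared with Python's PureWindowsPath, which compares case-insensitively the way Windows does, so a job that lists c:\users\public\documents\intuit still counts as covering the ProSeries folder.

```python
"""Check that a backup job's include paths cover the tax-software data directories.

Added example; the include-path list and report format are assumptions. The data
locations are those named in the article, with [Year] expanded per tax year.
"""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Data locations named in the article; [Year] is a placeholder for each tax-year install
TAX_SOFTWARE_DATA_DIRS = {
    "ProSeries": r"C:\Users\Public\Documents\Intuit\ProSeries [Year]",
    "Lacerte": r"C:\ProgramData\Intuit\Lacerte\[Year]",
    "Drake": r"C:\Drake[Year]\Data",
    "UltraTax CS (file-based)": r"C:\CSA\Practice CS\[Year]",
    "CCH Axcess (local settings)": r"C:\Program Files\CCH\Axcess",
    "QuickBooks": r"C:\Users\Public\Documents\Intuit\QuickBooks\Company Files",
}


def expand_years(template: str, years: Iterable[int]) -> List[str]:
    """Replace the [Year] placeholder with each tax year; templates without it are returned once."""
    if "[Year]" not in template:
        return [template]
    return [template.replace("[Year]", str(y)) for y in years]


def is_covered(target: str, include_paths: Iterable[str]) -> bool:
    """True if target equals or lies beneath one of the include paths (case-insensitive, like NTFS)."""
    t = PureWindowsPath(target)
    for inc in include_paths:
        i = PureWindowsPath(inc)
        if t == i or i in t.parents:
            return True
    return False


def coverage_report(include_paths: Iterable[str], years: Iterable[int]) -> Dict[str, List[str]]:
    """Per product, list the required directories NOT covered by the job (empty list = fully covered)."""
    include_paths = list(include_paths)
    years = list(years)
    return {
        product: [d for d in expand_years(template, years) if not is_covered(d, include_paths)]
        for product, template in TAX_SOFTWARE_DATA_DIRS.items()
    }


# Constructed sample: the "Documents and Desktop" job many practices start with,
# plus the public Intuit folder written with different letter case than the product stores it
SAMPLE_INCLUDE_PATHS = [
    r"C:\Users\jsmith\Documents",
    r"C:\Users\jsmith\Desktop",
    r"c:\users\public\documents\intuit",
]

if __name__ == "__main__":
    for product, missing in coverage_report(SAMPLE_INCLUDE_PATHS, years=(2024, 2025)).items():
        status = "OK" if not missing else "MISSING: " + "; ".join(missing)
        print(f"{product:28s} {status}")
```

With the sample job, ProSeries and QuickBooks are covered through the public Intuit folder, while Drake, Lacerte, UltraTax CS and the local CCH Axcess settings are not; those are the paths to add to the job (or to give their own job, as the second step above suggests) before the quarterly restore test.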
Cloud-Based Tax Software Backup Considerations
Cloud-based platforms like Intuit ProConnect Tax, TaxDome, and CCH Axcess shift primary data storage responsibility to the vendor, but tax professionals still have backup obligations:
- Export client data regularly: Most cloud platforms offer data export features—schedule monthly exports of all client files to local storage and include in your backup routine
- Verify vendor backup policies: Review your software provider's SLA to understand their backup frequency, retention periods, and restore procedures. Vendor backups protect against their system failures but may not protect you if your account is compromised
- Maintain offline copies of completed returns: Download and archive PDF copies of all completed returns to local storage included in your backup plan—this ensures access even if vendor services are unavailable during tax season
- Back up supporting documentation: Source documents, client communications, and engagement letters uploaded to cloud platforms should be redundantly stored in your local backup system
The importance of understanding these software-specific storage locations cannot be overstated. According to data from cybersecurity incident response engagements, approximately 40% of tax practices that experience ransomware attacks discover their backups were incomplete because they failed to capture the actual tax software database files—resulting in permanent client data loss despite having "backups" running.
Cloud Backup Solutions for Tax Professionals
Cloud-based backups can absolutely satisfy IRS compliance requirements when properly configured. However, not all cloud backup services meet the specific security and encryption standards required for taxpayer data protection.
Requirements for IRS-Compliant Cloud Backups
When evaluating cloud backup providers for tax practice use, verify they meet these requirements:
- Encryption standards: AES-256 encryption at rest and TLS 1.3 in transit with FIPS 140-2 validated cryptographic modules
- Data sovereignty: Ability to specify geographic storage location and confirm taxpayer data remains within US jurisdiction
- Access controls: Support for multi-factor authentication, role-based access control, and IP address restrictions
- Immutability options: Object lock or immutable backup features that prevent deletion or modification for defined retention periods
- Audit logging: Comprehensive logs of all backup, restore, and administrative operations with tamper-evident storage
- Recovery capabilities: Granular file-level restore, full system restore, and point-in-time recovery options
- Business associate agreement: For practices also handling HIPAA data, cloud providers must sign a BAA acknowledging their role as a business associate
- SOC 2 Type II certification: Independent audit verification of security controls and operational effectiveness
Hybrid Backup Strategies
Most tax practices benefit from a hybrid approach combining local and cloud backups:
- Local NAS for fast recovery: Network-attached storage in your office provides rapid restore for common scenarios like accidental file deletion or single workstation failures—restore times measured in minutes rather than hours
- Cloud for disaster recovery: Cloud backups protect against office-wide disasters like fire, flood, theft, or ransomware that compromises all on-premises systems
- Automated replication: Configure local backups to automatically replicate to cloud storage, maintaining the 3-2-1-1-0 rule without manual intervention
- Cost optimization: Store recent backups (30-90 days) in hot storage for fast access, automatically tier older backups to cold storage for long-term retention at lower cost
Cloud backup costs for tax practices typically range from $30-150 per month depending on data volume. A practice with 500GB of client data might pay $40-60 monthly for enterprise-grade cloud backup with immutability features—a minimal investment compared to the cost of permanent data loss.
Need Cloud Backup Compliance Guidance?
Our cybersecurity team helps tax professionals select and configure IRS-compliant cloud backup solutions that meet Security Six requirements.
Backup Plan Documentation Requirements
The IRS and FTC require written documentation of your tax data backup plan. During Security Summit inspections or FTC investigations, regulators will request your backup policy documentation.
Your written plan should include:
- Purpose and scope: Statement that the plan protects taxpayer data in compliance with IRS Publication 4557 and FTC Safeguards Rule, listing all systems and data types covered
- Backup schedule: Specific frequency for different backup types (daily incremental, weekly full, monthly archival) with exact timing to minimize impact on business operations
- Technology and methods: Detailed description of backup software, storage hardware, cloud services, and encryption methods used
- Storage locations: Physical and logical locations of all backup copies including geographic regions for cloud storage
- Retention periods: How long different backup types are retained, aligned with IRS recordkeeping requirements
- Access controls: Who has access to backup systems, authentication requirements, and authorization procedures
- Testing procedures: Frequency and methodology for restore testing, documentation requirements, and acceptance criteria
- Roles and responsibilities: Named individuals responsible for backup administration, monitoring, testing, and incident response
- Recovery procedures: Step-by-step instructions for restoring data in various scenarios with decision trees and contact information
- Review and update schedule: Requirement to review plan annually and after any significant IT infrastructure changes
This documentation serves multiple purposes: it demonstrates compliance to regulators, provides operational guidance to staff, and ensures business continuity when key personnel are unavailable.
For firms needing assistance with WISP development, our free WISP template includes a complete backup policy section.
Cost Considerations for Tax Practice Backups
Implementing a compliant tax data backup plan requires investment, but costs are scalable based on practice size and complexity:
Solo Practitioner (Under 100 Returns)
- Cloud backup service: $30-50/month
- Local NAS device: $300-500 one-time
- Annual total: $660-1,100 (first year including hardware)
Small Firm (100-500 Returns)
- Cloud backup service: $75-150/month
- Business-class NAS: $800-1,500 one-time
- Backup software licensing: $200-400/year
- Annual total: $1,900-3,700 (first year including hardware)
Mid-Size Firm (500-2,000 Returns)
- Enterprise cloud backup: $200-400/month
- Redundant NAS devices: $2,000-4,000 one-time
- Backup software licensing: $500-1,000/year
- Quarterly testing and documentation: $1,000-2,000/year
- Annual total: $6,900-10,800 (first year including hardware)
Large Firm (2,000+ Returns)
- Managed backup service: $500-1,500/month
- Enterprise storage infrastructure: $5,000-15,000 one-time
- Backup software licensing: $1,500-3,000/year
- Dedicated backup administrator time: $10,000-20,000/year
- Compliance auditing and testing: $3,000-5,000/year
- Annual total: $25,500-47,000 (first year including hardware)
These costs represent a fraction of the potential losses from a data breach. The IBM Cost of Data Breach Report 2025 found that the average cost of a ransomware attack is $5.13 million, with tax and financial services firms experiencing above-average costs due to regulatory penalties and client notification requirements.
For tax practices without in-house IT expertise, managed backup services eliminate the complexity of implementation and ongoing management while ensuring IRS compliance. Bellator Cyber Guard's managed backup solutions for tax professionals include automated daily backups, immutable cloud storage, quarterly restore testing, and complete documentation for IRS inspections—starting at $150/month for solo practitioners.
The Bottom Line on Tax Data Backups
A compliant tax data backup plan is not optional—it's a mandatory IRS requirement with severe penalties for non-compliance. The 2026 filing season demands that all PTIN holders implement automated, encrypted, tested backup systems that follow the 3-2-1-1-0 rule. With ransomware attacks targeting 96% of backup systems, immutable backups are your only reliable defense against permanent data loss.
Get Your Tax Practice Backup-Ready for 2026
Our cybersecurity experts specialize in IRS-compliant backup solutions for tax professionals. We'll assess your current backup posture, identify gaps, and implement a complete backup plan that meets Security Six requirements.
Frequently Asked Questions About Tax Data Backup Plans
A tax data backup plan is a documented system for creating, storing, and testing copies of all taxpayer data your practice handles. It's a mandatory requirement under IRS Publication 4557 and the FTC Safeguards Rule for all tax professionals with a PTIN. The plan must include automated backup schedules, encryption standards, offsite storage, regular testing procedures, and written documentation of all policies and procedures.
The IRS requires daily incremental backups for active client data and weekly full system backups at minimum. During tax season (January-April), many practices implement twice-daily backups due to the volume of changes. Critical databases should use real-time replication with recovery point objectives under one hour. All backup schedules must be automated and documented in your written backup plan.
The 3-2-1-1-0 rule requires: 3 total copies of data (1 primary + 2 backups), 2 different storage media types (local NAS + cloud), 1 copy stored offsite, 1 copy that is offline or immutable (air-gapped or object-locked), and 0 errors during restore testing. This framework ensures tax practices can recover from ransomware attacks, hardware failures, and regional disasters while meeting IRS compliance requirements.
Yes, cloud backups can fully satisfy IRS compliance requirements when properly configured. The cloud backup service must provide AES-256 encryption at rest and TLS 1.3 in transit, support multi-factor authentication for administrative access, offer immutable backup options (object lock), maintain audit logs, store data within US jurisdiction, and provide SOC 2 Type II certification. You must also document your cloud backup procedures and conduct quarterly restore tests.
Immutable backups use object lock technology to create backup copies that cannot be modified, encrypted, or deleted for a specified retention period—even by administrators with full system access. Tax practices need immutable backups because ransomware operators now target backup systems in 96% of attacks. When attackers compromise both production systems and traditional backups, businesses must pay ransom or lose data permanently. Immutable backups provide an unbreakable recovery point that ransomware cannot destroy.
Professional tax software stores client data in specific system directories, not in standard user folders. ProSeries and Lacerte use C:\Users\Public\Documents\Intuit or C:\ProgramData\Intuit directories. Drake stores data in C:\Drake[Year]\Data. UltraTax CS uses SQL Server databases or C:\CSA\Practice CS directories. Approximately 40% of tax practices that experience data loss discover their backups were incomplete because they failed to capture these software-specific database locations. You must explicitly configure your backup software to include these directories by path.
The FTC Safeguards Rule requires documented quarterly restore testing. Tax practices should conduct monthly file-level tests (restore random client files and verify they open correctly in tax software), quarterly full system restore tests (completely restore a test workstation from backup), and annual disaster recovery exercises (simulate complete office loss with all staff). Document every test with dates, systems tested, data restored, time required, issues encountered, and personnel involved. Untested backups cannot be relied upon during actual incidents.
Tax preparers without compliant backup plans face IRS investigations, PTIN suspension, and FTC Safeguards Rule penalties up to $100,000 per violation. In 2025, the FTC issued consent orders requiring several tax preparation firms to implement third-party security audits after backup failures resulted in permanent client data loss. Beyond regulatory penalties, practices face malpractice liability, permanent loss of client relationships, and potential business closure if ransomware destroys irreplaceable client data.
Align backup retention with IRS recordkeeping requirements: retain backups for current and prior three tax years at minimum (covers most IRS audit periods), use seven-year retention for returns with substantial understatement of income or businesses with employees, and consider permanent retention of original client returns as a value-added service. Implement graduated retention policies like daily backups for 30 days, weekly for 12 months, and monthly for 7 years to balance storage costs and compliance obligations.
Your written tax data backup plan must include: purpose and scope statement citing IRS Publication 4557 and FTC Safeguards Rule compliance, complete data inventory of all systems containing taxpayer information, automated backup schedules with specific frequencies and timing, encryption methods (AES-256 at rest, TLS 1.3 in transit), storage locations including geographic regions, retention periods aligned with IRS requirements, access control policies with MFA requirements, quarterly testing procedures with documentation requirements, named responsible personnel with 24/7 contact information, step-by-step recovery procedures, and annual review schedule. This documentation must be available for IRS Security Summit inspections.