Tax Data Backup Plan: Protecting Client Records

Create an IRS-compliant tax data backup plan meeting Security Six requirements. Automated backups, immutable storage, testing procedures for tax preparers.


Implementing a compliant tax data backup plan is a mandatory requirement for tax professionals handling sensitive client data in 2026. The IRS requires thorough backup strategies through IRS Publication 4557, making data backups the fourth essential component of the Security Six framework.

According to IRS Publication 4557, tax preparers must maintain consistent backups of all systems containing nonpublic personal information (NPPI) and implement documented contingency plans for data recovery. Non-compliance can result in IRS investigations, regulatory penalties up to $100,000 per violation under the FTC Safeguards Rule, PTIN suspension, and irreparable damage to professional credentials.

For tax practices managing hundreds or thousands of client tax returns containing Social Security numbers, bank account details, and financial records, a robust tax data backup plan is the difference between recovering from a ransomware attack in hours versus losing your entire practice.

The Data Backup Crisis By The Numbers

$6.08M
Avg. Financial Sector Breach Cost
IBM Cost of a Data Breach Report 2024

149%
Increase in Tax Firm Attacks
FBI Internet Crime Report 2025

96%
Backup Repositories Targeted During Attacks
Veeam 2024 Ransomware Trends Report

76%
Of Targeted Backup Repositories Successfully Compromised
Veeam 2024 Ransomware Trends Report

2026 Filing Season Compliance Deadline

The FTC Safeguards Rule requires every paid preparer to maintain a Written Information Security Plan (WISP), and the IRS asks PTIN holders to confirm their data security responsibilities at each renewal. Your WISP, with documented backup procedures, should be current before the 2026 filing season opens; the obligation is continuous, not a one-time filing. Firms without a compliant plan face potential PTIN suspension and FTC enforcement action.

The Evolving Threat Landscape for Tax Professionals

The threat landscape facing tax professionals has evolved dramatically over the past two years. According to FBI Internet Crime Complaint Center data, ransomware attacks cost businesses over $34.3 billion in 2025, with tax professionals experiencing a 149% increase in targeted attacks compared to 2024.

The Veeam 2024 Ransomware Trends Report found that attackers went after backup repositories in 96% of the incidents surveyed and succeeded in affecting them in 76% of those cases. This shift in attacker tactics makes a proper tax data backup plan not just a compliance checkbox but an essential business survival strategy.

Ransomware operators specifically target backup systems because they know businesses with intact, isolated backups can recover without paying ransom. When backups are compromised alongside production systems, victims face an impossible choice: pay the ransom or lose years of client data permanently.

Why Tax Professionals Are Prime Targets

Tax preparers manage an extraordinarily valuable dataset that makes them attractive targets for cybercriminals:

  • Complete identity theft packages: Tax returns contain full names, Social Security numbers, dates of birth, addresses, employment information, and bank account details—everything needed for identity theft or fraudulent tax returns
  • Seasonal vulnerability windows: During January through April, tax practices operate under extreme time pressure with temporary staff, creating security gaps that attackers exploit
  • Small firm security posture: 73% of tax preparers operate as solo practitioners or firms with fewer than 10 employees, often lacking dedicated IT security resources
  • High-value intellectual property: Client lists, tax planning strategies, and financial advisory relationships represent significant competitive intelligence
  • Regulatory pressure to pay: The threat of IRS penalties, PTIN suspension, and malpractice liability creates pressure to pay ransoms quickly to resume operations

The IBM Cost of a Data Breach Report 2024 found that breaches in the financial sector cost an average of $6.08 million per incident, roughly 25% above the global average of $4.88 million. Tax preparers are financial institutions under GLBA and hold the same class of data, even though most are far smaller than the organizations in IBM's sample.

IRS Security Six Mandate

Understanding IRS Security Six Backup Requirements

The IRS Security Six framework represents the minimum baseline of cybersecurity controls required for tax professionals with a PTIN (Preparer Tax Identification Number). Data backups constitute the fourth pillar of this framework, alongside two-factor authentication, antivirus protection, firewalls, drive encryption, and virtual private networks.

The mandate applies universally—there are no exemptions for solo practitioners or small firms. If you prepare tax returns professionally and hold a PTIN, you must implement and document a compliant tax data backup plan.

IRS Publication 4557 Backup Requirements

IRS Publication 4557, "Safeguarding Taxpayer Data," directs preparers to back up critical files routinely to external media or cloud storage and to encrypt those backups. It does not prescribe algorithms, schedules, or test intervals, so your WISP has to spell them out. The following controls turn the publication's guidance into a defensible, auditable standard:

  • Complete coverage: Back up all systems, applications, and data repositories that store, process, or transmit taxpayer information, including tax software, document management systems, email servers, and client portals
  • Consistent scheduling: Implement automated backup procedures that run on a defined schedule without requiring manual intervention; daily backups for active client data, weekly for archived records
  • Isolated storage: Maintain at least one backup copy that is air-gapped or immutable, so ransomware cannot encrypt production systems and backups in the same operation
  • Encryption requirements: Encrypt all backup data in transit and at rest using AES-256 from FIPS 140-2 or 140-3 validated cryptographic modules, with the backup encryption keys held separately from the backup system's administrator credentials
  • Access controls: Restrict backup system access to authorized personnel only, implementing role-based access control (RBAC) and multi-factor authentication for administrative functions
  • Regular testing: Conduct documented restore tests at least quarterly to validate backup integrity and to measure actual recovery time against your recovery time objective (RTO) and recovery point objective (RPO)
  • Written documentation: Maintain current written procedures detailing backup frequency, retention periods, storage locations, encryption methods, responsible parties, and testing schedules

These controls map to CISA's Cyber Essentials guidance and to the NIST Cybersecurity Framework 2.0, specifically PR.DS-11 (backups of data are created, protected, maintained, and tested) and RC.RP-01 (execution of the recovery plan).

Implementing the 3-2-1-1-0 Tax Data Backup Rule

  1. 3 backup copies: Maintain three copies of all client data: the original plus two backups stored on different media types.
  2. 2 different media types: Store backups on two different storage technologies (e.g., local NAS and cloud storage) to avoid single points of failure.
  3. 1 offsite copy: Keep at least one backup copy in a geographically separate location from your primary office.
  4. 1 immutable copy: Maintain one backup with object lock or immutability features that cannot be deleted or encrypted by ransomware.
  5. 0 restore errors: Test backups quarterly to ensure zero errors during restoration; untested backups are not backups.
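The "0 restore errors" step, and the quarterly restore tests described above, only mean something if the restored data is checked against a record of what was backed up. The script below is an added example written for this article, not code from any backup product: it builds a SHA-256 manifest of the data set at backup time, tags the manifest with an HMAC (the key is assumed to live off the backup server, for instance in the WISP owner's password manager) so an attacker who alters a backup cannot quietly rewrite the manifest to match, and then verifies a restored copy file by file. The directory names and file contents in the demo are constructed.

```python
"""Added example: manifest-based restore verification for the 3-2-1-1-0 "0 errors" check.

Illustrative code for this article, not part of any backup product. Paths and
sample contents below are constructed for the demo.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

Manifest = dict[str, tuple[str, int]]   # relative path -> (sha256 hex digest, size in bytes)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Manifest:
    """Record every file under root. Run this against the live data directory at backup time."""
    return {
        p.relative_to(root).as_posix(): (sha256_file(p), p.stat().st_size)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_tag(manifest: Manifest, key: bytes) -> str:
    """HMAC over the canonical JSON form; `key` is assumed to be kept off the backup server."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_restore(manifest: Manifest, restored_root: Path) -> list[str]:
    """Return one line per defect. An empty list is the '0' in 3-2-1-1-0; file it with the quarterly test record."""
    errors = []
    for rel, (digest, size) in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            errors.append(f"missing: {rel}")
        elif p.stat().st_size != size:
            errors.append(f"size mismatch: {rel}")
        elif sha256_file(p) != digest:          # same size, different bytes: silent corruption
            errors.append(f"hash mismatch: {rel}")
    restored = {p.relative_to(restored_root).as_posix() for p in restored_root.rglob("*") if p.is_file()}
    errors.extend(f"unexpected file: {rel}" for rel in sorted(restored - set(manifest)))
    return errors


def demo() -> tuple[int, int]:
    """Constructed scenario: one clean restore, one with a corrupted record and a missing index file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "TaxData2025" / "Data"            # placeholder path, not a vendor default
        src.mkdir(parents=True)
        (src / "client_1.dat").write_bytes(b"ssn=xxx-xx-1234;agi=52000")   # constructed sample records
        (src / "client_2.dat").write_bytes(b"ssn=xxx-xx-5678;agi=91000")
        (src / "index.idx").write_bytes(b"\x00\x01\x02")
        manifest = build_manifest(src)

        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "client_1.dat").write_bytes(b"ssn=xxx-xx-1234;agi=52001")   # same size, one byte changed
        (bad / "index.idx").unlink()

        return len(verify_restore(manifest, good)), len(verify_restore(manifest, bad))


if __name__ == "__main__":
    print("restore errors (good, bad):", demo())   # (0, 2)
```

Store the manifest and its HMAC tag alongside each backup set, and treat a tag mismatch exactly like a failed restore: a backup whose inventory has been altered cannot be trusted to be complete.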

How Immutable Backups Protect Against Ransomware

Immutable backups have become the standard ransomware control for tax practices. Object lock, available in enterprise backup software and in cloud object storage, writes backup copies that cannot be modified or deleted for a specified retention period. In compliance mode that holds even for administrators and the cloud account owner; in governance mode a principal granted the bypass permission can still shorten or remove the lock, so governance mode is a convenience, not a guarantee.

When ransomware operators compromise a tax practice's network, they typically spend days or weeks in reconnaissance, identifying backup systems and deleting or encrypting them before deploying the encryption payload. Traditional backup systems that allow deletions or overwrites provide no protection in this scenario, because attackers can destroy the backups before revealing their presence.

Object lock gives attackers nothing to destroy within the retention window: even if they obtain administrator credentials to your backup system, they cannot delete or encrypt locked backup objects until the retention period expires. Two limits remain. An attacker who controls the backup server can stop new locked copies from being written, so alert on missed or failed backup jobs. And immutability does nothing against data theft and extortion, which is why the locked copies must also be encrypted.

Implementing Object Lock for Tax Data

For tax professionals implementing immutable backups:

  • Retention periods: Match object lock retention to IRS recordkeeping requirements, which under IRS Publication 583 run from 3 years for most returns to 7 years for worthless-securities and bad-debt claims; the preparer's own duty to keep a copy of each return under IRC §6107(b) is 3 years. Locking every nightly copy for 7 years is expensive, so a common pattern is a short lock (30 to 90 days) on nightly backups and a long lock on monthly and year-end copies
  • Compliance vs. governance mode: Use compliance mode for the strongest protection (not even the AWS account root user can delete a locked version before its retention date); governance mode lets anyone granted s3:BypassGovernanceRetention lift the lock, so reserve it for test buckets or pair it with strict IAM policies
  • Write-only credentials: Give the backup job credentials that can write objects but cannot delete versions or change bucket configuration; an immutable bucket is only as strong as the identities that can reach it
  • Cost considerations: Immutable storage typically costs $20-50 per TB per month for tax practices, a small premium over standard cloud storage that buys vital ransomware protection
  • Restore testing: Verify you can restore from immutable copies quarterly; object lock prevents deletion but does not guarantee data integrity without testing
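To make the compliance/governance distinction concrete, here is an added Python example written for this article (not Amazon's or any backup vendor's code) that locks backup objects with S3 Object Lock and then checks whether an attacker holding full credentials could delete them. The boto3 S3 client methods used (put_object_lock_configuration, put_object with ObjectLockMode, get_object_retention, delete_object with BypassGovernanceRetention) are real; the InMemoryS3 class is a constructed stand-in that models only the retention rules so the demo runs offline. The bucket name, the 7-year retention and the sample bytes are assumptions.

```python
"""Added example: S3 Object Lock in COMPLIANCE vs GOVERNANCE mode, and a check that the lock
would actually stop a privileged attacker. Illustrative code for this article, not AWS code."""
from datetime import datetime, timezone

RETENTION_YEARS = 7   # assumption: the longest retention period discussed above


def retain_until(now: datetime, years: int = RETENTION_YEARS) -> datetime:
    """RetainUntilDate for a backup written at `now`; `now` must be timezone-aware."""
    if now.tzinfo is None:
        raise ValueError("use an aware datetime, e.g. datetime.now(timezone.utc)")
    try:
        return now.replace(year=now.year + years)
    except ValueError:                      # 29 February, and the target year has no leap day
        return now.replace(year=now.year + years, day=28)


def enable_default_lock(s3, bucket: str, years: int = RETENTION_YEARS) -> None:
    """Bucket-wide default, so a backup job that forgets the lock flags still writes locked versions."""
    s3.put_object_lock_configuration(
        Bucket=bucket,
        ObjectLockConfiguration={
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": years}},
        },
    )


def put_locked_backup(s3, bucket: str, key: str, body: bytes, now: datetime,
                      mode: str = "COMPLIANCE") -> datetime:
    """Write one backup object with an explicit per-object lock; returns its retain-until date."""
    until = retain_until(now)
    s3.put_object(Bucket=bucket, Key=key, Body=body,
                  ObjectLockMode=mode, ObjectLockRetainUntilDate=until)
    return until


def is_protected(s3, bucket: str, key: str, now: datetime) -> bool:
    """True only for COMPLIANCE mode with a future date. GOVERNANCE can be lifted by any
    principal holding s3:BypassGovernanceRetention, so it is not treated as immutable here."""
    r = s3.get_object_retention(Bucket=bucket, Key=key)["Retention"]
    return r["Mode"] == "COMPLIANCE" and r["RetainUntilDate"] > now


class InMemoryS3:
    """Constructed stand-in (not AWS code) modelling only the retention behaviour used below.
    delete_object here models a permanent delete of a specific version; on real S3 that is a
    delete_object call with VersionId (a delete without VersionId only adds a delete marker)."""

    def __init__(self, now: datetime):
        self.now, self.objects, self.default = now, {}, None

    def put_object_lock_configuration(self, Bucket, ObjectLockConfiguration):
        self.default = ObjectLockConfiguration["Rule"]["DefaultRetention"]

    def put_object(self, Bucket, Key, Body, ObjectLockMode=None, ObjectLockRetainUntilDate=None, **_):
        if ObjectLockMode is None and self.default:           # bucket default retention applies
            ObjectLockMode = self.default["Mode"]
            ObjectLockRetainUntilDate = retain_until(self.now, self.default["Years"])
        self.objects[(Bucket, Key)] = {"Body": Body, "Mode": ObjectLockMode,
                                       "RetainUntilDate": ObjectLockRetainUntilDate}

    def get_object_retention(self, Bucket, Key):
        o = self.objects[(Bucket, Key)]
        return {"Retention": {"Mode": o["Mode"], "RetainUntilDate": o["RetainUntilDate"]}}

    def delete_object(self, Bucket, Key, BypassGovernanceRetention=False, **_):
        o = self.objects[(Bucket, Key)]
        under_retention = o["Mode"] is not None and o["RetainUntilDate"] > self.now
        if under_retention and (o["Mode"] == "COMPLIANCE" or not BypassGovernanceRetention):
            raise PermissionError("AccessDenied: object version is under retention")
        del self.objects[(Bucket, Key)]


def demo() -> dict:
    """An attacker with full backup-account credentials tries to delete each copy.
    Returns {mode: deleted?} for both lock modes, plus whether the bucket default caught an unlocked write."""
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)
    s3 = InMemoryS3(now)                    # swap in boto3.client("s3") to run against a real bucket
    bucket = "example-tax-backups"          # placeholder name
    results = {}
    for mode in ("GOVERNANCE", "COMPLIANCE"):
        key = f"nightly/{mode.lower()}.bak"
        put_locked_backup(s3, bucket, key, b"constructed backup bytes", now, mode)
        try:
            s3.delete_object(Bucket=bucket, Key=key, BypassGovernanceRetention=True)
            results[mode] = True            # the supposedly immutable copy is gone
        except PermissionError:
            results[mode] = False
    enable_default_lock(s3, bucket)
    s3.put_object(Bucket=bucket, Key="nightly/default.bak", Body=b"x")   # job forgot the lock flags
    results["DEFAULT_CAUGHT"] = is_protected(s3, bucket, "nightly/default.bak", now)
    return results


if __name__ == "__main__":
    print(demo())   # {'GOVERNANCE': True, 'COMPLIANCE': False, 'DEFAULT_CAUGHT': True}
```

Against real S3 the bucket must be versioned with Object Lock enabled before any of these calls work, and the backup job's IAM identity should be allowed s3:PutObject but denied s3:DeleteObjectVersion, s3:BypassGovernanceRetention and s3:PutBucketObjectLockConfiguration, so that stolen job credentials cannot undo what the lock provides.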

Tax Software-Specific Backup Requirements

One of the most vital—and commonly overlooked—aspects of tax data backup is understanding where your tax preparation software actually stores client data. Many tax professionals assume that backing up their Documents folder or desktop provides adequate protection, when in reality, most professional tax software stores live databases in custom program directories that standard file backups completely miss.

Understanding Tax Software Data Storage Locations

Professional tax software platforms rarely store working data in user-accessible locations like Documents or Desktop folders. Instead, they keep proprietary database files in program or system directories (C:\ProgramData is hidden by default) that must be explicitly included in the backup set. The default locations below vary by product version and by how the software was installed, so confirm each one in the application's own data-path settings rather than relying on this list:

  • Intuit ProSeries and Lacerte: Store client data in C:\Users\Public\Documents\Intuit\ProSeries [Year] or C:\ProgramData\Intuit\Lacerte\[Year]. These locations are outside standard user backup paths and require explicit inclusion in backup policies.
  • Drake Tax Software: Maintains client data in the C:\Drake[Year]\Data directory by default, though custom installations may vary. Drake uses indexed database files that require consistent backup of the entire Data directory.
  • Thomson Reuters UltraTax CS: Stores data in SQL Server databases or local file-based storage at C:\CSA\Practice CS\[Year]. For SQL Server implementations, database-level backups are required.
  • CCH Axcess Tax: As a cloud-based platform, client data resides on CCH servers. However, firms should still back up locally downloaded returns and custom templates.
  • Intuit QuickBooks: Company files (.QBW) are typically stored in C:\Users\Public\Documents\Intuit\QuickBooks\Company Files, but multi-user configurations may store files on network shares.

Because these are live database files, a plain file copy taken while the application is open can capture an inconsistent state that the software later refuses to open. Use the vendor's built-in backup or export function, or have the backup agent take a Volume Shadow Copy (VSS) snapshot, and confirm the result by opening the restored database in the tax software during each restore test.
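The gap described above is easy to audit mechanically: compare the directories the tax software writes to against the backup job's include list. The script below is an added example written for this article, not code from any vendor or backup product. REQUIRED_DIRS reuses the default locations listed above with 2025 substituted for [Year]; treat those as assumptions and confirm each one in the product's own settings before relying on the check. The include list in the demo is constructed.

```python
"""Added example: audit whether a backup job's include list covers the directories tax software writes to.
Illustrative code for this article; the directory list is an assumption, not vendor documentation."""
from pathlib import PureWindowsPath

YEAR = "2025"
REQUIRED_DIRS = [                                   # assumed defaults; verify in each product's settings
    rf"C:\Users\Public\Documents\Intuit\ProSeries {YEAR}",
    rf"C:\ProgramData\Intuit\Lacerte\{YEAR}",
    rf"C:\Drake{YEAR}\Data",
    rf"C:\CSA\Practice CS\{YEAR}",
    r"C:\Users\Public\Documents\Intuit\QuickBooks\Company Files",
]


def _parts(path: str) -> list[str]:
    """Case-folded path components; Windows paths compare case-insensitively.
    UNC paths such as \\\\server\\share\\QB (multi-user QuickBooks) split the same way."""
    return [p.casefold() for p in PureWindowsPath(path).parts]


def is_covered(path: str, includes: list[str]) -> bool:
    """A directory is covered if some include entry is that directory or one of its ancestors.
    Component-wise comparison avoids false matches like C:\\Drake2025\\Dat covering C:\\Drake2025\\Data."""
    target = _parts(path)
    return any(target[: len(inc)] == inc for inc in map(_parts, includes))


def uncovered(required: list[str], includes: list[str]) -> list[str]:
    """Directories that the backup policy would silently skip."""
    return [d for d in required if not is_covered(d, includes)]


def demo() -> list[str]:
    """Constructed policy that only protects the preparer's own profile folders: nothing is covered."""
    includes = [r"C:\Users\jane\Documents", r"C:\Users\jane\Desktop\Tax Season"]
    return uncovered(REQUIRED_DIRS, includes)


if __name__ == "__main__":
    for d in demo():
        print("NOT BACKED UP:", d)
```

Run it with the include list exported from your backup software; any line it prints is a client database that would be lost in a ransomware event despite the "backups running" indicator being green.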

Cloud-Based Tax Software Backup Considerations

Cloud-based platforms like Intuit ProConnect Tax, TaxDome, and CCH Axcess shift primary data storage responsibility to the vendor, but tax professionals still have backup obligations:

  • Export client data regularly: Most cloud platforms offer data export features—schedule monthly exports of all client files to local storage and include in your backup routine
  • Verify vendor backup policies: Review your software provider's SLA to understand their backup frequency, retention periods, and restore procedures
  • Maintain offline copies of completed returns: Download and archive PDF copies of all completed returns to local storage included in your backup plan
  • Back up supporting documentation: Source documents, client communications, and engagement letters uploaded to cloud platforms should be redundantly stored in your local backup system

Bottom Line

Approximately 40% of tax practices that experience ransomware attacks discover their backups were incomplete because they failed to capture the actual tax software database files—resulting in permanent client data loss despite having "backups" running.

Cloud Backup Solutions for Tax Professionals

Cloud-based backups can absolutely satisfy IRS compliance requirements when properly configured. However, not all cloud backup services meet the specific security and encryption standards required for taxpayer data protection.

Requirements for IRS-Compliant Cloud Backups

When evaluating cloud backup providers for tax practice use, verify they meet these requirements:

  • Encryption standards: AES-256 at rest and TLS 1.2 or later in transit, using FIPS 140-2 or 140-3 validated cryptographic modules, with the option to hold your own encryption key so the provider cannot read client data
  • Data sovereignty: Ability to specify geographic storage location and confirm taxpayer data remains within US jurisdiction
  • Access controls: Support for multi-factor authentication, role-based access control, and IP address restrictions
  • Immutability options: Object lock or immutable backup features that prevent deletion or modification for defined retention periods
  • Audit logging: Detailed logs of all backup, restore, and administrative operations with tamper-evident storage
  • Recovery capabilities: Granular file-level restore, full system restore, and point-in-time recovery options
  • SOC 2 Type II certification: Independent audit verification of security controls and operational effectiveness

Hybrid Backup Strategies

Most tax practices benefit from a hybrid approach combining local and cloud backups:

  • Local NAS for fast recovery: Network-attached storage in your office provides rapid restore for common scenarios like accidental file deletion—restore times measured in minutes rather than hours
  • Cloud for disaster recovery: Cloud backups protect against office-wide disasters like fire, flood, theft, or ransomware that compromises all on-premises systems
  • Automated replication: Configure local backups to automatically replicate to cloud storage, maintaining the 3-2-1-1-0 rule without manual intervention
  • Cost optimization: Store recent backups (30-90 days) in hot storage for fast access, automatically tier older backups to cold storage for long-term retention at lower cost

Cloud backup costs for tax practices typically range from $30-150 per month depending on data volume. A practice with 500GB of client data might pay $40-60 monthly for enterprise-grade cloud backup with immutability features—a minimal investment compared to the cost of permanent data loss.


Backup Plan Documentation Requirements

The IRS and FTC require written documentation of your tax data backup plan. If your firm reports a data theft to its IRS Stakeholder Liaison, or the FTC opens a Safeguards Rule inquiry, the first documents requested will be your WISP and the backup policy it contains. Your written plan should include:

  • Purpose and scope: Statement that the plan protects taxpayer data in compliance with IRS Publication 4557 and FTC Safeguards Rule, listing all systems and data types covered
  • Backup schedule: Specific frequency for different backup types (daily incremental, weekly full, monthly archival) with exact timing to minimize impact on business operations
  • Technology and methods: Detailed description of backup software, storage hardware, cloud services, and encryption methods used
  • Storage locations: Physical and logical locations of all backup copies including geographic regions for cloud storage
  • Retention periods: How long different backup types are retained, aligned with IRS recordkeeping requirements
  • Access controls: Who has access to backup systems, authentication requirements, and authorization procedures
  • Testing procedures: Frequency and methodology for restore testing, documentation requirements, and acceptance criteria
  • Roles and responsibilities: Named individuals responsible for backup administration, monitoring, testing, and incident response
  • Recovery procedures: Step-by-step instructions for restoring data in various scenarios with decision trees and contact information
  • Review and update schedule: Requirement to review plan annually and after any significant IT infrastructure changes

This documentation serves multiple purposes: it demonstrates compliance to regulators, provides operational guidance to staff, and ensures business continuity when key personnel are unavailable. For firms needing assistance with WISP development, our free WISP template includes a complete backup policy section.

Cost Considerations for Tax Practice Backups

Implementing a compliant tax data backup plan requires investment, but costs are scalable based on practice size and complexity:

Practice Size                            Cloud Backup     Local Hardware         Annual Total (first year)
Solo Practitioner (under 100 returns)    $30-50/month     $300-500 one-time      $660-1,100
Small Firm (100-500 returns)             $75-150/month    $800-1,500 one-time    $1,700-3,300
Medium Firm (500+ returns)               $200-400/month   $2,000-5,000 one-time  $4,400-9,800

First-year totals are twelve months of cloud service plus the one-time hardware purchase.

These investments pay for themselves during the first prevented data loss incident. The average cost of recreating lost tax returns from source documents ranges from $150-300 per return in staff time and client inconvenience—a single ransomware attack affecting 200 client files could cost $30,000-60,000 to remediate without proper backups.


Frequently Asked Questions

What does the IRS require for tax data backups?

The IRS requires tax preparers to back up all systems containing taxpayer data, implement automated backup schedules, use encryption both in transit and at rest, maintain offsite backup copies, conduct regular restore testing, and document all procedures per IRS Publication 4557.

How often should backups be tested?

Conduct quarterly full restore tests and monthly file-level spot checks. The FTC Safeguards Rule (16 CFR 314.4(d)) requires regular testing or monitoring of the effectiveness of key safeguards; for backups, a documented successful restore is that evidence. Untested backups should not be treated as compliant backups.

Can cloud backups satisfy IRS requirements?

Yes, cloud backups can satisfy IRS requirements when they include AES-256 encryption, US-based data storage, immutability features, SOC 2 Type II certification, and proper access controls. Many tax practices use hybrid approaches combining local and cloud storage.

Where does tax software store client data?

Most professional tax software stores databases in system directories outside user folders. You must identify the exact storage locations for your tax software (ProSeries, Drake, UltraTax, etc.) and explicitly include these directories in your backup configuration.

How long should backups be retained?

Align retention with the IRS recordkeeping periods in Publication 583: 3 years for most returns, 6 years where income was underreported by more than 25%, 7 years for worthless-securities or bad-debt claims, and indefinitely where no return was filed. Preparers must also keep a copy of each return, or a list of clients, for 3 years under IRC §6107(b). Many practices retain backups for 7 years to cover all scenarios and provide added client value.

What are immutable backups?

Immutable backups use object lock technology to prevent deletion or modification for a specified period, even by system administrators. This protects against ransomware that targets and destroys traditional backups before encrypting production systems.

Is written documentation required?

Yes, both IRS Publication 4557 and the FTC Safeguards Rule require written backup procedures documenting frequency, retention, encryption methods, storage locations, testing schedules, and responsible personnel. These documents are reviewed during compliance audits.

What does a compliant backup plan cost?

Solo practitioners typically spend $660-1,100 in the first year (including hardware), small firms $1,700-3,300, and medium firms $4,400-9,800. Cloud backup services range from $30-400 monthly depending on data volume and features required.

Can consumer backup services be used?

Consumer services are generally a poor fit: most lack immutable storage, role-based access control, tamper-evident audit logging, and independent SOC 2 attestation. Use a business-grade backup service that provides FIPS-validated encryption, RBAC, immutable copies, and SOC 2 Type II reports.

What if the backup system itself fails?

Your backup plan should include procedures for backup system failures, alternate backup methods, emergency contacts for technical support, and decision criteria for when to halt operations. Document and test these failure procedures before tax season begins.
