The legal requirement to notify affected individuals, regulators, and sometimes law enforcement when personal data is exposed in a security incident.
Data breach notification refers to the legal obligations that arise when a firm experiences unauthorized access to, or disclosure of, personal information. All 50 US states have breach notification laws with varying requirements for who must be notified, within what timeframe (typically 30-72 days), what information must be included in the notification, and whether the state attorney general or other regulatory bodies must also be informed. For CPA firms, breaches involving taxpayer information may also trigger IRS reporting requirements.
Failure to notify within the required timeframe can result in per-record penalties, class action lawsuits, and regulatory enforcement actions on top of the breach itself. The requirements vary significantly by state. For example, some states require notification within 30 days while others allow 60 or 90. A firm with clients in multiple states must comply with the strictest applicable deadline. Having a pre-built incident response plan with state-specific notification templates dramatically reduces the risk of missing a deadline.
The Incident Response Plan Generator module handles this for your firm, personalized to your software, team size, and state requirements.