Data Backup and Recovery Checklist

List every system that holds client data — tax prep (UltraTax, Lacerte, ProSystem fx, Drake), GL (QuickBooks Online, Xero, Sage Intacct), document management (SmartVault, TaxDome, ShareFile, Liscio), and payroll (Gusto, ADP, Paychex). Note where each stores SSNs, EINs, and bank account numbers; this classification drives the WISP and the encryption requirements downstream.

IRS Publication 4557 and the FTC Safeguards Rule require paid preparers to retain and protect client records. Most firms hold 7 years for federal returns and longer for fixed-asset basis schedules and shareholder basis (Form 7203). Cross-check state-board retention rules and any engagement-letter commitments before setting expiration policies.

RPO (recovery point objective) caps tolerable data loss; RTO (recovery time objective) caps tolerable downtime. During tax season, tax-software RPO/RTO should be tighter (1 hour / 4 hours) than off-season. Document targets per system so the backup schedule is driven by a number, not a guess.

Configure tax and GL platforms for off-hours backup. UltraTax and Lacerte have built-in backup utilities; QBO Advanced has native backup, lower tiers do not. For QuickBooks Desktop, schedule QBB backups outside business hours and confirm they aren't blocked by company-file locks left open by overnight users.

Pull a random recent backup and restore it to a sandbox. A backup that runs nightly without errors but can't restore is the most common DR failure mode — corrupt files, missing media, expired credentials. Log the test result before moving on.

Use AES-256 at rest and TLS 1.2+ in transit. The FTC Safeguards Rule requires encryption of customer information, and state laws (MA 201 CMR 17.00, NY SHIELD Act, TX BC §521) layer additional standards on top. Store keys in a separate vault from the backup itself — encryption is meaningless if the key sits next to the ciphertext.

Off-site means a different metro area or cloud region — a NAS in the same building as the office is not off-site. Common patterns are AWS S3 cross-region replication, Backblaze B2 with geographic redundancy, or a paid Datto/Axcient image-replication service.

Write a per-system runbook: how to restore UltraTax client files from backup, how to recover a QBO company from a backup, how to rehydrate a SmartVault portal. Reference exact menu paths; keep credentials in the password vault and reference the vault entry, never the password itself.

Name a recovery coordinator (usually the managing partner or IT director), a tax software lead, a GL/bookkeeping lead, and a client communications lead. During tax season the coordinator role should rotate to a backup if the managing partner is mid-return on April 14.

Walk the team through a realistic incident — ransomware on a tax workstation March 1, or a flooded server closet April 10. Time how long each role takes to execute their part of the runbook. Capture gaps so they can be fixed before the live test or the next tax season.

Spin up an isolated VM or cloud sandbox. Restore the most recent backup of the largest tax-software dataset and confirm clients open without error. Never test against production — a botched restore can overwrite live engagement data mid-season.

Reconcile a sample of restored returns or trial balances against production. For tax data, compare e-file confirmations and refund amounts on three sampled returns; for GL data, compare trial balance totals at a known prior month-end. Attach the validation workpaper.

For a tabletop or test, identify what would have failed in a real incident. For an actual incident, run a 5-Whys against the failure mode. Keep the review no-blame so staff surface the real causes — it's the only way the WISP improves.

State breach-notification laws (MA 93H, NY SHIELD, CA CCPA, TX BC §521 — roughly all 50 states) trigger when client PII is accessed without authorization. Even if the backup itself wasn't breached, a recovered system that was compromised pre-backup may have already exposed SSNs. Consult counsel before deciding.

Send notice within the state-specific window — typically 30 to 60 days from discovery. Include what data was affected, when, and remediation offered (credit monitoring is standard for SSN exposure). Many states also require notice to the state Attorney General and the three consumer reporting agencies above defined thresholds.