Data Security & Confidentiality Guidelines

Purpose:

To ensure all client information is handled with the highest level of confidentiality, security, and compliance with applicable laws (e.g., IRS Publication 4557, FTC Safeguards Rule, and state privacy laws).

1. Confidentiality Commitment

• All client information—financial, personal, or business—is strictly confidential.
• Information will not be disclosed to third parties without written client consent, except as required by law or court order.
• Employees, contractors, and subcontractors must sign a Confidentiality Agreement before accessing client data.

2. Data Access Controls

• Access to client data is role-based and granted only to personnel directly involved in the engagement.
• All systems containing client data require unique, strong passwords and multi-factor authentication (MFA) where available.
• Client files are stored in secure, encrypted platforms such as:
  • SecureFilePro (document portal)
  • QuickBooks Online (accounting platform)
  • Encrypted local storage (where necessary)
• No client files or data may be stored on personal, non-encrypted devices.

3. Data Transmission

• All file transfers must be conducted via SecureFilePro or other approved encrypted platforms—never by unsecured email.
• Sensitive information in emails must be encrypted or transmitted through secure portals.
• When sending passwords, they must be transmitted separately from usernames and other identifying information.

4. Physical Security

• Paper documents containing client data must be stored in locked file cabinets in restricted-access areas.
• Printed materials should only be produced when necessary, and should be shredded when no longer required.
• Workspaces must be cleared of client materials when unattended (clean desk policy).

5. Data Retention & Disposal

• Client records are retained for 7 years unless otherwise agreed or legally required.
• After the retention period, data will be securely destroyed:
  • Digital data: Permanently deleted and wiped from devices.
  • Paper records: Cross-cut shredded or professionally destroyed.
• A Destruction Log will be maintained for record-keeping.

6. Remote Work Protocols

• Public Wi-Fi may only be used when connected to a secure VPN.
• Devices used for client work must have up-to-date antivirus and firewall protection.
• Screen locks must be enabled when devices are unattended.

7. Incident Response

• Any suspected data breach, unauthorized access, or accidental disclosure must be reported immediately to the Managing Member of Mac Neal LLC.
• An investigation will be initiated within 24 hours to assess the scope and impact.
• Clients will be notified promptly if their data is affected, in accordance with applicable breach notification laws.

8. Compliance & Training

• All staff must complete annual data security training covering phishing prevention, password security, and safe handling of sensitive data.
• Mac Neal LLC will conduct periodic security audits to ensure ongoing compliance.

9. Client Responsibilities

• Clients are encouraged to:
  • Use strong passwords and enable MFA on their accounts.
  • Submit documents only via approved secure methods.
  • Notify Mac Neal LLC immediately of any suspected compromise of shared accounts or credentials.

Acknowledgment

All employees, contractors, and vendors working with Mac Neal LLC must sign to acknowledge understanding and compliance with these guidelines.