The Texas Attorney General publishes data security breach notices for incidents affecting Texans. A search of that public database surfaces several CPA and tax firms — businesses that hold taxpayers’ most sensitive financial records.
Texas CPA & Tax Firms in the OAG Breach Database
| Firm | City | Texans Affected | Date Published |
|---|---|---|---|
| Keith Gardner CPA PLLC | Houston | 1,500 | 06/12/2025 |
| Carranco & Lawson, P.C. | Laredo | 447 | 01/13/2026 |
| AA CPA Tax Strategies LLC | Austin | 750 | 01/27/2026 |
| Dana Lee CPA LLC | Spring | 150 | 03/27/2026 |
The exposed data across these notices includes names, addresses, Social Security numbers, driver’s license numbers, and financial account information — exactly the data a tax preparer holds for every client.
Why This Matters for CPA & Tax Firms
The IRS (Publication 4557) requires every tax professional to maintain a written information security plan (WISP) to keep a PTIN, and the FTC Safeguards Rule backs it with civil penalties up to $50,120 per violation, per day. A breach of taxpayer data is both a regulatory and a reputational event few small practices survive.
Check your firm’s email and domain security at audit.emailmenow.com/?industry=cpa-firms.
Recommendations
- Enforce DMARC (
p=reject), strict SPF (-all), and DKIM signing. - Add MTA-STS and website security headers; require MFA on anything touching client returns.
- Document your WISP and run recurring security awareness training before filing season.
Protect your firm and your clients. Contact EmailMeNow IT Consulting for your IRS-ready written security plan and email hardening.