Lesson 9: State Law Layer

← Study Guide home · Lesson 9 of 12


Additional obligations depending on where you and your clients are


Learning Objectives

After completing this lesson, you will be able to:


Why State Law Matters: §7216 Is a Floor, Not a Ceiling

Federal law (§7216 and the FTC Safeguards Rule) creates minimum standards. State law can and does add requirements that apply independently. Key principles:

  1. Your state's CPA licensing rules apply to how you handle client data, regardless of whether federal law also applies.
  2. Your clients' state laws may apply to you, based on where the client resides, not just where you are located.
  3. State data security laws may require specific technical measures that go beyond the FTC Safeguards Rule's general principles.

Georgia (Primary Focus)

Georgia Rule 20-12-.11: Independent Confidentiality Duty

As covered in Lesson 6, this rule requires client consent before disclosing confidential client information. It applies independently of §7216 and the AICPA Code. A Georgia CPA who uses client information with an AI vendor without either consent or adequate contractual safeguards may be in violation of this rule.

Georgia Rule 20-12-.19: AICPA and SSTS Incorporated

Also covered in Lesson 6. The AICPA Code (including ET §1.700.001 and the TPSP interpretation) and the SSTS are part of your Georgia CPA license obligations. Violations of AICPA standards are Georgia Board violations.

Georgia Breach Notification (O.C.G.A. §10-1-912): Covered in Lesson 5.

Key points for AI context:

Georgia Privilege Statute (O.C.G.A. §43-3-29)

Georgia has a statutory accountant-client privilege covering communications between a CPA and a client "in his professional capacity." (This provision was renumbered effective July 1, 2014; older sources cite it as §43-3-32.) This privilege could be implicated if information shared with an AI vendor constitutes a disclosure that waives the privilege. While this is an unresolved question, it is worth noting that some courts have found that disclosure to a third party in a manner inconsistent with maintaining confidentiality can constitute waiver of the privilege.

California

The California Tax Preparers Act

California Business and Professions Code §17530.5 makes it a misdemeanor for a tax preparer to disclose information obtained in preparing a client's federal or state income tax return, except with the client's written consent (in a separate document) or where otherwise authorized by law. It is an independent state law that parallels §7216, covering largely the same conduct. This means:

⚠️ RISK: If you have California individual clients, unauthorized disclosure of their tax data exposes you to both federal §7216/§6713 liability and an independent California misdemeanor under §17530.5. (Note: §17530.5 does not literally cross-reference §7216; the "same conduct" equivalence is the practitioner/CTEC reading, not statutory text. Verify the statute for your situation.)

CCPA Implications for California Clients

The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), apply to businesses that meet certain thresholds and collect personal information from California residents. For most small CPA firms, the direct compliance obligations under CCPA are limited (the thresholds are high and there are exceptions for information collected pursuant to federal law). However:

New York

NY SHIELD Act (Stop Hacks and Improve Electronic Data Security Act)

New York's SHIELD Act (effective March 21, 2020) applies to any person or business that "owns or licenses private information of a New York resident." Unlike New York's prior breach notification law, the SHIELD Act adds affirmative data security program obligations, not just notification duties.

Data security program requirements under the SHIELD Act:

The SHIELD Act requires businesses to implement a data security program that includes "reasonable safeguards" appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information. For a small tax practice, "reasonable safeguards" includes:

Application to AI tools: The "select service providers with appropriate safeguards" requirement parallels the FTC Safeguards Rule's §314.4(f); it requires vetting AI vendors before they are used with New York client data. A vendor DPA with adequate security commitments is the recommended safeguard.

What "reasonable safeguards" means for AI under SHIELD:

New York's Attorney General has interpreted "reasonable safeguards" to include measures appropriate to the nature of the data. For tax return information, which includes SSNs, financial data, and other high-sensitivity data, reasonable safeguards include:

Massachusetts

201 CMR 17.00: Standards for the Protection of Personal Information

Massachusetts 201 CMR 17.00 is one of the most detailed state data security regulations in the country. It applies to any person or entity that "owns or licenses personal information about a Massachusetts resident," which means that if you have even one Massachusetts client with an SSN in your systems, you must comply.

Written Information Security Program (WISP) requirements under 201 CMR 17.00:

Massachusetts requires 12 specific WISP elements, including:

  1. Designate an employee to maintain the program
  2. Identify and assess reasonably foreseeable internal and external risks
  3. Develop security policies for storage and access to personal information
  4. Impose disciplinary measures for violations
  5. Prevent terminated-employee access
  6. Oversee service providers with contractual safeguards
  7. Restrict physical access to records containing personal information
  8. Monitor program effectiveness
  9. Annual review of the security program
  10. Document responsive actions after any breach
  11. Train employees on the security system
  12. Ensure third-party service provider compliance

Technical requirements (Section 17.04):

Massachusetts specifically requires:

Application to AI tools: Sending Massachusetts client data (including SSNs) to a cloud AI vendor over the internet is a transmission of personal information across a public network, triggering the encryption requirement. The vendor's HTTPS encryption may suffice, but you should confirm the vendor encrypts data in transit in a manner compliant with 201 CMR 17.03(3)(a).

📌 PRACTICE TIP: Many small firm WISPs are not written with Massachusetts compliance in mind, even when the firm has Massachusetts clients. If you have any Massachusetts clients, review your WISP against the 201 CMR 17.00 checklist. The 12-element structure is more specific than the FTC Safeguards Rule and requires documentation at a more granular level.

The Key Multi-State Principle

Even if you are in Georgia, if you have clients in California, New York, or Massachusetts, their state's data protection laws apply to your handling of their data:

| State         | Key Law                                  | Trigger                                      | Key Obligation                                                                      |
|---------------|------------------------------------------|----------------------------------------------|-------------------------------------------------------------------------------------|
| Georgia       | Rule 20-12-.11; O.C.G.A. §10-1-912       | Any GA client data                           | Consent for disclosure; breach notification                                         |
| California    | BPC §17530.5; CCPA                       | Any CA individual return                     | Independent disclosure misdemeanor that parallels §7216; service-provider DPA       |
| New York      | NY SHIELD Act                            | Any NY resident's private information        | Reasonable safeguards program; vendor vetting                                       |
| Massachusetts | 201 CMR 17.00                            | Any MA resident's SSN or financial account   | Full 12-element WISP; encryption of transmissions                                   |

Key Takeaways


Quick Review

Q1: A CPA in Augusta, Georgia prepares federal and Georgia returns for a client who recently moved to Massachusetts. The CPA uses a cloud AI tool to assist with the return preparation. Which state's data protection laws apply?

Answer: Both Georgia and Massachusetts laws apply. Georgia Rule 20-12-.11 and O.C.G.A. §10-1-912 apply because the CPA is licensed in Georgia. Massachusetts 201 CMR 17.00 applies because the client is now a Massachusetts resident whose personal information (SSN, financial account) is being processed. The CPA must satisfy both, which means the stricter Massachusetts requirements (12-element WISP, encryption of transmissions) must be met.

Q2: A Georgia EA prepares California returns for several entertainment industry clients who are California residents. The EA uses ChatGPT Plus (consumer tier) with their client data without a §7216 analysis and without consent. What state law issues does this create?

Answer: The same unauthorized disclosure that violates §7216 (cloud AI consumer tier, no exception, no consent) will, in practice, also violate California Bus. & Prof. Code §17530.5, an independent state misdemeanor for unauthorized disclosure of tax return information. The EA faces potential enforcement by both the IRS (§7216/§6713) and California authorities. (The two statutes prohibit parallel conduct; §17530.5 does not literally cross-reference §7216.) Additionally, if any clients are New York residents, the NY SHIELD Act may also apply.

Q3: A Georgia CPA firm with mostly local clients has two clients who are New York residents. The firm uses Microsoft 365 Copilot (enterprise tier, signed DPA, US data residency) with all client data without distinguishing New York from Georgia clients. Does the NY SHIELD Act create any special obligation?

Answer: Yes. New York's SHIELD Act applies to the New York resident clients' personal information. The firm must ensure it has "reasonable safeguards" appropriate to the sensitivity of the data. For a tax practice processing SSNs, financial data, and similar high-sensitivity information, this means vetting the service provider (Microsoft's enterprise tier with a signed DPA is likely adequate) and having a data security program in place. If the firm's existing WISP covers these elements, it may satisfy the SHIELD Act for the New York clients. But the firm should confirm its WISP explicitly addresses the SHIELD Act requirements.




The AI Lab for Accountants · An educational resource, not legal or tax advice.