In 2024, Chicago-based Legacy Professionals LLP discovered that hackers had stolen data from their systems. The breach wasn't small. It affected 216,752 individuals, exposing names, Social Security numbers, driver's license numbers, medical treatment information, and health insurance details. By the time the firm finished investigating, the stolen data had already been published on the dark web. Five class-action lawsuits followed.
The firm didn't detect the breach themselves. They discovered it months after the data theft when notification requirements kicked in. Individual letters didn't go out until February 2025, ten months after attackers had accessed and exfiltrated the client files.
Legacy Professionals isn't an outlier. In 2024, the IRS received over 250 reports of data breach incidents from tax professionals, impacting more than 200,000 clients. Attacks on accounting practices have jumped 300% since 2020. Accounting firms now face an average of 900 cyberattack attempts during tax season alone.
The pattern is clear: accounting firms hold concentrated financial data that criminals can quickly monetize. Tax applications, bank accounts, Social Security numbers, investment portfolios. Everything an identity thief needs lives in your client files.
Now consider how accounting firms are actually using AI. Draft engagement letters. Summarize financial statements. Generate tax planning recommendations. Respond to client inquiries. Every one of these workflows touches data that, if exposed, triggers regulatory action, professional liability claims, and catastrophic client trust collapse.
Is Copilot safe for accounting firms? The short answer: consumer Copilot should never touch client data. Enterprise tiers can support accounting workflows with proper configuration. The distinctions matter.
The short version: If you need to redact sensitive documents before they reach AI systems, PaperVeil handles that layer. The rest of this article explains where it fits in the broader governance architecture.
What "Safe" Actually Means for Accounting
Accounting firms operate under layered obligations that AI tools must satisfy.
AICPA confidentiality requirements. The American Institute of Certified Public Accountants defines confidential client information as any information obtained from the client that is not available to the public. Rule 1.700.001 prohibits disclosure without proper consent, except when required by law. When client data flows through AI systems, those systems become part of your confidentiality framework.
SOC compliance obligations. Many accounting firms that serve enterprise clients must maintain SOC 2 compliance. This framework, developed by AICPA itself, evaluates controls across five trust principles: security, availability, processing integrity, confidentiality, and privacy. Adding AI tools to your workflow means ensuring those tools don't undermine your SOC posture.
Professional liability exposure. Unlike general business data breaches, accounting firm breaches create direct professional liability. Wojeski & Company, an Albany CPA firm, settled with New York Attorney General Letitia James for $60,000 after two data breaches exposed personal information for 4,700 people. The exposed data included names, dates of birth, Social Security numbers, financial account numbers, and medical benefits information.
Client trust dependencies. A 12-person Midwest accounting firm was quietly breached in 2024. Attackers exfiltrated three months of client data without detection. The breach was discovered when clients reported fraudulent tax returns filed in their names. By 2025, the firm had dissolved. Not from direct financial loss, but because trust evaporated and business dried up.
For an AI tool to be "safe" for accounting, it needs to handle client data without creating exposure under any of these frameworks.
Accounting Data at Risk
Client files contain information that creates cascading harm when exposed:
Tax identification data. Social Security numbers, EINs, ITINs. The core identifiers that enable tax fraud, identity theft, and account takeover. A single compromised return contains enough information to file fraudulent returns for years.
Financial account details. Bank account numbers, investment account information, routing numbers. Direct access to client money that attackers can exploit immediately.
Income and compensation data. Salary information, bonus structures, equity grants, partnership distributions. Competitive intelligence that clients expect to remain strictly confidential.
Business financial statements. Revenue figures, profit margins, cash flow details, debt structures. Information that could affect client negotiations, acquisitions, or competitive positioning if disclosed.
Tax planning strategies. Recommendations that reveal client financial positions, estate structures, and business arrangements. Documentation that could create legal exposure if obtained by opposing parties in litigation.
When an accountant pastes client information into an AI tool to help draft a tax memo, they're potentially transmitting all of these data types to a system they don't control.
How Copilot Handles Accounting Data
Microsoft offers multiple Copilot products with different security characteristics. The distinctions determine whether your use is compliant or catastrophic.
Consumer Copilot (free tier, Bing integration). By default, Microsoft may use conversation data for service improvement. No enterprise controls exist. No audit logging. No data residency options. Consumer Copilot should never be used with client information. A staff member using Bing Copilot to help with a client memo has just created potential disclosure outside your confidentiality framework.
Microsoft 365 Copilot (Business/Enterprise). For commercial customers, Copilot operates within your Microsoft 365 tenant. Microsoft states clearly that prompts, responses, and data accessed through Microsoft Graph are not used to train foundation models. The service inherits your existing Microsoft 365 security configuration.
Microsoft 365 Copilot is compliant with existing privacy, security, and compliance commitments including GDPR and EU Data Boundary. The data stays within your Microsoft 365 service boundary with enterprise data protection applied.
Microsoft Security Copilot. This specialized product achieved SOC 2 certification, providing independent verification of security, availability, and confidentiality controls. It also holds ISO certifications for information security management (27001), personal data protection in the cloud (27018), cloud-specific security controls (27017), privacy information management (27701), IT service management (20000-1), quality management (9001), and business continuity management (22301).
Copilot Studio. The platform for building custom Copilot solutions has been audited for SOC compliance, with audit reports available from the Microsoft Service Trust Portal. It's also covered under HIPAA Business Associate Agreement provisions for firms handling health-related financial data.
The pattern is consistent: enterprise and specialized tiers provide the contractual commitments and technical controls that professional services require. Consumer versions provide none of these safeguards.
Where Copilot Falls Short for Accounting
Even with enterprise tiers, gaps remain between Copilot capabilities and accounting firm requirements.
The Data Access Problem
Microsoft 365 Copilot pulls data from across your Microsoft 365 environment. When you ask Copilot a question, it may access emails, documents, Teams chats, and SharePoint sites to formulate a response.
This creates a minimum necessary challenge. If Copilot can access client data stored anywhere in your Microsoft 365 environment, every Copilot interaction potentially touches confidential information even when the user's intent doesn't involve specific client work.
For firms maintaining client confidentiality walls, the broad data access model may need additional configuration to prevent inadvertent disclosure between client matters.
The Audit Trail Gap
AICPA standards require documentation of how client information is handled. When client data flows through AI interactions, you need records of what information was processed and what outputs were generated.
Microsoft 365 provides usage analytics for Copilot, but the granularity may not match what your professional standards require. If a client challenges how their information was used, or if a regulator investigates your data handling practices, can you produce evidence of every AI interaction involving that client's data?
Building comprehensive audit infrastructure typically requires additional logging beyond what Copilot provides natively.
The Shadow AI Risk
The biggest risk isn't your official Copilot deployment. It's staff members using consumer AI tools through personal accounts, browser integrations, or mobile apps.
Research shows 74% of breaches involve the human element: phishing, stolen credentials, or misused accounts. An accountant who uses consumer ChatGPT to help draft a client letter because it's faster than the approved workflow has just bypassed every control you've implemented.
Without technical controls that block unauthorized AI access, policy alone won't prevent confidentiality breaches.
The Professional Standards Complexity
The role of regulation and standard-setting bodies in shaping AI data security is evolving rapidly. New rules and guidelines are being introduced to address risks associated with AI in professional services.
Accounting firms face compliance with multiple frameworks simultaneously: AICPA ethics rules, state board regulations, FTC Safeguards Rule requirements, and potentially SOC 2 or other framework attestations. AI tools don't come with accounting-specific compliance documentation. Building that framework requires significant effort that falls on the firm, not the vendor.
Making Copilot Safe for Accounting Workflows
The path to safe AI usage follows a familiar pattern: understand your data, control its flow, and document everything.
Step 1: Classify Client Data by Risk
Before any AI touches client information, classify it:
Tier 1 (Never external AI). Social Security numbers, bank account details, tax returns, full financial statements. These should never reach consumer AI tools under any circumstances.
Tier 2 (Requires de-identification). Client questions, engagement letter drafts, general tax planning scenarios. Can be processed by AI if identifying information is stripped first.
Tier 3 (Lower risk). Tax code research, general accounting guidance, industry benchmarking questions. Can be processed with appropriate enterprise agreements in place.
Step 2: Implement Pre-Processing Redaction
For Tier 2 data, strip identifying information before AI processing:
Convert client names to placeholders like "[CLIENT-A]" or "[COMPANY-1]". Remove specific dollar amounts or replace with ranges. Strip dates, addresses, and account numbers. Replace identifying details with generic markers.
The redacted content goes to Copilot. The AI generates its response based on de-identified data. You re-associate identifiers internally within your practice management system. The AI never sees actual client information.
Step 3: Deploy Enterprise Controls
For approved use cases:
Implement Microsoft 365 Copilot within your enterprise tenant. Configure data access to respect client confidentiality walls where required. Enable audit logging and integrate with your compliance documentation systems. Establish access controls limiting who can use AI for which categories of client work.
Step 4: Block the Alternatives
Shadow AI represents your biggest confidentiality risk. Your governance framework only works if staff actually uses it.
Block access to consumer AI interfaces from firm devices and networks. Implement endpoint controls that prevent unauthorized AI applications. Establish clear policies with consequences for using non-approved AI tools with client data. Make the compliant workflow easier than the workaround.
Step 5: Update Your Documentation
Professional standards require documentation of your data handling practices. Update your records:
Add AI tools to your information security policies. Document your vendor due diligence for AI providers. Update engagement letters to address AI processing if appropriate. Maintain records of AI-assisted work products for client matters.
Step 6: Train Your Team
Staff need to understand what client data looks like in AI prompts. A question about "how to handle a client with $2M in unreported income" contains confidential information even without naming the client.
Training should cover which tools are approved, what data categories can be processed through AI, how to use redaction workflows, and what to do if someone accidentally exposes client information.
The Regulatory Direction
The FTC penalized a tax preparation company in 2024 for failing to encrypt client data under the Safeguards Rule. Financial services breaches now cost an average of $6.08 million, 22% above the global mean according to IBM's Cost of a Data Breach 2024 report.
Small-to-mid-sized firms are now the primary attack vector because they handle valuable data with often-limited security resources. Cybercriminals know that a breach can drive a smaller accounting practice out of business faster than almost any other professional service firm.
The firms that survive and thrive will be those that build AI adoption on proper foundations rather than hoping that convenience doesn't create catastrophe.
The Bottom Line
Is Copilot safe for accounting firms? Consumer Copilot is never safe for client data. The lack of enterprise controls, audit capabilities, and contractual commitments makes it inappropriate for any client-facing work.
Microsoft 365 Copilot and specialized products like Security Copilot can support accounting workflows when properly configured. But "properly configured" means implementing data classification, access controls, audit logging, and staff training that matches professional standards requirements.
The practical path forward:
- Treat consumer AI as completely off-limits for client data
- Classify information by sensitivity and establish clear processing rules
- Implement redaction workflows for sensitive data before AI processing
- Deploy enterprise Copilot with appropriate controls and logging
- Block unauthorized AI tools through technical controls, not just policy
- Train staff until the compliant pathway is second nature
- Document everything for professional standards compliance
The 216,752 individuals affected by the Legacy Professionals breach didn't choose that firm because they wanted their Social Security numbers on the dark web. They trusted their accountants with sensitive information. The firms that honor that trust while capturing AI productivity benefits are building competitive advantage. The ones that don't are building toward the next headline-grabbing breach.
PaperVeil lets you redact sensitive information from documents before they touch any AI system. Detect and remove client identifiers, financial data, and tax information automatically. Generate the audit trails that accounting compliance requires. The redaction layer that makes AI document processing actually safe for accounting firms.