Experts at the American Bar Association’s May Tax Meeting in Washington, D.C., and in interviews with Reuters, say that as accounting firms use more AI tools, their data privacy and cybersecurity responsibilities are becoming more complicated. 

Tax practitioners already navigate an expanding set of federal, state, and international privacy regulations, such as the Gramm-Leach-Bliley Act and the FTC’s Safeguards Rule, which require formal written information security plans. Experts noted that these obligations now intersect with new concerns related to AI adoption, vendor management, and employee use of consumer-grade technology. 

Professor Annette Nellen of San José State University said that proposed updates to Circular 230 would expand the meaning of competence. It would now include “understanding the benefits and risks associated with relevant technology that is used by the practitioner to provide services to clients or to store and transmit tax return and other confidential information.” 

Experts also warned that firms might not realize how privacy laws like the European Union’s General Data Protection Regulation can apply to U.S. firms working with international client data. At the same time, cybersecurity threats against accounting and law firms are increasing. Matt Harvey of CrowdStrike said these firms are attractive targets because they hold sensitive information from many clients and industries.