
Using the engagement letter to reduce cyber liability exposure


By Nick Matarazzo

In this digital age, accountants are being forced to deal with all sorts of cyber threats. A well-worded engagement letter can help guard you against a cyber-related liability claim from your client and minimize your overall firm liability.

Even if you are careful with your clients' data, you may still be held legally liable for personal or financial data lost in a breach. Because your clients are unlikely to be able to locate and sue the attackers, they will look to hold you accountable instead, even for a breach you could not have prevented. After all, accountants are responsible for their clients' sensitive financial and personal information. Clients place their trust in you as a professional, and when their personal information is exposed, that trust diminishes.

Although no amount of discussion will eliminate cyber-attacks, explaining the importance of enhanced security measures (including, but not limited to, encrypted email) demonstrates your expertise and increases the client's confidence in your firm. For instance, if email is the client's preferred channel, point out that unencrypted email can be read by anyone who intercepts it, whereas encrypted email cannot. Encrypted email requires more steps and is generally more time consuming; however, the investment of time and effort is worth the peace of mind.

Once you and the client have discussed and verbally agreed to a cyber security protocol, be sure to formalize the policy in the engagement letter. Doing so will not only establish client expectations and preferred practices, but also (potentially) mitigate misguided, cyber-related claims made by the client against the firm.

Consider the following example:

Our accountants may communicate with you via email or facsimile, transmit data over the Internet, store data in software applications hosted on the Internet, or allow access to data through third-party vendors' secured portals or cloud services.  Confidential electronic data may be transmitted or stored using these methods.  Our firm makes reasonable efforts to keep such communications and data access secure in accordance with applicable laws and professional standards.  You accept that, notwithstanding all reasonable security measures employed by us or our third-party vendors, we have no control over the unauthorized interception of a communication once it has been sent, or over a breach that results from unauthorized access.

After adding the above paragraph to your engagement letter, consider asking clients, in a separate letter, to respond to a couple of questions, such as:

  1. Do you authorize us to communicate with you through unencrypted email?  Yes ___ No ___
  2. Do you have any specific concerns regarding our use of electronic communications or storage of electronic data?  Yes ___ No ___

If, after this correspondence, the client requires extra protection, set out in writing the specific measures that will be put in place to protect them. For example:

After our discussions, we agree that we will utilize encryption when communicating electronically with you regarding the following: (list the specific documents).

Should these extra security measures lead to additional expense for the firm, you should alert the client and inform them of the anticipated cost and who is responsible for payment.

Another approach would be to include an absolute liability waiver for any claims related to loss of personal data as a result of any cyber-attack. For instance:

We specifically disclaim any liability for an unauthorized interception or unintentional disclosure, and you agree we shall have no responsibility for any loss or damage to any person or entity resulting from any electronic transmission.

Limitation of liability clauses like the above are not always legally enforceable, and whether they succeed often varies by jurisdiction. Even where such a clause is not enforceable on its own, it can support a defense, particularly if you have documentation, in the engagement letter or in other written communication, showing that you took reasonable measures to secure the client's data and that the client understood, agreed to and approved that process.

In our new world of digital technology, the best and brightest accountants understand the risk of electronic communication and pass that knowledge onto their clients. Be sure your client is aware that you are looking out for their best interests.  This will make for a better relationship, build trust and reduce your chances of a claim.


Jorgensen & Company are not attorneys and do not offer any form of legal advice. Consult with appropriately qualified local counsel for more assistance. Nick Matarazzo is Client Service Executive for the CPAGold™ program and may be contacted at (201) 345 2453 or
