Your Vendor Broke the Rules — And Nobody Checked
What would you do if you found out a vendor you trusted with your clients' most sensitive data had been quietly handing it off to a subcontractor overseas — for months — in direct violation of your agreement?
That's exactly what happened to Australia's federal court system. And the way it unfolded should concern every CPA firm owner who relies on outside vendors to handle client information.
A Vendor With a Secret Subcontractor
In February 2026, an investigation by ABC News Australia revealed that VIQ Solutions — a publicly traded Canadian company contracted to provide transcription services to Australian courts — had been subcontracting work to e24 Technologies, a firm based in Chennai, India. The problem? VIQ's contracts with the Australian Commonwealth explicitly prohibited offshoring court data. They also prohibited the use of AI-based transcription software.
VIQ did both.
The result was that thousands of highly sensitive court files — from the Federal Circuit and Family Court, which handles domestic violence and child abuse cases, and the Federal Court, which hears national security and major corporate matters — were accessed by workers in India using personal email addresses. Files from courts across New South Wales, Victoria, Queensland, Western Australia, and South Australia were affected.
These weren't routine administrative documents. They included witness testimony, protected identities, covert officer information, and details about vulnerable families in crisis. The kind of data where a single exposure can put someone's physical safety at risk.
The Warning Signs Were There — Management Ignored Them
Here's the part that turns a bad situation into a governance failure.
VIQ employees raised concerns about the offshoring as early as August 2025. Staff noticed that e24 workers were accessing court data outside of Australian business hours and completing transcripts faster than humanly possible — with noticeable errors that suggested AI tools were being used. They reported these observations to management.
The response? Employees were told their concerns were "not relevant" and were instructed to stop spreading "rumours."
For roughly six months, the practice continued. It took an external media investigation — not an internal audit, not a compliance review, not a management inquiry — to bring it to light. On February 20, 2026, VIQ Solutions issued a press release acknowledging "data privacy incidents" in Australia and announcing an internal investigation with a cybersecurity firm. The company characterized the incidents as potentially "material."
Why This Matters to Your CPA Firm
You might think this is an Australian government problem that has nothing to do with a 25-person accounting firm in Ohio. But strip away the specifics, and the pattern is one that plays out in firms of every size.
CPA firms routinely share sensitive client data with outside vendors: cloud-based tax preparation platforms, document management systems, IT service providers, payroll processors, client portal software. Each of those vendors has access to Social Security numbers, financial statements, bank account details, and tax returns. And each of those vendors may have their own subcontractors you've never heard of.
The FTC Safeguards Rule (16 CFR Part 314), which applies to CPA firms because tax preparation and similar financial services make them "financial institutions" under the Gramm-Leach-Bliley Act, doesn't just require you to protect data inside your own walls. Section 314.4(f) specifically requires firms to "oversee service providers" in three ways: taking reasonable steps to select and retain providers that are capable of maintaining appropriate safeguards, requiring them by contract to implement and maintain those safeguards, and periodically assessing them based on the risk they present and the continued adequacy of their safeguards.
In other words, if your vendor mishandles your clients' data, regulators won't just ask what the vendor did wrong. They'll ask what you did to prevent it.
Why Contracts Alone Aren't Enough
VIQ Solutions had a contract that explicitly prohibited offshoring. That contract didn't prevent anything. It was violated for months, and the client — the Australian government — had no idea until journalists uncovered it.
A contract creates a legal obligation. It doesn't create compliance. The gap between those two things is where governance lives.
For CPA firms, the lesson is that signing a vendor agreement and filing it away isn't vendor management. Vendor management means actively verifying that your providers are doing what they said they'd do. It means having a process — even a simple one — to periodically check in, ask questions, and document the answers.
Your IT provider or MSP plays an important role here. They can help you evaluate the technical security of your vendors' platforms, verify encryption standards, and flag changes to how data is stored or transmitted. But the decision about which vendors to trust, what questions to ask them, and whether to keep working with them when something feels off — that's a leadership decision, not a technical one.
What You Can Do Today
You don't need a procurement department or an expensive software tool to track vendor compliance. But you do need a process — and it can be straightforward.
- List your vendors who touch client data. Write down every third party that receives, stores, processes, or can access your clients' sensitive information. Include your tax software provider, your cloud storage, your client portal, your IT provider, your payroll service, and any outsourced bookkeeping. Most firms are surprised by how long this list gets.
- Check your contracts for subcontracting clauses. Do your vendor agreements address whether the vendor can share your data with subcontractors, and where that data may be stored or processed? If the contract is silent on this, you have a gap. The FTC expects you to have contractual provisions requiring your service providers to maintain appropriate safeguards, and that includes controlling who else gets access. A clause that requires the vendor to notify you before engaging a subcontractor, and to pass the same obligations down to that subcontractor, closes most of the gap.
- Ask your vendors directly: "Do you use subcontractors to process our data, and where is our data stored and processed?" This is a simple question that most firm owners have never asked. The answer may surprise you. If a vendor can't give you a clear, direct answer about where your data goes and who touches it, that tells you something important.
- Create a simple annual vendor review. Once a year, revisit each vendor on your list. Confirm that their security certifications or audit reports (for example, a current SOC 2 report) are still valid, ask whether anything has changed in how they handle data, including new subcontractors or data locations, and document the conversation. A 30-minute annual check-in per vendor is manageable for any firm, and it is the kind of evidence regulators want to see.
- Make it safe to raise concerns internally. VIQ's employees saw the problem roughly six months before it became public. They were silenced. If someone on your team notices something unusual about a vendor, such as unexpected emails, unfamiliar people accessing files, or changes in how work is delivered, you need them to feel comfortable reporting it. That means responding to concerns with curiosity, not dismissal.
The Bottom Line
The VIQ Solutions breach wasn't a hack. No one broke through a firewall or guessed a password. A vendor simply decided to cut corners, and the organizations that trusted them had no system in place to catch it. Employees who noticed were told to be quiet. The violation continued for months until a news reporter did what an internal governance process should have done.
For CPA firm owners, this is a wake-up call about a risk that's easy to overlook: what your vendors do with your clients' data after you hand it over. The FTC doesn't expect you to audit every line of code your software vendor writes. But it does expect you to ask the right questions, put protections in your contracts, and verify — not just trust — that your providers are holding up their end.
If you're not sure whether your vendor agreements, oversight processes, and documentation meet what the FTC Safeguards Rule requires, SafeGuardGRC can help you build a vendor management framework that fits your firm — including contract review checklists, annual vendor assessment templates, and the documentation trail that proves you're doing your due diligence.
A contract is a promise. Governance is how you make sure the promise is kept.