A client emails your front desk asking for a copy of last year’s tax return. Someone on your team replies with a PDF attachment - just like they have a hundred times before. No one thinks twice about it. That routine moment is one of the most common ways CPA firms expose sensitive client data.
The Problem: Your Default Workflow Is a Security Gap
Most accounting firms did not choose their file-sharing method deliberately. It evolved. Email was always there. Dropbox was easy. Google Drive was free. And at some point, sharing a client’s W-2 or financial statement became as casual as sending a meeting invite.
Email was built for communication - not for transmitting Social Security numbers, bank account details, and income history. An unencrypted attachment travels through multiple servers before reaching the recipient. Any one of those handoffs is a potential interception point.
Consumer-grade platforms carry their own risks. A personal Dropbox account or free Google Drive folder may be convenient, but they lack the access controls your clients’ data demands. Who has access to that folder? Has it been shared with a third party by accident? Is there an audit trail showing who downloaded what, and when? For most firms using these tools, the honest answer to all three questions is: “We don’t know.”
The problem compounds when staff leave. If a former employee’s personal account was used to share client files, you may have no way to revoke their access to documents already downloaded to their device.
And it only takes one misdirected email - the wrong client’s return sent to the right client’s address, or vice versa - to trigger a conversation you do not want to have.
Why This Matters for CPA Firms
This is not just a best-practices conversation. Two regulatory frameworks speak directly to how your firm must handle transmitted client data.
IRS Publication 4557 - Safeguarding Taxpayer Data directs tax professionals to encrypt taxpayer data in transmission, implement access controls, and maintain a Written Information Security Plan (WISP). If your WISP does not address file transmission - or if you do not have one at all - you are already out of compliance.
The FTC Safeguards Rule, which applies to tax preparers and accounting firms that qualify as financial institutions under the Gramm-Leach-Bliley Act (GLBA), goes further. It requires covered firms to implement MFA, encrypt customer information in transit and at rest, and maintain defined access controls. Fines can reach $100,000 per instance for the firm and $10,000 personally for officers.
Beyond fines, there is the malpractice dimension. A breach caused by an insecure file transfer could expose your firm to professional liability claims. Your errors and omissions (E&O) insurance policy may not cover incidents tied to negligent data handling - some carriers are already adding exclusions for firms that cannot demonstrate basic security controls.
The gap between what these regulations require and what the average firm actually does is significant. Closing it does not have to be complicated.
How to Build a Safer File-Sharing Workflow
Fixing this does not require a complete technology overhaul. It requires choosing the right tools and applying them consistently.
Stop using unencrypted email for document exchange. Attaching a tax return to a standard email is the equivalent of mailing it in a clear envelope. Any document containing taxpayer information should travel through an encrypted channel. Do not assume your email platform handles this automatically - confirm it.
Move to a purpose-built client portal. Portals built into platforms like Thomson Reuters Practice CS, Wolters Kluwer CCH Axcess, or standalone tools like ShareFile or TaxDome give you encrypted document exchange, access controls, and audit trails out of the box. Clients log in with MFA, download their documents, and your firm has a timestamped record of every transaction.
Document your file-sharing policy. Your WISP should name the approved tools, prohibit unapproved ones (including personal cloud accounts), and describe consequences for violations. If staff are still emailing attachments because no one told them not to, the problem is process, not just technology.
Apply access controls based on role. Not everyone on your team needs access to every client file. Segment permissions by role and review them when someone’s responsibilities change or when they leave.
Train your clients, too. Clients will take the path of least resistance. A short onboarding note explaining how to use your portal - and why it matters - redirects the “I’ll just text you a photo of my W-2” habit before it starts.
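The steps above amount to a few concrete controls: access decided by role rather than by who happens to hold a link, revocation that takes effect the moment someone leaves, and an audit trail that can answer "who downloaded what, and when" without guessing. The following is an added example written for this article, not code from One82 or from any of the portal products named above; it models those three controls in a small in-memory portal so you can see what a role-based check and an audit record look like in practice. Every role name, staff member, client matter and document name in it is constructed sample data, and the role table is a hypothetical layout, not a recommendation for how your firm should segment access.

```python
"""
Added example (not part of the original article): a minimal model of the
portal controls described above - role-based access to client files,
immediate revocation at offboarding, and an audit trail that answers
"who downloaded what, and when". All roles, staff, clients and events
below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role table: role -> client matters that role may open.
# "*" stands for every client; an empty set means no document access.
ROLE_PERMISSIONS = {
    "partner": {"*"},
    "tax_prep": {"acme-llc", "jones-family"},
    "front_desk": set(),  # routes requests, never opens returns
}


@dataclass
class Staff:
    username: str
    role: str
    active: bool = True


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    action: str    # "download" or "denied"
    client: str
    document: str
    reason: str    # "ok", "not_authorized" or "inactive_account"


class ClientPortal:
    def __init__(self):
        self.staff: dict[str, Staff] = {}
        self.audit: list[AuditEvent] = []

    def add_staff(self, username: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.staff[username] = Staff(username, role)

    def offboard(self, username: str) -> None:
        # Revocation is a server-side state change: the next request is
        # refused. Files already downloaded to a device are out of scope,
        # which is exactly why a portal beats an emailed attachment.
        self.staff[username].active = False

    def _check(self, username: str, client: str) -> str:
        s = self.staff.get(username)
        if s is None or not s.active:
            return "inactive_account"
        allowed = ROLE_PERMISSIONS[s.role]
        return "ok" if "*" in allowed or client in allowed else "not_authorized"

    def can_access(self, username: str, client: str) -> bool:
        return self._check(username, client) == "ok"

    def download(self, username, client, document, now=None) -> bool:
        ts = now or datetime.now(timezone.utc)
        reason = self._check(username, client)
        action = "download" if reason == "ok" else "denied"
        # Every attempt is logged, including refusals: that is the trail.
        self.audit.append(AuditEvent(ts, username, action, client, document, reason))
        return action == "download"

    def downloads_of(self, client: str) -> list[tuple[str, str, str]]:
        """Answer 'who downloaded what, and when' for one client."""
        return [(e.ts.isoformat(), e.user, e.document)
                for e in self.audit if e.client == client and e.action == "download"]

    def access_review(self) -> list[str]:
        """Two findings a periodic review should surface: attempts by
        offboarded accounts, and active roles that reach every client."""
        findings = []
        for e in self.audit:
            if e.reason == "inactive_account":
                findings.append(f"{e.ts.isoformat()}: offboarded user {e.user} "
                                f"attempted {e.client}/{e.document}")
        for s in self.staff.values():
            if s.active and "*" in ROLE_PERMISSIONS[s.role]:
                findings.append(f"{s.username}: role {s.role!r} reaches every "
                                f"client file; confirm that is required")
        return findings


def demo() -> ClientPortal:
    """Walk through a constructed scenario and return the portal state."""
    portal = ClientPortal()
    portal.add_staff("alice", "partner")
    portal.add_staff("bob", "tax_prep")
    portal.add_staff("carol", "front_desk")
    t0 = datetime(2024, 4, 10, 9, 0, tzinfo=timezone.utc)
    portal.download("bob", "acme-llc", "2023-form-1120.pdf", t0)     # allowed
    portal.download("carol", "acme-llc", "2023-form-1120.pdf", t0)   # denied: front desk
    portal.download("bob", "smith-trust", "2023-form-1041.pdf", t0)  # denied: not bob's client
    portal.offboard("bob")
    portal.download("bob", "acme-llc", "2023-form-1120.pdf", t0)     # denied: offboarded
    return portal


if __name__ == "__main__":
    p = demo()
    print("acme-llc downloads:", p.downloads_of("acme-llc"))
    for line in p.access_review():
        print("finding:", line)
```

The point of the model is where the decisions live: the permission table and the active flag are held by the portal, so changing a role or offboarding a user changes what the next request is allowed to do, and the refusal itself becomes a log line a reviewer can read. Compare that with a shared Dropbox link or an emailed PDF, where there is no place to enforce the role check and nothing records the download.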
What to Look for in an IT Partner
If you are evaluating managed IT providers to help with this, ask specific questions before you commit.
- Do you know IRS Publication 4557 and the FTC Safeguards Rule? General IT providers may not. You need a partner who does.
- Can you help us build and document a WISP? This is a regulatory requirement. A qualified provider should support this process directly.
- What file-sharing platforms do you recommend, and why? Ask for reasoning that connects the recommendation to your compliance obligations - not just a product name.
- How do you handle offboarding? When someone leaves, access should be revoked across all systems immediately. This should be a defined, documented process.
- Do you provide security awareness training? The best tools fail when your team works around them.
The Bottom Line
The way most CPA firms share files today - email attachments, personal cloud accounts, informal workarounds - creates real regulatory, financial, and reputational exposure. Secure file sharing for CPA firms is not complicated or expensive. It requires intentional tool selection, a written policy, and consistent enforcement. The cost of getting this right is small. The cost of getting it wrong is not.
Frequently Asked Questions
What is the safest way to send tax documents to clients?
The safest method is a client portal that encrypts documents in transit and at rest, requires MFA for access, and maintains an audit trail of all activity. Platforms built into practice management software - or standalone tools like ShareFile or TaxDome - meet these requirements. Unencrypted email attachments, including password-protected PDFs, do not provide the same level of protection.
Does the FTC Safeguards Rule apply to my CPA firm?
The FTC Safeguards Rule applies to financial institutions as defined under GLBA, and tax preparers are explicitly included in that definition. If your firm prepares tax returns or provides financial planning services, you are likely covered. Consult a compliance advisor or attorney to confirm your firm’s specific obligations.
What is a WISP, and does my firm need one?
A Written Information Security Plan (WISP) is a documented policy describing how your firm collects, stores, protects, and transmits client data. IRS Publication 4557 directs tax professionals to maintain one, and the FTC Safeguards Rule requires covered firms to have a formal written information security program. The IRS provides a sample WISP template for small tax practices to help firms get started.
What happens if a client’s tax return is accidentally sent to the wrong person?
A misdirected tax document is a data breach under most state notification laws and potentially under the FTC Safeguards Rule. Your firm may be required to notify the affected client and, in some states, the relevant regulatory agency. Beyond compliance obligations, you face potential malpractice exposure and damage to client trust that is difficult to repair.
One82 provides managed IT, cybersecurity, compliance, and AI integration services exclusively for professional services firms in the San Francisco Bay Area. Schedule a 15-Minute Discovery Call to discuss your firm’s secure file sharing posture.