At a meeting of local CPAs last month, one of the attendees said something about a legal or ethical requirement to password protect and encrypt copies of tax returns that are emailed to a client. I have not been doing that. My practice has been to tell clients that I would like to email the taxpayer copy of their return to them and obtain their permission to do so. If they had a concern, I would mail them a paper copy of the return. This news that I might not be doing enough to comply with the law was an immediate concern.
Being a Texas CPA, I checked the websites for the Texas Society of CPAs and the Texas State Board of Public Accountancy for information concerning ethical requirements for CPAs pertaining to email communications. I found nothing on this topic. Similarly, I could not find any information on the American Institute of Certified Public Accountants website or in the AICPA Code of Ethics. I called the Texas Society of CPAs and received a call back from a very helpful committee member who spent considerable time following up on my request. The conclusion, for now, appears to be that Texas does not have any ethical or legal requirement for CPAs to password protect or encrypt electronic copies of tax returns that a CPA emails to clients.
The US Internal Revenue Code includes a provision (Section 7216 for you Code-heads) that empowers the IRS to impose a criminal penalty for knowingly and recklessly disclosing or using tax information for a purpose other than preparing a tax return. The regulations under this provision require data protection after January 1, 2009 on Form 1040 tax information disclosures to tax return preparers located outside of the United States. However, these data protection standards are not applicable to communications between the return preparer and his or her client.
Certainly, the IRS and other regulatory bodies recommend using password protection and encryption to protect sensitive client information, but there are currently no ethical or legal requirements requiring these measures that I can find. I'm going to look into this further. I'd love to hear from any fellow tax return preparers if you have suggestions on securing client communications or on some legal requirements that I might have overlooked in my investigation of the matter. Please leave a comment or send me an email.
7 comments:
Our firm developed software for clients to log in and access their reports. We upload the report to a secure server that automatically sends the client an email with a link, userid, and password. This is a costly option, though.
I am no longer in public accounting, but I vaguely remember that ProSystems had an product similar to the above. I don't know the price.
An inexpensive option would be WinZip which allows one to password protect a zip file. This was my preferred method several years ago. There may be free, open source software today. You would just have to be care that the client would not need to install additional software.
Finally, YouSendit offers secured document delivery. I have used it for large files and it worked well for that. There is a fee for secured delivery, though.
I use Primopdf to send password protected encrypted files containing tax returns and payroll data to my clients. It's free.
I have regularly emailed PDF tax returns to clients. If any emailed document contained an SSN, I would be certain to password protect the PDF. Our firm is currently implementing Prosystem Document. This system includes a "client portal," which allows clients to log in and access documents that have been "published" to the portal. This promises to be a pretty slick solution. We just have to work through all the implementation bugs. Will let you know how it turns out.
The full version of Adobe Acrobat came with my Fujitsu Scansnap scanner, so I'm pretty sure that I can password protect PDF files with that. Do clients have a hard time opening the passworded PDF? Do you have much trouble supporting lost passwords or other technical problems with clients? I've not adopted a dedicated document management software platform because I run mostly Apple computers with Windows in Parallels or VMWare and I do most of my scanning in OSX.
We use the full version of Adobe to occasionally password protect a client's copy of the tax return before emailing. It's easy to do. We use the last four digits of the client's SSN and that seems to alleviate any concerns they have about security.
Thank you for several great suggestions. I do use Adobe Acrobat Professional but my PDF's are usually created right out of Thomson's Go-System product. I'm going to see whether I can password protect the PDF from that system. It would be extra work for me to have to open the file in Acrobat and save it with a password.
While the IRS does not require anything specific re: security of emailed returns- please look to the FTC for guidance http://www.ftc.gov/bcp/edu/microsites/idtheft/business/safeguards.html
Post a Comment