Skip to content

Free 15-minute cybersecurity consultation — no obligation

Book Free Call
Tax32 min readDeep Dive

Secure Email for Tax Professionals: Client Communication Guide

Learn how to secure client email communications as a tax professional. IRS Publication 4557 requirements, encrypted email options, and WISP documentation explained.

Secure Email for Tax Professionals: Client Communication Guide - secure email for tax professionals client communication

Why Secure Email Matters for Tax Client Communication

Tax professionals handle some of the most sensitive personal and financial data in existence, Social Security numbers, employer identification numbers, income records, bank routing details, and years of financial history. When that data moves through standard, unencrypted email, it becomes an accessible target for cybercriminals who specifically target accounting firms and tax preparers throughout filing season.

The IRS has been direct about this: protecting client data is a legal obligation, not a best practice. IRS Publication 4557 requires every tax professional who prepares returns for others to implement written data security safeguards, including safeguards for how client data is transmitted electronically. That means your email practices are under regulatory scrutiny whether or not you have approached them in those terms before.

This guide explains what secure email for tax professionals means in concrete terms, which compliance requirements govern client communication, what features to look for when choosing a solution, and how to implement a setup that satisfies both your clients and the IRS.

Tax Professional Email Risk by the Numbers

$4.88M
Average Data Breach Cost

IBM Cost of Data Breach Report 2024

68%
Breaches Involve Human Element

Verizon Data Breach Investigations Report 2024

11+
Returns Trigger Mandatory WISP

IRS Publication 4557: tax preparers filing 11 or more returns must maintain a Written Information Security Plan

Why Standard Email Is Not Safe for Client Tax Data

Most email services, including consumer Gmail, Yahoo Mail, and Microsoft Outlook without additional configuration, do not provide end-to-end encryption. What they offer is TLS (Transport Layer Security) encryption, which protects messages in transit between mail servers but leaves messages readable by the email provider and fully exposed if an account is compromised.

The Verizon Data Breach Investigations Report 2024 found that 68% of breaches involved a human element, most often phishing or use of stolen credentials. For tax professionals, a successful phishing attack against your account or a client's account is a direct path to client data, because email inboxes contain not just messages but tax documents, scanned identification, and prior-year returns sent as attachments over years of client relationships.

Standard email creates three specific risks for tax professionals:

  • Account compromise: If phishing succeeds against your account or a client's account, all stored email, including historical messages with sensitive attachments, is accessible without any additional decryption step.
  • Inconsistent server-to-server encryption: TLS protection between mail servers is not guaranteed when the receiving domain does not enforce it, leaving messages potentially exposed in transit.
  • Uncontrolled data retention: Tax data sent via unencrypted email may remain in inbox archives indefinitely, compounding exposure risk across multiple filing seasons.

Addressing these risks is not discretionary under irs publication 4557 safeguarding taxpayer data wisp requirements. Your Written Information Security Plan (WISP) must document how electronic transmissions of client data are secured, and standard email without documented controls is a direct compliance gap.

Regulatory Requirement

Under IRS Publication 4557 and the Gramm-Leach-Bliley Act (GLBA), tax professionals who prepare federal returns must safeguard taxpayer data, including how it is transmitted electronically. Failure to implement adequate data security measures, including secure email practices, can result in IRS sanctions and FTC enforcement action under the Safeguards Rule.

What Secure Email for Tax Professionals Must Include

Not all email security products are equivalent. Marketing terms like "encrypted email" cover a wide range of implementations, some of which still leave significant gaps. When evaluating solutions for tax client communication, specific capabilities matter for both security and IRS compliance.

End-to-End Encryption

True end-to-end encryption (E2EE) means the message content is encrypted on the sender's device and can only be decrypted by the intended recipient, not by the email provider, not by anyone intercepting traffic between servers. Standards for E2EE email include S/MIME (Secure/Multipurpose Internet Mail Extensions) and PGP (Pretty Good Privacy). Many purpose-built secure email platforms implement proprietary E2EE that does not require recipients to manage cryptographic keys, simplifying the client experience while maintaining strong protection.

Multi-Factor Authentication

Even with encrypted content, a compromised account can expose all stored messages. Multi-factor authentication (MFA) is a non-negotiable control for any email system handling client tax data. The IRS explicitly includes MFA in its Security Summit recommendations for tax professionals, and the FTC Safeguards Rule requires MFA for systems processing client financial data.

Audit Logging and Message Control

Your WISP must document how client data is transmitted and accessed. Email systems that maintain immutable audit logs, recording who sent what, to whom, and when, provide the evidence trail that satisfies IRS and FTC documentation requirements. Message expiration controls add an additional layer of data minimization, limiting how long sensitive information remains accessible after the immediate filing need has passed. This is especially valuable during incident response, when you need to establish precisely what data was exposed.

Core Capabilities of a Compliant Secure Email Solution

End-to-End Encryption

Message content encrypted on the sender's device and decryptable only by the intended recipient, not the provider or anyone intercepting traffic between servers.

Multi-Factor Authentication

Required for all staff accounts. Prevents unauthorized access even when credentials are stolen through phishing or credential-stuffing attacks.

Audit Logs and Reporting

Immutable records of message access, delivery, forwarding, and file downloads, essential for WISP documentation and incident response timelines.

Message Expiration and Recall

Set time limits on message access or revoke a sent message entirely, limiting data retention risk beyond the immediate client communication need.

Anti-Phishing Protection

Inbound filtering that identifies spoofed sender addresses, malicious links, and impersonation attempts targeting your practice and your clients.

Large File Transfer

Secure channel for sending complete tax returns, supporting schedules, and K-1s without unencrypted file-sharing links or attachment size constraints.

IRS and FTC Requirements That Govern Tax Professional Email

Three regulatory frameworks directly shape email security obligations for tax professionals in the United States.

IRS Publication 4557 and the WISP Requirement

Any tax preparer who files 11 or more returns is required to maintain a Written Information Security Plan under tax safeguard compliance 4557 guidance. The WISP must document all systems that touch client data, including email, and specify the controls in place for each. A WISP that lists email as a communication channel without corresponding encryption controls is an incomplete document that would not withstand IRS scrutiny following a breach or audit. A complete starting point is available in our irs publication 5708 wisp template, which includes email security control documentation.

FTC Safeguards Rule

Tax preparation firms are classified as financial institutions under the FTC Safeguards Rule. The rule requires covered entities to implement MFA, encrypt customer data in transit and at rest, maintain access logs, and designate a qualified individual responsible for information security. The FTC has authority to pursue enforcement action against firms that fail to comply. See our detailed breakdown of the FTC Safeguards Rule for tax preparers for a compliance checklist your practice can act on.

Gramm-Leach-Bliley Act

The GLBA Safeguards Rule is the underlying statute that the FTC enforces for financial services firms, including tax preparers. GLBA requires a thorough information security program that addresses electronic transmission of nonpublic personal information (NPI). Client tax data, names, SSNs, income figures, and account numbers, qualifies as NPI under the statute, making encrypted email a compliance requirement rather than an optional control. For sole-proprietor practices building their first compliance program, the wisp template for sole proprietor provides a documented framework addressing all three of these regulatory requirements.

How to Implement Secure Email in Your Tax Practice

1

Audit Current Communication Practices

Document every channel used to send or receive client data: standard email, text messages, unencrypted file-sharing links, or fax. Identify which channels lack encryption and which require remediation under your WISP.

2

Choose a Compliant Email or Portal Solution

Evaluate purpose-built secure email platforms, such as ProtonMail for Business, Zix, or Tutanota, or tax-specific secure client portals that include encrypted messaging. Confirm the solution provides E2EE, MFA, audit logs, and message expiration before purchasing.

3

Update Your Written Information Security Plan

Revise your WISP to document the new email security controls, including encryption standards used, authentication requirements, and message retention policies. Record the date of implementation and the specific product or protocol deployed.

4

Enable MFA on All Staff Accounts

Configure MFA on every staff email account before migrating clients to the new system. Prefer authenticator app codes over SMS-based codes for stronger protection. Set role-based access controls so each staff member accesses only the client files relevant to their work.

5

Notify and Onboard Clients

Send clients a clear explanation of the new secure communication channel: what it is, how to access it, and why you are making this change. Include step-by-step first-access instructions to reduce friction and support calls during the transition.

6

Conduct Staff Security Awareness Training

Train all staff on phishing recognition, proper use of the secure email system, and the firm's written policy for handling sensitive data requests received through unapproved channels. Document training completion in your security records.

7

Test, Verify, and Document

Send test encrypted messages to confirm delivery and readability. Test MFA workflows for both staff and client-facing access. Verify that audit logs capture expected events. Record the test date and results in your WISP documentation.

Secure Email vs. Secure Client Portals: Which Fits Your Practice?

Tax professionals typically face a choice between two fundamentally different approaches to secure client communication: encrypted email add-ons that work within existing inboxes, and purpose-built secure client portals that replace email for document exchange and messaging. Both can satisfy IRS and FTC requirements when properly implemented; the right fit depends on practice size, client volume, and workflow preferences.

Encrypted email add-ons integrate with existing platforms like Microsoft 365 or Google Workspace, typically adding a "send securely" option that encrypts the message and delivers it through a secure viewer or requires recipient authentication before reading. The advantage is minimal workflow change for staff. The tradeoff is variable client experience, some systems require clients to create accounts or navigate to a web-based reader, which can generate support calls during tax season when clients are already managing multiple deadlines.

Secure client portals, platforms like TaxDome, Canopy, or SmartVault, provide a dedicated space for all client communication, document exchange, e-signatures, and messaging. These systems typically include stronger audit trails and are designed specifically for the tax preparation workflow. Our detailed analysis of the security of tax client portals for sensitive data covers the specific controls to evaluate when comparing portal options.

For practices handling 50 or more active clients or managing multiple staff members with client data access, a full secure portal generally provides stronger compliance documentation, more consistent audit logging, and better overall client experience than encrypted email alone. Smaller sole-proprietor practices may find encrypted email sufficient when properly configured and fully documented in the WISP.

Regardless of which path you choose, the decision should follow from documented risk assessment and be recorded in your WISP. Both approaches address the same underlying requirement: ensuring taxpayer data in transit is protected from unauthorized interception or access. For a broader view of the threats targeting tax preparers today, including the threat actors most likely to target email, see our overview of tax preparer security threats.

Email Security Best Practices for Tax Professionals

Choosing the right secure email solution is step one. Operating it correctly is what actually protects your clients and your practice. These practices apply regardless of which platform you use.

Never Include SSNs or EINs in Email Subject Lines or Preview Text

Even when using a secure email platform, train all staff never to include full Social Security numbers or Employer Identification Numbers in message subject lines, preview text, or notification emails, elements that may bypass the encryption layer or appear in mobile push notifications. Sensitive identifiers belong inside document attachments transmitted through the encrypted channel, not in message metadata that travels outside the secure envelope.

Establish a Written Policy for Inbound Client Data

Clients will sometimes send sensitive documents to your standard inbox regardless of what system you set up. Your firm needs a documented procedure: acknowledge receipt, transfer the data to your secure system immediately, delete the original from the standard inbox, and redirect the client to your approved secure channel going forward. This procedure should appear explicitly in your WISP, not just as a practice, but as a documented control with a staff owner responsible for following it.

Configure DMARC, DKIM, and SPF on Your Domain

Email authentication protocols, specifically DMARC (Domain-based Message Authentication, Reporting and Conformance)DKIM (DomainKeys Identified Mail), and SPF (Sender Policy Framework), prevent attackers from sending emails that appear to originate from your firm's domain. Without these records, a threat actor can send phishing emails to your clients under your firm's name, a tactic used specifically to harvest client credentials or redirect tax refunds. Your domain registrar or IT provider can configure all three, and the records should be documented as a control in your WISP.

Review Access Logs After Each Filing Season

Audit logs exist to be reviewed, not just collected. After each filing season, review email system access logs for anomalous patterns: unexpected login locations, large file downloads, access outside normal business hours, or forwarding rules you did not set. Document each review with the date, what was checked, and any findings or changes. For practices without in-house IT staff, this monitoring is a core function of a managed security provider experienced with cybersecurity for tax professionals. If you are evaluating whether to retain a managed service provider or a dedicated cybersecurity firm, our guide on cybersecurity company vs msp explains what each model provides for practices of different sizes.

Secure Your Tax Client Email Communications

Bellator Cyber Guard helps tax professionals implement IRS-compliant email security, complete WISP documentation, and ongoing security monitoring, without requiring in-house IT staff. Get a free assessment today.

Frequently Asked Questions

Standard Gmail and Outlook without additional encryption add-ons are not sufficient for sending sensitive tax data. Both use TLS encryption in transit, but messages are not end-to-end encrypted, the provider can access message content, and a breached account exposes all stored messages and attachments without any additional decryption step. IRS Publication 4557 compliance requires documented encryption controls that standard consumer or business email does not provide by default.

Your Written Information Security Plan must document: the email system or secure portal you use, the encryption method in place (TLS vs. E2EE), how user authentication is handled including MFA requirements, access logging practices, your data retention and deletion policy for client email, and your procedure for handling client data sent through unapproved channels. The IRS does not mandate a specific product, but the documented controls must be adequate to protect taxpayer data and withstand scrutiny after an incident.

TLS (Transport Layer Security) encrypts email in transit between mail servers, but the email provider can read message content on their servers, and the message is stored in a form the provider can access on the receiving server. End-to-end encryption (E2EE) encrypts the message on the sender's device so that only the intended recipient can decrypt it, not the email provider and not anyone who intercepts the message in transit. For tax professional compliance, E2EE provides significantly stronger protection than TLS alone and is the standard your WISP should specify.

Either approach can satisfy IRS and FTC requirements when properly implemented and documented in a WISP. Encrypted email add-ons for Microsoft 365 or Google Workspace work well for smaller or sole-proprietor practices with lower client volume. Purpose-built secure client portals provide stronger audit trails, better document lifecycle management, and cleaner compliance documentation, making them a better fit for practices with multiple staff members or high client volume. The right choice should reflect your operational risk profile and be fully documented in your WISP.

Standard SMS text messaging is not encrypted and should not be used to send sensitive client data, including SSNs, EINs, income figures, or tax documents. Some platforms such as Signal provide E2EE messaging but lack the audit logging and compliance reporting required for WISP documentation in a business context. Your WISP should specify which communication channels are approved for which types of information and explicitly prohibit transmission of nonpublic personal information through unapproved channels.

When a client sends sensitive data through an unsecured channel, take three immediate steps: acknowledge receipt to the client, transfer the data to your secure system and delete it from the standard inbox, and redirect the client to your approved secure channel for all future transmissions. This procedure should be documented in your WISP as your standard protocol for handling nonpublic personal information received through unapproved channels. If this occurs frequently, it typically indicates your secure channel onboarding process needs clearer client instructions or a simpler access flow.

DMARC (Domain-based Message Authentication, Reporting and Conformance), along with DKIM and SPF, prevents attackers from sending emails that appear to originate from your firm's domain. Without these records, a threat actor can send phishing emails to your clients under your firm's name, a technique specifically used during tax season to harvest client credentials or redirect refunds. Your domain registrar or IT provider can configure all three protocols, and their implementation should be documented as a security control in your WISP.

Review your email security controls at minimum annually as part of your required WISP review cycle. Additional reviews are warranted after any staff departure (revoke access immediately), after any security incident involving email, when you change email providers or portal platforms, and at the start of each filing season to verify all controls are active and properly configured. Document each review, including the date, what was checked, and any findings or changes, to create an auditable security management record your firm can rely on if the IRS or FTC ever inquires about your security program.

Share

Share on X
Share on LinkedIn
Share on Facebook
Send via Email
Copy URL
(800) 492-6076
Share

Schedule

Need help with IRS compliance?

Our tax cybersecurity specialists can review your security posture and help you get compliant.

Protect your tax practice from cyber threats

Schedule a free consultation to assess your firm's security posture.