Security Six • Protection #4

Data Encryption for Tax Preparers

Security Six requirement #4: All client data must be encrypted at rest and in transit. This means tax returns, SSNs, financial records, and backups — everywhere they exist.

256-bit: the AES key length this page treats as the baseline
2x: encryption is required in both states, at rest and in transit
$4.35M: average cost of a data breach (IBM, Cost of a Data Breach Report 2022)
100%: of client data must be encrypted; there is no exempt subset

Encryption at rest vs. in transit

Encryption at Rest

Data stored on your devices, servers, and backups. Use full-disk encryption (BitLocker on Windows, FileVault on Mac) and encrypted cloud storage. If a device is lost or stolen, full-disk encryption makes the data unreadable without the key. The protection is strongest when the device is powered off: once it is booted and signed in, the operating system decrypts transparently, so encryption complements, rather than replaces, screen locks, strong sign-in credentials and malware protection.

Encryption in Transit

Data being sent between systems: emails, file uploads, web connections. Use TLS for web traffic (SSL and TLS 1.0/1.1 are deprecated and should be disabled), end-to-end encrypted email (S/MIME) or a secure portal for documents, and SFTP rather than FTP for file transfers. Transport TLS between mail servers is opportunistic: it protects a hop only when both servers support it, and you can neither see nor control the hops beyond your own provider, so do not rely on it alone. Never send client data over unencrypted channels.

The FTC Safeguards Rule (16 CFR 314.4(c)(3)) explicitly requires encryption of all customer information, both in transit over external networks and at rest. This is part of the Rule's nine required elements, not a recommendation; the only alternative it allows is effective compensating controls, reviewed and approved by your Qualified Individual, where encryption is genuinely infeasible. If an auditor or breach investigation finds unencrypted client data, you're in violation.

Where encryption is required in your practice

Computer hard drives

Enable BitLocker (Windows) or FileVault (Mac) on every device, including laptops used at home. Full-disk encryption protects data if a device is lost or stolen. Store the recovery key somewhere other than the device itself (BitLocker keys can be escrowed to Microsoft Entra ID or Active Directory, FileVault keys to iCloud or your MDM); a lost recovery key turns a failed update into permanent data loss. Verify rather than assume that encryption is on: manage-bde -status on Windows and fdesetup status on macOS report the state of each volume.

Email communications

Use an encrypted email service or a secure client portal. Transport TLS between mail servers is usually on by default, but you do not control it end to end, so treat it as a floor rather than a safeguard. Never email unencrypted tax documents: use a secure portal, S/MIME, or an encrypted attachment whose password travels by a different channel.

Cloud storage

Verify that your cloud provider encrypts data at rest and in transit, and keep the evidence (the provider's security documentation or SOC 2 report) with your WISP. ShareFile, SmartVault, and most business cloud services include this. Provider-managed encryption protects against theft of the provider's storage, not against a compromised login on your side, so strong authentication on the account is still essential.

Backup files

Backups contain all your client data. They must be encrypted too: an unencrypted backup is a single point of failure for your entire practice, whether it is an external drive in a desk drawer or a cloud archive. Keep the backup encryption key separate from the backup media, and test a restore periodically; an encrypted backup you cannot decrypt is as much a loss as one that was stolen.

Encryption FAQ for tax preparers

Is a password-protected PDF enough?

No. A PDF "permissions" password only restricts printing and editing and is stripped trivially. An "open" password does encrypt the file, but its strength is only that of the password, which is usually short, guessable and attackable offline for as long as the file exists, and older PDFs use 40-bit RC4. True encryption uses AES-256 or a comparable standard with a properly random key, which is what full-disk encryption (BitLocker, FileVault) and encrypted cloud storage provide. A password-protected PDF on its own is not sufficient for IRS or FTC compliance.

Can I email tax documents to clients?

You should never send unencrypted tax documents via email. The best practice is a secure client portal (ShareFile, SmartVault) for document exchange. If you must email a document, use an encrypted email service or an encrypted attachment, and share the password through a separate channel (phone or text) so that whoever intercepts the email does not also get the key; a password in the same email, or in a follow-up email, defeats the purpose. Use a long random password rather than something guessable, because an attacker who captures the file can try passwords against it offline indefinitely.

What encryption standard do I need?

The IRS and FTC don't name a single algorithm, but AES-256 is the industry benchmark and what you should ask vendors for. For data in transit, TLS 1.2 or later is the accepted minimum, with TLS 1.3 preferred; TLS 1.0 and 1.1 are formally deprecated (RFC 8996) and should be disabled. Most modern software and cloud services use these standards by default. Verify it with your vendors and document the answer in your WISP.
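To make the "TLS 1.2 or later" rule from the section on encryption in transit concrete, this added example (not code from this page, the IRS, or any vendor named here) runs two handshakes in Go against a server configured with that minimum: a legacy client that offers only TLS 1.0 is refused before any data moves, and a modern client negotiates TLS 1.3. The certificate is minted in memory for the hypothetical host portal.example so the program runs offline; a real portal presents a CA-issued certificate, and the client verifies it the same way, against a trusted root pool, never with InsecureSkipVerify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is a hypothetical portal hostname used only for this example.
const serverName = "portal.example"

// selfSignedCert mints a throwaway ECDSA P-256 certificate for serverName and a
// root pool that trusts it, so the example needs no network and no real CA.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// ServerConfig is the hardened side: nothing below TLS 1.2 is accepted.
// SessionTicketsDisabled only keeps the unbuffered in-memory pipe below from
// stalling on the post-handshake ticket; it is not part of the security posture.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}
}

// ClientConfig offers the given version range and verifies the server against
// the supplied roots and expected hostname.
func ClientConfig(roots *x509.CertPool, min, max uint16) *tls.Config {
	return &tls.Config{
		RootCAs:    roots,
		ServerName: serverName,
		MinVersion: min,
		MaxVersion: max,
	}
}

// Handshake runs one TLS handshake over an in-memory pipe and returns the
// negotiated protocol version, or the first error raised by either side.
func Handshake(server, client *tls.Config) (uint16, error) {
	sRaw, cRaw := net.Pipe()
	serverDone := make(chan error, 1)
	go func() {
		s := tls.Server(sRaw, server)
		err := s.Handshake()
		sRaw.Close()
		serverDone <- err
	}()
	c := tls.Client(cRaw, client)
	clientErr := c.Handshake()
	cRaw.Close()
	if serverErr := <-serverDone; serverErr != nil {
		return 0, fmt.Errorf("server: %w", serverErr)
	}
	if clientErr != nil {
		return 0, fmt.Errorf("client: %w", clientErr)
	}
	return c.ConnectionState().Version, nil
}

func main() {
	cert, roots, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	server := ServerConfig(cert)
	cases := []struct {
		name     string
		min, max uint16
	}{
		{"legacy client, TLS 1.0 only", tls.VersionTLS10, tls.VersionTLS10},
		{"modern client, TLS 1.2 to 1.3", tls.VersionTLS12, tls.VersionTLS13},
	}
	for _, tc := range cases {
		v, err := Handshake(server, ClientConfig(roots, tc.min, tc.max))
		fmt.Printf("%s: negotiated=%#x err=%v\n", tc.name, v, err)
	}
}
```

The single MinVersion line in ServerConfig is what turns the FAQ answer into an enforced policy, and it is the setting to ask a vendor about when you document their transport encryption in your WISP. The legacy client is refused with a protocol-version alert during the handshake, so no client data is ever sent over the weaker protocol.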

Protect Your Tax Practice Today

Schedule a free consultation with our cybersecurity experts. We'll review your current security posture and help you achieve full IRS compliance.
