VPN for Tax Preparers
Security Six requirement #6: Any remote access to your office network or client data must go through a VPN. Working from home, on the road, or at a client’s office — a VPN encrypts your connection.
Why tax preparers need a VPN
When you access client data from outside your office, that data travels over networks you don’t control — your home ISP, hotel Wi-Fi, coffee shop hotspots. A VPN creates an encrypted tunnel between your device and your office network, so anyone on those networks who intercepts your traffic cannot read it.
IRS Publication 4557 requires VPN use for any remote access to client data. This isn’t just for "working from home" — it applies anytime you access tax software, email, or files from outside your primary office location.
Business VPN vs. consumer VPN
Consumer VPNs (NordVPN, ExpressVPN) route traffic through their servers for privacy. Business VPNs create a direct encrypted connection to your office network. For IRS compliance, you need a business VPN that connects to your own infrastructure, provides access logging, and supports MFA at the connection level.
VPN best practices for tax offices
Always-on VPN
Configure devices to connect to the VPN automatically whenever they are outside the office. If connecting is a manual step, someone will eventually forget it and work over an unsecured network.
MFA on VPN access
Require multi-factor authentication to establish VPN connections. This prevents stolen VPN credentials from being used by attackers.
Split tunneling caution
Split tunneling routes only office traffic through the VPN and sends everything else over the local connection. While convenient, it can expose client data on the non-VPN connection. Disable it for maximum security.
Log all connections
The FTC Safeguards Rule requires activity monitoring. Your VPN should log who connected, when, and from where. Review logs regularly.
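A regular log review can be scripted. The sketch below is an added example, not code from this page or from any VPN vendor: it assumes the VPN can export connection records as CSV with the hypothetical columns timestamp, user, source_ip and mfa, and it flags connections made without MFA, outside assumed office hours, or from a source address not seen before for that user.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; the column names and values are assumptions.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
timestamp,user,source_ip,mfa
2025-02-03T08:55:10,alice,198.51.100.24,yes
2025-02-03T09:02:41,bob,203.0.113.7,yes
2025-02-04T02:13:05,bob,192.0.2.99,yes
2025-02-04T09:10:00,carol,198.51.100.80,no
2025-02-05T08:58:12,alice,198.51.100.24,yes
"""

OFFICE_HOURS = range(7, 20)  # assumed normal working hours, 07:00-19:59


def review(log_text, known_sources=None):
    """Return (timestamp, user, reason) findings for a reviewer to follow up."""
    seen = {u: set(ips) for u, ips in (known_sources or {}).items()}
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, ip, ts = row["user"], row["source_ip"], row["timestamp"]
        when = datetime.fromisoformat(ts)
        if row["mfa"].strip().lower() != "yes":
            findings.append((ts, user, "connected without MFA"))
        if when.hour not in OFFICE_HOURS:
            findings.append((ts, user, "connected outside office hours"))
        # The first address seen for a user sets the baseline; later new ones are flagged.
        if user in seen and ip not in seen[user]:
            findings.append((ts, user, f"new source address {ip}"))
        seen.setdefault(user, set()).add(ip)
    return findings


if __name__ == "__main__":
    for ts, user, reason in review(SAMPLE_LOG):
        print(f"{ts}  {user:<6} {reason}")
```

Passing known_sources (a mapping of user to addresses already verified, such as home connections) lets the first connection in a log be checked as well.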
VPN FAQ for tax preparers
If you never access client data from outside your office and no one on your team works remotely, a VPN isn’t strictly required for the Security Six. However, it’s still a best practice for any cloud-based services you access, and it provides an extra layer of encryption for all your internet traffic. Most tax practices have at least some remote access needs.
Free consumer VPNs are not suitable for tax practice use. They often sell user data, lack proper encryption, don’t provide access logging, and route traffic through shared servers. For IRS compliance, you need a business VPN that connects to your own infrastructure and provides the logging and MFA support required by the FTC Safeguards Rule.
Cloud-based tax software uses HTTPS for the connection to its servers, which provides encryption in transit. However, a VPN adds an additional layer by encrypting all your traffic at the network level, preventing your ISP or anyone on your local network from seeing which services you’re accessing. The IRS recommends VPN use even with cloud software when working outside your primary office.
Protect Your Tax Practice Today
Schedule a free consultation with our cybersecurity experts. We'll review your current security posture and help you achieve full IRS compliance.
