Client Data Security for the Tax Practitioner

By Barton Black, CPA

Editors: Steven F. Holub, CPA and Jane T. Rubin, CPA

The safety and accessibility of client data is a high-priority issue for tax practitioners, who handle a vast amount of data in processing tax forms for individuals, businesses, trusts, and estates. How practitioners safeguard and transmit this data can have a significant impact on the reputation of CPAs in general and of individual practitioners in the local community.

Many practitioners may have developed a backup system that seems to work well but may not measure up to current technology. Over the years, they may have become accustomed to routinely e-mailing information to clients. With the increased use of laptops comes the responsibility of protecting the private data stored on them. The emergence of cloud computing (internet-based) technology presents a new set of challenges in data security.

This column takes a brief look at some practices CPAs should consider when handling data security. Proper planning and initial setup are important because changing established protocols may be quite burdensome.


Most practitioners know—from direct or indirect experience—that they must regularly back up their data. Backups provide for a quick recovery when a problem occurs with an office computer. With a complete backup at hand, the office can be up and running in a matter of minutes or a few hours in the event of a computer disaster.

Some practitioners perform a manual backup daily or weekly. This is done with a wide variety of media such as tape, CD/DVD, external hard drive, or online. Some online backup services provide software to handle this chore on a continual basis by automatically backing up each new file as the user creates or amends it.

The tax practitioner should design an overall backup policy for the office and make certain that it is implemented. The policy should cover all aspects of the system, including a detailed list of what should be backed up, who is responsible, the location of backup files, and a time schedule for backups.

Selecting data to back up: Determine what data on which computers should be backed up. In offices where there is a network, the data to be backed up should be stored on one or more network drives. In smaller offices with no network server, the data can be stored in a centralized data folder, with subfolders for each software application on each computer. Tax and accounting software can be configured to save the data to a standard location. This facilitates easy automated backups of the entire inventory of important firm and client data.

Many tax software providers now provide a means of paperless file retention of not only tax forms but also the documents used in their preparation. A similar system can be created in Windows Explorer by creating a main folder, subfolders by category, such as “Corporations” or “Individuals,” and a separate subfolder for each client. Store the tax forms and documents using a standardized file-naming system, and they will be available for easy access. Clients will be impressed that these documents are so accessible during a meeting or phone call. Once this type of filing system is set up, make sure it is included in the inventory of files to back up.

Another set of files to consider backing up is e-mail records. Increasingly, communications with clients are documented in e-mails. E-mail can be used to make legally binding contracts, arrive at major business decisions, and conduct professional meetings. E-mails should be saved in a format that is easily searchable and should be included in the backup inventory. If possible, store the e-mails by client in each client’s electronic “file cabinet” using subfolders.

Timing: In developing and implementing the office backup policy, determine when the backups will take place. Will they be done at night? First thing in the morning? On the weekend? Make a schedule and plan to follow it without exception. The first time a backup is missed may be the only time you have a data problem. Consider using software or a service provider that automates this process to help avoid the “human error” element. Backups should be done at nonpeak times or when the office is closed because the process can cause network slowness.

Location: Where will the backup be stored? Will it live on an external hard drive kept at the office? Will the backup be on media that can be transported off-site? Will the office use an online backup resource? If an online backup solution is used, will there also be an additional backup in-house or off-site? What security measures will be in place to prevent theft, corruption, damage, or other loss from the off-site handling of sensitive firm and client data?

Responsibility: Who will be responsible for performing backups? Will someone be testing the backup system on a regular basis to make sure the data will be easily retrievable when the need eventually arises?

If the backup solution includes the use of an online service and storage on the provider’s server, strongly consider the use of encryption to safeguard the data. Consider the security of the provider’s entire system. Run periodic tests of the system by retrieving test documents. These providers often allow users to schedule the software to automatically back up files at regular intervals. Backups transported off-site by personnel should also be encrypted in case of loss or theft.
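The periodic restore test described above can be made mechanical. The following is an added example, not part of the original column: it records a SHA-256 manifest of the data folder at backup time and checks a restored copy against it, listing files that are missing or differ. The folder names, file contents, and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest

def verify_restore(manifest, restored_root):
    """Compare a restored folder with the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    changed = sorted(p for p in manifest
                     if p in restored and restored[p] != manifest[p])
    return {"ok": not missing and not changed,
            "missing": missing, "changed": changed}

def write_file(root, rel, data):
    """Helper for the constructed sample: create root/rel with the given bytes."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample: a small client folder and a damaged restore."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        write_file(src, "Individuals/Doe_J/2009_1040.pdf", b"constructed return")
        write_file(src, "Individuals/Doe_J/2009_W2.pdf", b"constructed W-2")
        write_file(src, "Corporations/Acme/2009_1120.pdf", b"constructed corp return")
        manifest = build_manifest(src)
        # Simulated restore: one file intact, one truncated, one never restored.
        write_file(dst, "Individuals/Doe_J/2009_1040.pdf", b"constructed return")
        write_file(dst, "Individuals/Doe_J/2009_W2.pdf", b"constructed")
        return verify_restore(manifest, dst)

if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be saved alongside the backup and kept under the same protection as the data, since the file names alone identify clients.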


Think of e-mails as permanent documents. Everyone has sent an embarrassing or unfortunate e-mail and then felt relief when it was deleted. Be warned: Just because the recipient deletes an e-mail message from his or her inbox and the sender deletes it from his or her sent box does not mean that the e-mail is lost forever. In fact, messages that have been deleted often still exist in backup folders on remote servers for years and can be retrieved by skilled professionals. Be careful about what is put into writing, even in e-mails, because it can come back years later.

There are many aspects of e-mail security to be aware of; this column’s discussion focuses on those that affect the security of clients’ data. Improper use of e-mail in the transmission of data can result in data loss or release of data to unauthorized recipients.

Do not send sensitive data in the text of an e-mail. Hackers can read e-mail and pull out information such as Social Security numbers, credit card numbers, etc. Sensitive data should be put in a file that can be encrypted and attached to the e-mail, if it must be sent at all. If a hacker gets to this e-mail, he or she will need to break the encryption code to get the sensitive information. Most software, such as word processing programs and Adobe Acrobat, enables you to password-protect files. When attaching a password-protected file to an e-mail, do not include the password in the text of the e-mail. In a phone call or a related e-mail, tell the recipient the password in a cryptic style. In general, passwords should be at least eight characters long with letters and numbers. Hacking programs can crack passwords that are too simple in a short amount of time. Note that these are merely steps to help reduce the risk of data theft. All data can be hacked; it’s just a matter of how difficult it will be for the potential hacker.

When a client sends sensitive data, such as an accounting software backup file or a document, scan it for viruses or other malware. Some e-mail service providers automatically scan all incoming e-mails; otherwise use local antivirus software to scan each incoming e-mail.

One of the most vulnerable points in an e-mail’s journey is between the computer and the wireless router that connects the computer to the internet. Thus, it is important to secure wi-fi networks. For very important e-mails, establish the standard of digital signatures. Certification providers supply digital IDs that can be used to sign any e-mail or document sent via e-mail.


Laptops and flash drives are by their nature easily lost or stolen. Keeping this in mind, make sure that client data are properly safeguarded. For a thorough review of the security of portable data, see Petravick and Kerr, “Protect Your Portable Data—Always and Everywhere,” 207 Journal of Accountancy 30 (June 2009).

Pick an operating system that offers a secure logon, file-level security, and the ability to encrypt data. Ultimate data security requires resetting the BIOS password, which can involve sending the laptop to the manufacturer for resetting. BIOS is an acronym for Basic Input/Output System. If you need a password to boot your computer, enter the computer’s setup, or change the settings, you have a BIOS password set. The best BIOS password systems lock the hard drive so a thief cannot simply remove the drive and reinstall it on another machine. This may be more security than most need, but it should be considered.

Clearly mark all laptops with the owner’s name, address, and phone number. Asset tags or engraving can make this marking permanent. Consider registering each laptop with the manufacturer. Write down the laptop’s serial number and store it in a safe place: This information is vital if the laptop is ever lost or stolen.

Laptops should be secured with an automatic, password-protected screensaver, set to activate after 10 minutes (or less) of inactivity. If the laptop has an infrared port, disable it or cover it with black electrical tape. The infrared port can be used to gain unauthorized access to the files on the laptop. Most laptops are equipped with a universal security slot, which allows them to be secured with a cable lock. They should be tethered to a strong, immovable object.

The best answer to data security on a laptop is to not keep sensitive data on the laptop. Use encryption and store the files on a USB drive and keep that drive in a secure place.

Cloud Computing

The emergence of cloud computing has already affected tax practitioners. Some tax software providers offer online tax preparation service. The benefits to the practitioner include real-time updates, no software to install on local computers, the ability to prepare tax forms from any computer (allowing home office preparation), a convenient pay-by-use model, and no long-term contracts.

Some offer online software that can be tailored to act as though everything is done in-house. In this scenario, the preparer transmits client data over the internet to the service provider’s server. Make certain that the client data are secure in transmission, and make sure the provider offers data encryption technology.

Tax Tech Support

Sometimes practitioners have questions for their tax software vendor’s support department. In asking questions and working with the support person, it often seems that the best way for the technical support personnel to answer the questions is to look at the client data. Tax software companies have several ways to do this. They can create a temporary virtual private network and access the files, they can remotely log on to the practitioner’s computer from their location, or the practitioner can e-mail them a “packet” of the client data.

In each of these situations, it is important that the practitioner have an agreement in writing with the provider that client data are private and not to be used or disclosed, and the provider gives the practitioner sufficient assurance that the data are safeguarded in transmission and in its processing systems. The confidentiality requirements of the new regulations under Sec. 7216 should always be adhered to in any such situation.


Good business practice, AICPA standards, and federal (and sometimes state) laws dictate that practitioners must be proactive in securing data in their tax offices. Practitioners handle client information that most people would consider to be very private and sensitive. Recent news stories have shown the impact of data security breaches and the resulting negative publicity, which can severely affect a local firm. The cost of implementing data security measures is relatively inexpensive compared to the potential cost of a security breach. As the use of technology increases, tax practitioners must also increase security measures to protect client data.

Editor Notes
Steven Holub is a partner in Cherry Bekaert & Holland, LLP in Tampa, FL, and is former chair of the AICPA Tax Division’s Tax Practice Management Committee. Jane Rubin runs Educational Strategies Co. in St. Louis, MO, and is chair of the AICPA Tax Division’s Tax Practice Improvement Committee. Barton Black is a sole practitioner in Allen, TX, and is a member of the Tax Practice Improvement Committee. The editors wish to acknowledge the assistance of Danny Burke of Cherry, Bekaert & Holland, LLP, in Tampa, FL, for his technical assistance in the preparation of this column. For information about this column, contact Mr. Black at