Security Protocols

#1
Posts:
71
Joined:
19-Sep-2019 3:08pm
Location:
Baltimore, MD
Hi Everyone,

This is my first tax season and I wanted to get people's opinions on certain security protocols.
Is there a requirement of security for sending documents to clients or is it just recommended?
Other than traditional email messages, is there a better way of sending secure documents?

Thank you.
 

#2
sjrcpa  
Posts:
6576
Joined:
23-Apr-2014 5:27pm
Location:
Maryland
MD law prohibits sending anything with a SSN in a nonsecure transmission.
I wouldn't do it anyway even if we didn't have the law.
 

#3
Posts:
71
Joined:
19-Sep-2019 3:08pm
Location:
Baltimore, MD
Thank you for the tip.
Would you be able to reference the law?
 

#4
sjrcpa  
Posts:
6576
Joined:
23-Apr-2014 5:27pm
Location:
Maryland
Sorry, no. It was enacted a number of years ago.
But also look at the IRS requirements.
 

#5
EADave  
Posts:
1427
Joined:
22-Apr-2014 9:25pm
Location:
Texas
If you are looking for secure methods of sending tax data to clients, you can try these folks: https://www.sharefile.com/pricing

We used them, and still use GOTOMYPC (same company, different product), but now we use Canopy, which has absolutely worked wonders for us. https://www.canopytax.com/

Canopy also has a Tax Resolution and Transcript package that works wonders; you know, if you're into that sorta thing....and they offer E-Signatures, document/portal storage, scheduling, etc, etc. It's good stuff Maynard!

Congrats on your first year; try not to go insane and hug your family during tax season when you get a chance!

Here's your State's law reference:
https://law.justia.com/codes/maryland/2 ... btitle-35/

And, here, page 44: https://www.bakerlaw.com/files/Uploads/ ... e_Form.pdf
 

#6
Posts:
71
Joined:
19-Sep-2019 3:08pm
Location:
Baltimore, MD
Thank you so much for that information @EADave.
I'm looking to spend as little money as possible this tax season.
If I could find something either free or very cheap that would be great.
 

#7
EADave  
Posts:
1427
Joined:
22-Apr-2014 9:25pm
Location:
Texas
I’m with you, the discretionary income will come with some seasons under your belt, as your practice grows. I know Drake offers a service called Secure File Pro; I’m not 100% sure if they offer it to non Drake users. As low as $10 a month for up to 250MB. https://www.drakesoftware.com/products/securefilepro/
 

#8
makbo  
Posts:
6840
Joined:
23-Apr-2014 3:44pm
Location:
In The Counting House
This thread belongs in the Business Operations sub-forum.
 

#9
Posts:
71
Joined:
19-Sep-2019 3:08pm
Location:
Baltimore, MD
Sorry about that.
Can a moderator please move this thread over to the Business Operation sub-forum?

Thank you.
 

#10
Posts:
2934
Joined:
21-May-2018 7:50am
Location:
Northern MI and Coastal SC
Regardless of law, I refuse to transmit anything through unencrypted means if it contains confidential information. That means clients either receive an encrypted e-mail, or a link to an encrypted portal. Is it 100% secure? Nope, nothing is, but it is a heck of a lot better than standard e-mail or other forms of communication that can very easily expose sensitive information.

I even include a link in my e-mail signatures for clients to be able to send me an encrypted e-mail. More and more are starting to utilize it, which is encouraging--it proves they care about security, and appreciate my attempts to protect their information.
 

#11
Posts:
71
Joined:
19-Sep-2019 3:08pm
Location:
Baltimore, MD
Thanks, CornerstoneCPA.
That's a great idea about the link in the signature.
What software do you use to send encrypted emails?

Thanks.
 

#12
Posts:
2934
Joined:
21-May-2018 7:50am
Location:
Northern MI and Coastal SC
y10nbaum wrote: Thanks, CornerstoneCPA.
That's a great idea about the link in the signature.
What software do you use to send encrypted emails?

Thanks.


Encyro. I like it, though they are currently having issues with their MS Outlook integration not being able to send notifications to GMail users. It has been traced to a Microsoft API issue, and it is my understanding there is an update coming out to solve it. In the interim, Encyro has waived my subscription fee for 6 months.

I am willing to give them lenience on the matter despite preferring to utilize the MS Outlook integration, because they are EXTREMELY customer oriented.

Otherwise, I use SmartVault for a secure portal and will insert links to specific docs or folders in a regular e-mail, since they cannot be accessed without logging into SmartVault.
 

#13
Beagle  
Posts:
190
Joined:
16-Jan-2020 3:15pm
Location:
Freelander
I have a client who works in a tech area at the FBI. He informed me on our first meeting that nothing should ever be emailed, even if encrypted - they will physically pick up everything. I know people use an electronic delivery box on their websites, he said I am not allowed to put any of his documents through such a site. Just so you know.

I still encrypt clients pdfs for email but I recognize it's likely worthless if someone really wanted in the file.
 

#14
Posts:
71
Joined:
19-Sep-2019 3:08pm
Location:
Baltimore, MD
Thanks for the tips.
I've found the free version of Encyro to be useful so far for what I need.

Thanks!
 

#15
Frankly  
Moderator
Posts:
2485
Joined:
21-Apr-2014 9:08am
Location:
California
Beagle wrote: He informed me on our first meeting that nothing should ever be emailed, even if encrypted - they will physically pick up everything.

Who exactly will pick up everything? The FBI? And how exactly will they accomplish getting access to either the sender's e-mail account or the recipient's account? What's the mechanics of this?
 

#16
Beagle  
Posts:
190
Joined:
16-Jan-2020 3:15pm
Location:
Freelander
Frankly wrote:
Beagle wrote: He informed me on our first meeting that nothing should ever be emailed, even if encrypted - they will physically pick up everything.

Who exactly will pick up everything? The FBI? And how exactly will they accomplish getting access to either the sender's e-mail account or the recipient's account? What's the mechanics of this?


Look up Room 641A on the internet. Frontline reported on it and Wikileaks released docs proving it. That is from 2004, it's greatly expanded since then. I surmise from the client's comments that if the government has access, private individuals have access. Many of the NSA's hacking tools were stolen in 2016 and put up for sale on the internet. Do you know who Edward Snowden is by chance?

"Physically pick up" meant the client would physically pick up the physical copy.
 

#17
makbo  
Posts:
6840
Joined:
23-Apr-2014 3:44pm
Location:
In The Counting House
Beagle wrote: I have a client who works in a tech area at the FBI. He informed me on our first meeting that nothing should ever be emailed, even if encrypted [...] I still encrypt clients pdfs for email but I recognize it's likely worthless if someone really wanted in the file.

I wonder if there is an accurate understanding here of "encryption". In particular, there needs to be a clear understanding of the difference between Transport-level encryption and End-to-end encryption. It sounds like neither you nor your FBI client are very clear on this topic, especially based on your reference to "room 641A".

https://en.wikipedia.org/wiki/Email_encryption
https://en.wikipedia.org/wiki/End-to-end_encryption

"End-to-end encryption (E2EE) is a system of communication where only the communicating users can read the messages. In principle, it prevents potential eavesdroppers – including telecom providers, Internet providers, and even the provider of the communication service – from being able to access the cryptographic keys needed to decrypt the conversation."

How are you "encrypt[ing] clients pdfs"? Simply adding a PDF password is not necessarily the same thing as encrypting. Encrypting a PDF is the opposite of worthless (assuming industry standard high-strength encryption).
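
Whether a password-protected PDF uses strong encryption can be read from the file itself. The following is an added example, not part of the thread: a simplified Python scanner that reads a PDF's `/Encrypt` dictionary (standard security handler) and reports the cipher it declares. The sample bytes are constructed, and accepting only AES is this example's assumption.

```python
import re

def classify_pdf_encryption(data: bytes):
    """Return (label, acceptable) for the cipher a PDF's /Encrypt dictionary declares."""
    if b"/Encrypt" not in data:
        return ("not encrypted", False)
    # The trailer normally points at the dictionary as an indirect object: "N G R".
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    obj = ref and re.search(rb"\b%s\s+%s\s+obj(.*?)endobj" % ref.groups(), data, re.S)
    if not obj:
        return ("encrypted, dictionary not parsed", False)
    body = obj.group(1)

    def num(key, default=None):
        m = re.search(rb"/" + key + rb"\s+(\d+)", body)
        return int(m.group(1)) if m else default

    v = num(b"V", 0)                       # algorithm version
    m = re.search(rb"/CFM\s*/(\w+)", body)  # crypt filter method (V 4 and 5)
    cfm = m.group(1).decode() if m else None
    if v == 1:
        return ("RC4 40-bit", False)
    if v == 2:
        return ("RC4 %d-bit" % num(b"Length", 40), False)
    if v == 4 and cfm == "AESV2":
        return ("AES-128", True)
    if v == 4 and cfm == "V2":
        return ("RC4 (crypt filter)", False)
    if v == 5 and cfm == "AESV3":
        return ("AES-256", True)
    return ("unrecognised /V %d" % v, False)

# Constructed fragments: only the parts of a PDF this check reads.
SAMPLE_RC4 = b"""%PDF-1.4
7 0 obj
<< /Filter /Standard /V 1 /R 2 /O <00> /U <00> /P -44 >>
endobj
trailer
<< /Size 8 /Root 1 0 R /Encrypt 7 0 R >>
"""
SAMPLE_AES256 = b"""%PDF-1.7
9 0 obj
<< /Filter /Standard /V 5 /R 6 /Length 256
   /CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >>
   /StmF /StdCF /StrF /StdCF /P -1084 >>
endobj
trailer
<< /Size 10 /Root 1 0 R /Encrypt 9 0 R >>
"""
```

The cipher is only half of the picture: an AES-encrypted PDF is still only as strong as its password and the channel used to share that password with the client.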
 

