Email policy

#1
ShawnE  
Posts:
218
Joined:
3-Feb-2016 11:25am
Location:
Las Vegas
My clients email me all the time with paperwork that has their social on it etc etc. It is their choice to put their data at risk.
My feeling and policy has been to provide a site for them to download and I will not email. In a pinch I'll password a pdf and email if I have to - rare.

I got a nasty push back from a state sales tax auditor about it. They can't use the link etc etc. I must email them the documents etc etc. There is no such guidance or prohibition on email w2s etc etc. Bit of an Ahole. And yes a sales tax audit in Nevada wants payroll info to cross reference state unemployment. That said

I seem to recall the IRS saying we should never email sensitive data - but I can't find that. Does anyone know of that kind of doc?

What is your policy?
 

#2
JAD  
Posts:
4074
Joined:
21-Apr-2014 8:58am
Location:
California
I email if my clients want me to - and they all do. Password protect. But it is different when a client wants you to send the client info vs sending client's docs to a third party. Esp if the auditor is a jerk. Perhaps tell the auditor that it is standard operating procedure across the industry not to do what he has requested, that using a secure site is recognized as safer, and that you will FedEx him a CD with the documents he has requested since he is having trouble with the link. Or even better - send him hard copies!!!
 

#3
ShawnE  
Posts:
218
Joined:
3-Feb-2016 11:25am
Location:
Las Vegas
mostly at this point I'd love to find an IRS doc that outlines NOT emailing unencrypted files = and beat him over the head with it.
 

#4
sjrcpa  
Posts:
6563
Joined:
23-Apr-2014 5:27pm
Location:
Maryland
Nevada doesn't have to follow IRS rules. I'd look for a Nevada rule.
 

#5
AlexCPA  
Posts:
497
Joined:
11-Apr-2018 9:40pm
Location:
A Shark On A Cash Reef
sjrcpa wrote: Nevada doesn't have to follow IRS rules. I'd look for a Nevada rule.


“What Happens in Vegas, Stays in Vegas”? :D :lol: 8-)
Even more of my antics may be found on YouTube:
https://www.youtube.com/channel/UCXDitB ... sMwfO19h7A
 

#6
Posts:
3747
Joined:
21-Apr-2014 11:24am
Location:
North Carolina
Pub 4557 says to encrypt emails. I am not a computer expert but I don’t think a PDF password necessarily reaches that standard. Certainly, the basic password-protect function in Adobe is not secure enough. How do I know this? Here’s a wee story.

A few years ago a Scottish political organization was raising funds. Nobody seriously believed the ostensible reason but we have never been able to prove the real reason to this day. Anyway, an email was sent around the organization’s executive committee that had a password-protected PDF and Excel spreadsheet. The password was also circulated by unencrypted email. The documents were redacted. A mole got access to the emails. Within minutes he had opened the documents and unredacted them. Then he securely sent them to a journalist. The people on the list were either high profile or had good reason to remain anonymous - they were the Duke of Here, the Marquess of There and people with multiple hyphens in their last name. On the day the story broke, there was much spluttering of finest Indian tea into the best China. The Information Commissioner investigated, issued a smallish fine and a longish report, not unadjacent to the sort of calm lecture a child would get from a parent or teacher, where every “Yes but…” is ignored.

I say stand your ground. I like JAD’s idea of paper copies. I would send them by trackable means and require a signature, just to make a point. Then I’d telephone to make sure the auditor had actually received them. You have information security policies for a reason. I would not deviate from them for anyone, no matter how exalted.
 

#7
Posts:
1185
Joined:
21-Apr-2014 7:09pm
Location:
NC
ShawnE wrote: My clients email me all the time with paperwork that has their social on it etc etc. It is their choice to put their data at risk.
My feeling and policy has been to provide a site for them to download and I will not email. In a pinch I'll password a pdf and email if I have to - rare.

I got a nasty push back from a state sales tax auditor about it. They can't use the link etc etc. I must email them the documents etc etc. There is no such guidance or prohibition on email w2s etc etc. Bit of an Ahole. And yes a sales tax audit in Nevada wants payroll info to cross reference state unemployment. That said

I seem to recall the IRS saying we should never email sensitive data - but I can't find that. Does anyone know of that kind of doc?

What is your policy?


At a minimum, we password protect the PDFs using Adobe. It's an extra step but necessary in my opinion.

But yes, we use a portal most of the time.
 

#8
JAD  
Posts:
4074
Joined:
21-Apr-2014 8:58am
Location:
California
IT consultant told me that Adobe PW protection encrypts the document. The higher levels of Adobe provide 128-bit encryption. I don't know what that means but I am told that it meets various requirements. I agree that anything can be hacked.
 

#9
Taxaway  
Posts:
351
Joined:
22-Apr-2014 11:25pm
Location:
Boston, MA
I ask clients not to attach anything to their emails to me, instead I provide an upload link to a protected Dropbox folder, and likewise send them the link to another password protected folder for download. Still, nothing 100% secure. But this also prevents documents scattered about my emails during busy times rather than in centralized locations. Head scratcher about those who still will scan and attach an IRS notice and at same time express worries about sending additional documents if I need them. Ah, take a look at that notice that has your confidential information!
 

#10
Posts:
8283
Joined:
4-Mar-2018 9:03pm
Location:
The Office
The problem with sending the document as an attachment vs a downloadable link that expires is that the former is potentially accessible indefinitely if the email sits in an inbox or folder in someone's email account collecting dust.

Someone could then intercept the file if the email account is breached and crack the encrypted file open, especially if years have passed and the encryption method originally used is now ancient.

Don't have that problem with the download links that expire. Once the link expires, the file is no longer accessible. Problem is many banks and government agencies will not click a link because of internal protocol that's designed to protect against viruses.

In that situation I provide the client with an encrypted and PW protected PDF over the portal and tell them they can pass along at their discretion to whoever they like. It's their call.
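
Posts #8 and #10 both turn on which cipher a password-protected PDF actually uses. As an added example (not code from any poster), this Python check reads the `/Encrypt` dictionary of a PDF and reports the declared cipher and key length before the file is sent; the sample files are constructed, and the "AES only" acceptance rule is an assumed policy, not one stated in the thread.

```python
import re

def _int(body: bytes, key: bytes, default: int) -> int:
    """Return the integer value of /key in a dictionary body, or default."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
    return int(m.group(1)) if m else default

def inspect_pdf(data: bytes) -> dict:
    """Report the cipher and key length declared in a PDF's /Encrypt dictionary.

    Simplified parser: expects the trailer to reference the dictionary
    indirectly (/Encrypt N G R) and reads the first /CFM it finds.
    """
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:  # no /Encrypt entry: the file is not encrypted at all
        return {"encrypted": False, "cipher": None, "bits": 0, "acceptable": False}
    num, gen = ref.groups()
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj",
                    data, re.S)
    body = obj.group(1) if obj else b""
    v = _int(body, b"V", 0)                  # algorithm version
    m = re.search(rb"/CFM\s*/(\w+)", body)   # crypt filter method (V 4 and 5)
    cfm = m.group(1).decode() if m else ""
    if v == 5 and cfm == "AESV3":
        cipher, bits = "AES", 256
    elif v == 4 and cfm == "AESV2":
        cipher, bits = "AES", 128
    elif v == 4 and cfm == "V2":
        cipher, bits = "RC4", 128            # key length assumed to be 128
    elif v in (2, 3):
        cipher, bits = "RC4", _int(body, b"Length", 40)
    elif v == 1:
        cipher, bits = "RC4", 40
    else:
        cipher, bits = "unknown", 0
    # ASSUMED policy for this example: only AES-based handlers are acceptable.
    return {"encrypted": True, "cipher": cipher, "bits": bits,
            "acceptable": cipher == "AES"}

def _sample(encrypt_dict: bytes) -> bytes:
    """Build a constructed, minimal PDF skeleton around an /Encrypt dictionary."""
    return (b"%PDF-1.7\n5 0 obj\n<< /Filter /Standard " + encrypt_dict +
            b" >>\nendobj\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF")

# Constructed samples: an older 128-bit RC4 file, an AES-256 file, a plain file.
SAMPLE_RC4 = _sample(b"/V 2 /R 3 /Length 128 /P -3904")
SAMPLE_AES256 = _sample(b"/V 5 /R 6 /Length 256 /CF << /StdCF << /CFM /AESV3 "
                        b"/Length 32 >> >> /StmF /StdCF /StrF /StdCF")
SAMPLE_PLAIN = b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
```

The cipher is only half of the picture: a strong cipher does not help if the password is short or travels in the same mailbox as the file.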
 

#11
Posts:
2510
Joined:
24-Apr-2014 7:54am
Location:
Wisconsin
JAD wrote: I email if my clients want me to - and they all do. Password protect. But it is different when a client wants you to send the client info vs sending client's docs to a third party. Esp if the auditor is a jerk. Perhaps tell the auditor that it is standard operating procedure across the industry not to do what he has requested, that using a secure site is recognized as safer, and that you will FedEx him a CD with the documents he has requested since he is having trouble with the link. Or even better - send him hard copies!!!


Odds are that sending a CD or a thumb drive will not be appropriate given how locked down the state auditor's computer likely is. I think I would also go down the hard copy route, myself, especially if the auditor is being a jerk.
 

#12
JR1  
Posts:
6132
Joined:
21-Apr-2014 9:31am
Location:
Western 'burbs of Chicago
SumWun, I just love your wordsmithing!
Go Blackhawks! Go Pack Go!
Remembering our son, Ben Jan 22, 1992 to Aug 26, 2011.
For FB'ers: https://www.facebook.com/groups/BenRoberts/
 

#13
Posts:
2933
Joined:
21-May-2018 7:50am
Location:
Northern MI and Coastal SC
Here's a problem: a lot of government agents, lenders, etc., have policies in place that prohibit them from accessing third-party portals, encrypted e-mail systems, etc. BUT, they all generally have encrypted e-mail systems, if not portals, you can utilize to securely transfer information.

If a third-party is asking me to provide confidential information and they cannot use my secure systems, I ask them to provide me a method of securely sending it to them. If they cannot do that, then I place the full burden on the client. No confidential information leaves my company through standard e-mail--it MUST be encrypted at rest and in-transit.
Last edited by CornerstoneCPA on 7-Oct-2021 3:45pm, edited 1 time in total.
 

#14
Posts:
3747
Joined:
21-Apr-2014 11:24am
Location:
North Carolina
JR1, it's easy to be a wordsmith when one feels passionately about a particular subject. We see it on here all the time. I wish I could write as effortlessly and as regularly as the late Doctor Watson. I always enjoyed his writing, whether it was on tax or another subject entirely.
 

#15
Posts:
737
Joined:
28-May-2014 12:04pm
Location:
Arkansas
Fax it to him. That’s what I do with our state unemployment agents. It gets to them eventually.
 

#16
ShawnE  
Posts:
218
Joined:
3-Feb-2016 11:25am
Location:
Las Vegas
THANKS Everyone - Love this forum!
Sumwun - Great story! And thanks for that Pub link. I knew there was one out there somewhere. But probably too irritated to actually find it.

sjrcpa - like Nevada has rules - LMAO - no income tax, they don't care, whatever goes. Heck we have a town that is PROUD to not have zoning laws. Build whatever wherever.

I talked to the client - who agrees that I shouldn't put her stuff at risk. So - and I love this client - she has decided to pay me to encrypt/password the PII containing files and then she is going to bill the state for a reimbursement. She has had 2 other sales tax audits and both of those auditors didn't have an issue with a portal so.. She won't get it of course but..
 

#17
Posts:
2644
Joined:
24-Jan-2019 2:16pm
Location:
North Shore, Oahu
ShawnE wrote: mostly at this point I'd love to find an IRS doc that outlines NOT emailing unencrypted files = and beat him over the head with it.



Are we not required to have (and follow) a written internet security policy by circular 230 or something?

As a practitioner (EA/CPA) are you not bound by that federal policy even when dealing with the state?
 

#18
Posts:
2933
Joined:
21-May-2018 7:50am
Location:
Northern MI and Coastal SC
ItDepends wrote:
ShawnE wrote: mostly at this point I'd love to find an IRS doc that outlines NOT emailing unencrypted files = and beat him over the head with it.



Are we not required to have (and follow) a written internet security policy by circular 230 or something?

As a practitioner (EA/CPA) are you not bound by that federal policy even when dealing with the state?


It is an FCA regulation adopted by IRS and applies to all tax preparers.
 

#19
Posts:
2644
Joined:
24-Jan-2019 2:16pm
Location:
North Shore, Oahu
There you go, Shawn.

Hand circ 230 to the examiner, and when they reach out to take it, drop it on the floor, turn around, and walk away.

(just as dramatic, but you can't slap folks upside the head with paperwork anymore in 2021)
 

