A CPA's Guide to Encrypting Tax Returns and Client Financial Files

Last updated: April 2026

Table of Contents

  1. What the IRS Actually Requires
  2. A Workflow That Fits a Tax Season Day
  3. Three Files You Should Always Encrypt
  4. Encrypted Files vs a Client Portal
  5. What to Document in Your WISP
  6. Frequently Asked Questions

The IRS Publication 4557 guidelines for tax preparers state that you must "implement appropriate measures to safeguard taxpayer information" — with explicit mention of encryption for data in transit and at rest. The Gramm-Leach-Bliley Act and the IRS Written Information Security Plan (WISP) requirements apply to every paid preparer with even one client.

For solo CPAs, EAs, and small accounting firms, the question is not whether to encrypt but how to do it without paying $40-100 per user per month for enterprise tools. This guide walks through a free, browser-based workflow, using a free file password protector, that satisfies the encryption requirement and runs in under a minute per file.

What the IRS Actually Requires

IRS Publication 4557 ("Safeguarding Taxpayer Data") and the FTC Safeguards Rule (revised 2023) both require tax preparers to maintain a Written Information Security Plan that includes administrative, physical, and technical safeguards. Encryption is explicitly mentioned as a technical safeguard for data both at rest and in transit.

The IRS does not specify an algorithm. NIST recommendations for federal contractors center on AES with at least 128-bit keys. AES-256, which is what our browser tool uses, is the same standard the U.S. government uses for top-secret information. Any auditor reviewing your WISP will accept AES-256 as more than adequate.

The other requirement is that you actually do it — and document that you do it. A WISP that says "we encrypt client files" but lacks any workflow or training record is worse than no WISP at all.

A Workflow That Fits a Tax Season Day

The biggest reason small firms skip encryption is that it adds friction during tax season when every minute counts. A workflow that takes 30 seconds is one your team will actually use.

  1. Finish the return in your tax software. Export to PDF.
  2. Open the free file password protector (bookmark it).
  3. Drop the PDF in. Enter a password — use a passphrase tied to the client (e.g., "smith-2025-tax-return-amber-fox").
  4. Download the .enc file. Attach to your client portal upload, your secure email, or a Dropbox link.
  5. Text the password to the client (separately from the file).

Total time: under one minute per return. The client decrypts in their browser using the same tool — no install, no account.
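
What the encrypt and decrypt steps above amount to when done locally with the Web Crypto API, as an added example that is not the tool's own code. The PBKDF2 parameters, the salt | IV | ciphertext file layout, and all function names are assumptions; the page does not document the tool's .enc format.

```javascript
// Added example: password-based AES-256-GCM with the Web Crypto API.
// Assumed container layout (not the tool's documented format):
//   16-byte salt | 12-byte IV | ciphertext followed by the 16-byte GCM tag
const SALT_LEN = 16, IV_LEN = 12, PBKDF2_ITERATIONS = 600000; // assumed parameters

// Constructed sample standing in for an exported return PDF.
const SAMPLE = new TextEncoder().encode('%PDF-1.7 constructed sample, not real taxpayer data');

async function getCrypto() {
  // Browsers and recent Node expose globalThis.crypto; older Node needs node:crypto.
  return globalThis.crypto?.subtle ? globalThis.crypto
                                   : (await import('node:crypto')).webcrypto;
}

async function deriveKey(c, password, salt) {
  const material = await c.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return c.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: PBKDF2_ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

async function encryptFile(plainBytes, password) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(SALT_LEN)); // fresh per file
  const iv = c.getRandomValues(new Uint8Array(IV_LEN));     // never reused with a key
  const key = await deriveKey(c, password, salt);
  const ct = new Uint8Array(await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, plainBytes));
  const out = new Uint8Array(SALT_LEN + IV_LEN + ct.length);
  out.set(salt, 0); out.set(iv, SALT_LEN); out.set(ct, SALT_LEN + IV_LEN);
  return out;
}

async function decryptFile(encBytes, password) {
  if (encBytes.length < SALT_LEN + IV_LEN + 16) throw new Error('file too short');
  const c = await getCrypto();
  const salt = encBytes.slice(0, SALT_LEN);
  const iv = encBytes.slice(SALT_LEN, SALT_LEN + IV_LEN);
  const key = await deriveKey(c, password, salt);
  try {
    const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv }, key, encBytes.slice(SALT_LEN + IV_LEN));
    return new Uint8Array(pt);
  } catch {
    // GCM tag check failed: wrong password or the file was altered in transit.
    throw new Error('decryption failed: wrong password or modified file');
  }
}
```

Because GCM authenticates the ciphertext, a wrong password and a file modified in transit both fail the same way, and no partial plaintext is returned.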

Three Files You Should Always Encrypt

Tax returns (1040, 1120, 1065). Contain SSNs, dependent information, full income data, and bank account numbers. The single highest-value identity theft target.

K-1s and Schedule C exports. Reveal business income, ownership structures, and partner details. Often shared between multiple parties — a perfect place for encryption to reduce risk.

Source documents (W-2s, 1099s, bank statements). Especially when clients email them to you. Once received, encrypt your local copy before storing it in your client folder. If a workstation is breached, the source documents are useless without the password.

Encrypted Files vs a Client Portal

Many practice management suites (Drake, Lacerte, ProConnect, UltraTax) include a "client portal" feature for secure file exchange. Those are excellent and worth using when available.

Browser-based encryption is for the moments when the portal does not fit: a client who is not tech-savvy and refuses to log in, a quick file you need to send to a CPA at another firm, a document you need to take home on a USB drive, an email you need to send during travel from a hotel laptop. In all those cases, the encrypt-then-send pattern works without extra accounts or installs.

What to Document in Your WISP

If the IRS or a state regulator audits your security plan, they will look for a written description of how files are encrypted. A defensible paragraph for your WISP looks something like:

"All client files containing taxpayer information are encrypted using AES-256-GCM before transmission outside our office network and before storage on portable media. Encryption is performed using a browser-based tool that processes files locally without uploading to any server. Unique passwords are generated for each client engagement and stored in a password manager. Passwords are transmitted to clients through a separate channel from the encrypted file itself."

That paragraph, combined with a short staff training record showing each person knows the workflow, satisfies the documentation portion of every WISP framework I have seen.

Frequently Asked Questions

Does this workflow satisfy the IRS Written Information Security Plan (WISP) encryption requirement?

Yes. AES-256 is the strongest commonly used symmetric encryption and exceeds every recommendation in IRS Publication 4557. The fact that the encryption happens locally in the browser (rather than on a third-party server) is an additional security benefit, not a deficit.

Can the recipient open the .enc file in their tax software?

No — they need to decrypt it first using the same tool. The decrypted file (a normal PDF, DOCX, or whatever the original was) opens in any standard application after decryption.

What about retention requirements?

Encryption does not change retention rules. You still keep client files for the period required by your state board and the IRS (typically 3-7 years). Encrypted files satisfy retention while reducing breach risk.