I password protect any pdf that I email to a client, usually using the last 4 digits of their SocSec# as the password. The best deal I've found for creating password protected pdf's is PDF Factory from FinePrint.

Their basic version is about $50, and it works fine. It also gives you the ability to edit the pdf and you can add documents to the pdf which are not a normal part of the return if you wish (W-2 forms, worksheets, disclaimers, etc)

Here's a link:

Encryption

I agree that any documents sent to a client by e-mail should be password-protected. It probably goes without saying, but you then need to provide the password to the client by phone--not within the message itself.

There are many different options out there for encrypting files, with wide variation in the cost, ease of use, and the level of protection that it provides.

I'm not familiar with the program JohnH referred to above. But I question whether password protection at the document level is adequate. And I would never use the last four of the SSN as the password. It's too easy for others to find out and then guess it correctly.

I recommend encrypting files by using a ZIP utility. The problem with this method is that there is no universally accepted standard. Many clients will not have a ZIP utility on their PC at all, and those that do might have one that does not support the type of ZIP encryption that you decide to use.

There is a free, open-source ZIP utility called 7-zip that can be downloaded at no charge. It installs very quickly, is relatively easy to use, and generally does not interfere with other applications, i.e., it does not change default settings in your browser or your e-mail program, or anything else like that.

So one solution is to use this program to encrypt files that you are sending, and then, in the body of the e-mail message, provide a link for the recipient to download 7-zip if they need to.

This method isn't for technophobic users who don't understand the difference between a website and a browser, or the difference between a file and an application. But it doesn't require formal IT training either. If a client is comfortable with basic operations such as installing software, it's kind of a no-brainer...

I'll be happy to provide more details if you're interested. 7-zip is free, open-source software, but it's highly stable, and very reputable. The application is recommended for use by several state universities.

BMK

That's good info. When I get a chance I'll try 7 Zip - sounds like it might work fine for clients to whom I regularly email info. As you pointed out, not so sure it would be useful for those who need to know a little bit more about tech issues.

I do always tell the clients verbally what password to use (the email never has any info about the password, or even that there is one). But I don't worry too much about using part of of their SocSec# since the SocSec# is what we are trying to protect. So if someone already knows that info then they won't gain much more useful data by opening the file. But You do have me thinking if 4 digits are enough - maybe I should expand the passwords in some meaningful way.

Passwords

JohnH wrote:

I guess my concern would be something like... well, let's see, here...

A naive client might not realize that others in the same household can get into their e-mail. If they are using a web-based e-mail service such as gmail or Yahoo, their browser might be set to store both their username and password. If they are using a client such as Outlook or Thunderbird, it might be set up to allow any user of the PC to simply open up the program and read their mail.

I'm not trying to scare you, but if you send an entire tax return as a PDF attachment, what if the client's 16-year old kid just happened to take a peek at his e-mail?

That's why it should be password protected. But the client's own 16-year old might have access to the client's SSN, and might be savvy enough to guess that the password could be the last four, or the entire SSN. Or the birthdate. Or the KID'S birthdate. Or the dog's name.

So I guess what I'm really saying is that just because the client's kid may know Dad's SSN, and Dad may not even see that as a problem, it does not follow that it's okay for the client's kid to be looking at Dad's entire tax return...

At some point, the client bears some degree of responsibility for the security of their own data. I actually think that it's a little far fetched to worry about someone intercepting the e-mail message while it is in transit through the internet. I know it's possible, but other types of breaches are far more likely, such as someone hacking into the client's Yahoo account. (Remember the Palin debacle? Some college kid hacked her Yahoo password because the password recovery security questions were too easy. He found the info in the public domain.)

So I do believe that some sort of password protection or encryption should always be used. Sending sensitive data with no protection at all just isn't a good business practice. If you accidentally send it to the wrong e-mail address... I mean like even a typo, where the correct address is jmsmith@aol.com but you send it to jsmith@aol.com...

The incorrect address could well be a valid address, and if it is, and the file wasn't encrypted, then you have in fact exposed your client's data to an unauthorized party.

I'm sure this sort of thing has actually happened. Whether it resulted in real damages, i.e., identity theft or fraud in which the client was the victim, is a separate question. But it sure would be embarrassing...

BMK

Execusite

I have a web site by Execusite, a CCH company, with a File Share button. The storage is on CCH servers, the same ones that transmit returns electronically, so more secure than my home computer. A client can request space to upload files or permission to download files. I accept (or deny). Only he knows his password. He can upload documents to me or I can upload his return or documents for him. I can also upload documents (my engagement letter, for example) that all clients can view and download.

Thanks for your input

I thought there was more to this than just attaching a file to an e-mail. The solution for this client is going to be, printing the returns to disc and have them pick it up. This person doesn't live that far from me so I think that will work.

There's a free program called Signature 995 which offers 128 bit encryption in a PDF format. Having said this, I think people worry too much about this issue. Most identity theft, I believe, happens because people don't shred their paper documents.

Yes, I agree that one can easily go overboard with security. However, e-mail is known not to be safe and anyone catching a tax return has all the info needed for fraud, often including the account info.

So some sort of encryption or password protection is necessary and it should be easy enough for the clients to use. With my scanner I not have the full PDF program, which allows for password protection. I agree with Burton that the last 4 digits of the SS# is not a good idea.

I use a system of 4 four digits of last name plus a character plus first 4 digits of SS#. That way I always know what the password is.