Disclosure Authorization

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #16
    Originally posted by tpert View Post
    Gretel,

    I have seen this posted many times and while I routinely password protect any client data attached to emails, I have never found the specific rule that states that not doing so would be malpractice. It is not in Circular 230 and not in the 7216 regulations. I did find it mentioned in publication 4557 and 4600, but not specifically stating that not doing so would be malpractice. It is more along the lines of a suggested practice under the heading, "The following checklist includes many activities that can be included in an information security program. It can help you put in place security procedures and controls to protect taxpayer information. It is important to consider all the safeguards that are applicable to your business."

    Is that a state mandate in your state?

    Anyone?



    Before people get on my case. I realize that not encrypting data could potentially be construed as being reckless in the scenario where taxpayer information was inadvertently disclosed to a third party. As I understand it, the penalty for that is potentially a criminal charge, not malpractice. The risk of disclosure would also exist for sending a fax to the wrong party. The IRS sends and receives taxpayer information all day long via faxes.
    It is not a mandate in my state. I have my knowledge mainly from someone whom I call an expert in this particular field. It is Bob Jennings, who not only has been a CPA and tax return preparer for quite a while, but also has embraced technology from the start, and everything he talks about he has applied in his own office. He used to be a speaker for Gear-up and then started his own business.

    Protection of client data includes encrypted hard drives (I don't have this since I am a sole practitioner). Some of these things are common sense and probably not so much written in stone. It didn't take me much imagination to see someone breaking into my business and stealing my computer. Then putting the hard drive into another computer. I am sure I could be sued by clients for not absolutely protecting the computer from unauthorized use.

    The netbook I carry around does not have any data on it, only the programs. The data is on a password protected thumb drive. I have tried to implement PGP encryption and failed. I did not know how to solve the issue between backups the way I want them and the encryption. I also did not and cannot spend a fortune to hire someone to implement it.

    I also do not want to live in fear all the time, so I am risking having my computer stolen (probably slim chance), and feel comfortable with my solution for the netbook. I also don't have an office where it would be possible to have an interview with a client and not have another client in the waiting area be able to listen. If a client would like to turn me in for not ensuring enough privacy, so be it. After all, this is what it boils down to anyway, being turned in. If that happens I will stop doing tax returns.

    I think we all have to find our own level of comfort with all these ridiculous rules and requirements. It's all nice and dandy if one has a firm big enough to have a dedicated IT person; most of us are not part of this.



      #17
      Doug, thank you for sharing your reasoning. I have to admit that I never was successful in getting beyond my confusion about what we tax preparers can and cannot do when it comes to disclosure. The only thing I understood was why this is done. All these reasons, like you point out, have to do with us wanting to use and disclose (mainly aimed at overseas tax return preparation and bank products).

      I have heard and read interpretations from a variety of knowledgeable people who all come to the conclusion that we cannot disclose to anyone, period. I wish the IRS would issue some clear guidance.

      I agree with you that the format 7216 mandates cannot possibly be used for a client request since the tax return was done already. It sure appears that the use of this Disclosure form hinges on the client approval BEFORE the tax return is started.

      I still wonder why so many people do interpret these rules the way they do. Are we all just frantic?



        #18
        Originally posted by Gretel View Post
        I still wonder why so many people do interpret these rules the way they do. Are we all just frantic?
        Gretel,

        In my opinion (yes, I am on my soapbox), the IRS knew exactly what they wanted to say. They wanted to say that we preparers can't keep pushing a RAL every two minutes while preparing the tax return. They focused on preparers as if we are snake oil pitchmen and wanted to protect the clients from our harassing ways.

        They definitely did not consider that we frequently get calls in the middle of the night from clients long after the return is prepared saying, "What do I put on line X of the FAFSA form? I have to submit it tonight!!" This is obviously using tax return information for a purpose other than the completion of a tax return, the state return or estimates. This is not a purpose allowed under 301.7216-2 or the code. The client would not have given us signed authorization to help them like this before the return was signed (or at least if we had a form signed, we probably did not foresee this event occurring or we could have given them that information before it was signed). The IRS did not view us as we might view ourselves; wanting to help our clients, but as evil bloodsuckers who want to connive them out of every cent they have. They just made rules with a particular bias and never considered that these did not cover even half the disclosure situations we actually face.

        Then we, especially those of us who want to do the right thing, got frantic. Look through the past posts on §7216 here and on other boards and you will see a repeated message that "we can't even tell clients about an IRA" as part of the interview without first getting consent. We were trying to comply with poorly written regulations that never considered that we might be helping our clients. [Actually, that specific example had been changed from the proposed regulations because in the proposed regulations, the use was specifically to sell an IRA. In the final regulations, they took that out to show that "use" was just "use" (neither good use nor bad use) and then later show that sometimes use is allowed under the code and regulations but other times it needs "prior signed consent."]

        Yes, we panicked, but the IRS did nothing to help us. They gave us cryptic examples of verbiage that must be used if we wanted to do this or that, and what to do if someone was in a foreign country, and what to do when we had multiple uses or disclosures or both.

        Despite all that, they never told us how to avoid the concerns about knowingly or recklessly using or disclosing tax information when a client initiated the request. Their attitude was that a client would only "consent" if we were "requesting permission" but they never stated that nuance in their definitions or interpretation. Their attitude was that if the client requested something, it is a request not consent (even though you or I may consider their signed authorization to be "consent" too). They could not understand how we could possibly confuse a client's request with a client's consent (remember, these are lawyers). They must have had long internal discussions where it was clear what consent meant, but when it came to documenting the rules, they never told us that consent was only in response to a preparer request.

        I tell people that "these are my opinions and there are others who disagree" even though I think I have done enough due diligence to be correct. However, the IRS has never clarified this much further. The IRS believed the example in my FAQ about a preparer's compliance with their E&O policy was a true oversight. However, that has never been clarified either. I am not sure if they are rethinking the whole process or if they are afraid to upset the apple cart again.

        Either way, we are left with a jumbled mess and forced to try to understand this stuff by informal discussions on the street corner based on what we heard that someone was told at some seminar at some time rather than any clarification from the IRS.

        (off soapbox)

        Thanks for listening.
        Doug



          #19
          Doug, thank you so much for your thoughts again. I agree with you, however I am not sure that this is all there is to it.

          When these rules came out I was glad at first, thinking that preparers who send tax return info offshore would now need consent and clients would at least then know about it. On second thought I realized that any form for signature could be presented to the client and the client would sign blindly. Almost all my clients do so with my engagement letter, even new ones.

          We are so bombarded with forms to sign nowadays that we really don't pay much attention. Let alone understanding every bit of it.

          I also thought that clients would be better protected from bad RAL practices but that is not true either since whoever wants to do something bad will always find a way.

          I believe that all the new regulations are mainly aimed against us hard working, honest tax return preparers. Bigger offices have resources to deal with this or even find a way around things. But we will grow more and more tired of these things and then - one day - a huge number of us are weeded out. Wouldn't be surprised if next thing that happens is big companies going to offices, which are their most fierce competition, incognito, and then being a whistle blower.



            #20
            Just a quick comment, since my time is limited right now:

            "Password protected" is not synonymous with "encrypted." Some bookkeeping software, for example, requires a password to ensure that only the right people make changes, but the underlying data is easily cracked. I don't know whether a password-protected Adobe Acrobat file (using current versions) is encrypted, but my guess is that early versions weren't.

            Using PGP or similar products to encrypt the underlying hard drive is an excellent idea. I think the business versions of Windows 7 have that ability built-in. Personally, I consider not doing that for any drive containing client data to be negligent, whether or not it's portable.

            I've never seen any authoritative statement that sending customer data through e-mail in the clear would be malpractice. I believe it's an issue and should be avoided, but it's a mixture of perception and real risk. I'm not a lawyer, but I worry that if something is perceived as being a generally accepted practice, then that might raise a negligence argument, even if the underlying practice isn't cost effective.

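The distinction drawn in post #20 between "password protected" and "encrypted" can be checked for a PDF by reading the `/Encrypt` dictionary its trailer points at. The Python below is an added example, not part of the original thread; the function name and the sample byte strings are constructed for illustration, and it assumes the Standard security handler with an indirect `/Encrypt` reference.

```python
import re

def _int(key: bytes, body: bytes, default=None):
    """Read an integer entry such as /V 4 from a dictionary body."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
    return int(m.group(1)) if m else default

def pdf_encryption_info(data: bytes):
    """Return None when the trailer has no /Encrypt entry, else cipher details."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return None  # strings and streams are stored in the clear
    # Locate the encryption dictionary object the trailer points at.
    pat = rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj(.*?)endobj"
    obj = re.search(pat, data, re.S)
    body = obj.group(1) if obj else b""
    v = _int(b"V", body, 0)
    if v == 1:                        # original scheme: RC4, fixed 40-bit key
        cipher, bits = "RC4", 40
    elif v == 2:                      # RC4, key length in /Length (default 40)
        cipher, bits = "RC4", _int(b"Length", body, 40)
    elif v == 4:                      # crypt filters: method named by /CFM
        cfm = re.search(rb"/CFM\s*/(\w+)", body)
        name = cfm.group(1) if cfm else b""
        cipher = {b"AESV2": "AES", b"V2": "RC4"}.get(name, "unknown")
        bits = 128 if cipher == "AES" else None
    elif v == 5:                      # AES-256
        cipher, bits = "AES", 256
    else:
        cipher, bits = "unknown", None
    return {"V": v, "R": _int(b"R", body), "cipher": cipher, "key_bits": bits}

# Constructed fragments (not complete PDFs) holding only the parts inspected.
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
SAMPLE_RC4 = (b"%PDF-1.3\n5 0 obj\n<< /Filter /Standard /V 1 /R 2 /P -44 >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF")
SAMPLE_AES = (b"%PDF-1.7\n12 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 "
              b"/CF << /StdCF << /CFM /AESV3 /Length 32 >> >> /StmF /StdCF /StrF /StdCF >>\n"
              b"endobj\ntrailer\n<< /Root 1 0 R /Encrypt 12 0 R >>\n%%EOF")

if __name__ == "__main__":
    for label, sample in [("plain", SAMPLE_PLAIN), ("old", SAMPLE_RC4), ("new", SAMPLE_AES)]:
        print(label, pdf_encryption_info(sample))
```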


              #21
              Gary,

              You are 100% correct that password protecting a pdf file attachment is not equivalent to sending an encrypted email.

              If the governments are requiring encrypted emails, we have some real adventures ahead of us. I looked at PrivateSky, Voltage, Send and Hushmail and am not sure I would want to use any of them.

              Do you have any suggestions?
              Doug

