How to Set Up Secure File Sharing for Your Accounting Firm

Accounting firms handle thousands of sensitive documents every tax season, from W-2s and 1099s to bank statements and Social Security numbers. Federal law requires tax preparers to protect this data with specific safeguards. This guide walks through how to set up secure file sharing that meets FTC Safeguards Rule requirements, protects your clients, and actually fits into your daily workflow.

Fast.io Editorial Team

Why Email Falls Short for Accounting Firms

Most accounting firms still collect tax documents over email. It works, in the sense that files arrive. But email was never designed for secure document exchange, and for tax preparers, the risks are real.

Standard email sends files as unencrypted attachments. Anyone who intercepts the message, or compromises either inbox, gets the contents. There is no access control after sending, no audit trail showing who opened what, and no way to revoke access to a document you already sent.

The bigger problem is regulatory. The FTC Safeguards Rule, updated in June 2023, classifies tax preparers as "financial institutions" under the Gramm-Leach-Bliley Act. That means every firm that prepares tax returns is legally required to implement specific data security controls, including encrypted file transfer and access logging. Email alone does not satisfy these requirements.

The IRS receives 3 to 5 new data theft reports from tax practitioners every week. In 2024, over 250 breach incidents were reported by tax professionals, affecting more than 200,000 clients. Many of these breaches started with compromised email, including the "new client" phishing scam where attackers pose as prospective clients and send malicious attachments.

Switching to a secure file sharing system is not just a best practice. For tax preparers, it is a legal obligation.

What the FTC Safeguards Rule Requires

The FTC Safeguards Rule is the regulation that governs how tax preparers must protect client data. If you prepare tax returns for compensation, this applies to you regardless of firm size. Here are the specific requirements that affect file sharing.

Encryption standards. Files must be encrypted both at rest (AES-256 via tools like BitLocker or FileVault) and in transit (TLS 1.2 or higher). Sending a W-2 as an unencrypted email attachment violates this requirement.

Multi-factor authentication. Anyone accessing systems with customer data must use MFA. A simple username and password is not sufficient.

Access controls. The rule requires role-based access with least-privilege principles. Not every staff member should have access to every client's documents.

Activity logging. You need audit trails showing who accessed what files and when, with logs retained for at least 12 months.

Written Information Security Plan (WISP). Every firm must maintain a WISP that designates a qualified individual to oversee data security. The IRS has published templates in Publications 5708 and 5709 to help smaller firms create one.

Breach notification. As of May 2024, if a breach affects 500 or more consumers, you must notify the FTC electronically within 30 days. You also need to contact your IRS Stakeholder Liaison and the relevant state tax agency.

Smaller firms (under 5,000 consumers) are exempt from penetration testing and written incident response plans, but must still implement all core safeguards including encryption, MFA, and access logging.

5 Steps to Set Up Secure File Sharing

Setting up a compliant file sharing system does not require an enterprise IT budget. Here is a practical approach that works for firms of any size.

1. Choose a platform with built-in encryption

Pick a file sharing tool that encrypts data at rest and in transit by default. Look for AES-256 encryption and TLS 1.2+ connections. Avoid tools that require you to configure encryption separately, because someone will forget.

2. Create organized client folders

Set up a folder structure by client, with subfolders for each tax year and document type. A typical structure looks like this:

  • Client Name/
    • 2026 Tax Year/
      • W-2s and Income
      • Deductions and Credits
      • Prior Year Returns
      • Correspondence

This keeps documents findable and limits exposure. If one folder is compromised, not everything is exposed.

3. Configure access controls

Assign permissions at the folder level. Staff should only access the clients they work with. Set up separate access for partners, senior staff, and junior preparers. When a client relationship ends, revoke access promptly.

4. Set up client-facing document collection

Replace email requests with a secure upload portal. Send clients a link where they can upload their W-2s, 1099s, and other documents directly into their folder. This eliminates the need for email attachments and gives you an audit trail of when each document was received.

5. Enable audit logging and review it

Turn on activity logging so you have a record of every file upload, download, and access event. Review logs monthly during off-season and weekly during tax season. This is not just for compliance. It helps you catch unauthorized access early.

Fast.io features

Protect Your Clients' Documents With a Secure Workspace

Fast.io gives accounting firms encrypted workspaces with granular permissions, audit trails, and branded client portals. Start with 50 GB free, no credit card required. Built for accountants' secure file sharing workflows.

Comparing File Sharing Tools for Accountants

Not every file sharing tool is built for accounting workflows. Here is what to look for, and how the main options compare.

Purpose-built accounting platforms like TaxDome, SmartVault, and Canopy include client portals, document request checklists, e-signatures, and integrations with tax software like Lacerte and Drake. They are designed for tax season workflows. The tradeoff is cost. TaxDome runs $700 to published pricing per year, and Canopy starts around published pricing per month.

Enterprise file sharing tools like ShareFile (Citrix) offer strong security and compliance features but lack accounting-specific workflows. You get encryption and audit trails, but no built-in document request lists or tax software integrations.

General cloud storage like Dropbox and Google Drive is familiar and cheap, but lacks the access controls, audit logging, and compliance features the FTC Safeguards Rule requires. Using Dropbox for client tax documents is convenient, but it leaves gaps in your compliance posture.

Workspace platforms like Fast.io sit between enterprise file sharing and accounting-specific tools. Fast.io provides encrypted workspaces with granular permissions at the org, workspace, folder, and file level. Branded shares let you create client-facing upload and download portals with guest access, and every file operation is logged in an audit trail. The free plan includes 50 GB of storage and requires no credit card, which makes it practical for solo practitioners or small firms testing a new workflow. For firms that want to go further, Intelligence Mode auto-indexes uploaded documents for semantic search, so you can find a specific K-1 across hundreds of client folders without remembering the exact file name.

The right choice depends on your firm's size and workflow. Solo preparers handling a few hundred returns may do well with a general workspace platform. Larger firms with complex tax software integrations may benefit from a purpose-built accounting tool.

Securing Document Collection During Tax Season

Tax season is when your file sharing setup faces the most pressure. Clients send documents in waves, often at the last minute, and the volume of sensitive data moving through your systems spikes dramatically.

Use document request checklists. Instead of emailing clients a list of what you need, send them a secure link to a collection portal with a clear checklist. This reduces back-and-forth and ensures documents land in the right folder. Tools with Receive or Exchange share types, like Fast.io's branded shares, let you set up a dedicated upload link per client that feeds directly into their workspace folder.

Set expiration dates on shared links. Any link you send to a client for uploading or downloading documents should expire after a reasonable window, typically 30 to 60 days. This limits the risk of old links being compromised.

Watch for phishing attacks. The IRS has documented a spike in "new client" scams where attackers send emails posing as prospective clients with malicious attachments. Train your staff to verify new client identities before opening any attachments, and never open files outside your secure file sharing platform.

Separate active and archived clients. During tax season, keep active client folders accessible and archive prior-year folders with read-only permissions. This reduces the attack surface and keeps your workspace organized.

Automate where you can. If your file sharing platform supports webhooks or activity notifications, set up alerts for large batch uploads or unusual access patterns. Catching anomalies early during the busiest time of year can prevent a small problem from becoming a breach.
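
The log review from step 5 and the alerting described above can be scripted against an exported activity log. The following is an added example, not code from Fast.io or any other platform: the JSON-lines export format, the field names, the staff assignments and the thresholds are all assumptions, and the log entries are constructed sample data.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical JSON-lines export format;
# real platforms use their own field names.
SAMPLE_LOG = """\
{"ts": "2026-03-02T09:14:00", "user": "jlee", "action": "download", "client": "Acme LLC", "file": "w2.pdf"}
{"ts": "2026-03-02T10:00:00", "user": "mpatel", "action": "view", "client": "Birch Family", "file": "1099.pdf"}
{"ts": "2026-03-02T11:30:00", "user": "jlee", "action": "download", "client": "Birch Family", "file": "bank-stmt.pdf"}
{"ts": "2026-03-02T23:02:00", "user": "tcho", "action": "download", "client": "Acme LLC", "file": "2023-return.pdf"}
{"ts": "2026-03-02T23:03:00", "user": "tcho", "action": "download", "client": "Acme LLC", "file": "2024-return.pdf"}
{"ts": "2026-03-02T23:04:00", "user": "tcho", "action": "download", "client": "Acme LLC", "file": "2025-return.pdf"}
{"ts": "2026-03-02T23:05:00", "user": "tcho", "action": "download", "client": "Acme LLC", "file": "k1.pdf"}
"""

# Hypothetical staff-to-client assignments (the least-privilege map from step 3).
ASSIGNMENTS = {"jlee": {"Acme LLC"}, "mpatel": {"Acme LLC", "Birch Family"}, "tcho": {"Acme LLC"}}
BATCH_LIMIT = 3                        # events allowed per user inside one window
BATCH_WINDOW = timedelta(minutes=10)   # assumed threshold; tune to your firm's volume

def parse(log_text):
    """Parse JSON-lines audit events and return them in time order."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def review(events, assignments):
    """Return (rule, user, client, timestamp) findings for time-ordered events."""
    findings = []
    recent = defaultdict(list)   # user -> timestamps still inside the window
    for e in events:
        user, client = e["user"], e["client"]
        # Rule 1: staff touching a client folder they are not assigned to.
        if client not in assignments.get(user, set()):
            findings.append(("unassigned_access", user, client, e["ts"]))
        # Rule 2: burst of file events; fires when the count reaches LIMIT + 1.
        window = [t for t in recent[user] if e["ts"] - t <= BATCH_WINDOW]
        window.append(e["ts"])
        recent[user] = window
        if len(window) == BATCH_LIMIT + 1:
            findings.append(("batch_activity", user, client, e["ts"]))
    return findings

if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG), ASSIGNMENTS):
        print(finding)
```

A finding is a prompt for follow-up, not proof of a breach: an unassigned access may mean the assignment list is stale, which is itself worth fixing in your access controls.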

Building Your Written Information Security Plan

A WISP is not optional for tax preparers. It is a federal requirement. The good news is that the IRS has published straightforward templates that make it manageable for small firms.

Start with IRS Publication 5708, which provides a fill-in-the-blank WISP template. At minimum, your plan needs to cover:

  • Who is responsible for data security (your "qualified individual")
  • What client data you collect and where it is stored
  • How you protect data in transit and at rest (your file sharing platform handles much of this)
  • Access control policies (who can see what)
  • Employee training requirements (annual security awareness training, quarterly phishing simulations)
  • Incident response procedures (who to contact, in what order)
  • Vendor oversight (how you evaluate the security of tools you use)

Your file sharing platform is a key part of your WISP. Document which platform you use, what security features it provides (encryption, MFA, audit logs), and how you configure permissions. If your platform provides audit trails, note that logs are retained and reviewed on a schedule.

Review your WISP annually and update it whenever you change tools or processes. The FTC requires the qualified individual to report on the plan's status to firm leadership at least once a year.

For firms that want belt-and-suspenders security, consider platforms that provide detailed activity summaries. Fast.io's audit trails cover file operations, membership changes, and access events, which gives you documentation you can reference directly in your WISP when describing how you monitor for unauthorized access.

Frequently Asked Questions

What is a highly secure way for accountants to share files?

A highly secure approach is a dedicated file sharing platform with AES-256 encryption at rest, TLS 1.2+ encryption in transit, multi-factor authentication, role-based access controls, and audit logging. Purpose-built accounting portals like SmartVault and TaxDome include these features along with tax-specific workflows. General workspace platforms like Fast.io also provide encryption, granular permissions, and audit trails at a lower cost.

How do CPA firms share documents with clients?

Most CPA firms use client portals where clients can upload and download documents through a secure link. The firm creates a folder for each client, sends a portal link, and the client uploads their W-2s, 1099s, and other documents directly. This replaces email attachments and provides an audit trail of every upload and download.

What file sharing do accountants use?

Common options include TaxDome, SmartVault, and Canopy for purpose-built accounting workflows, ShareFile for enterprise-grade security, and workspace platforms like Fast.io for flexible file sharing with built-in permissions and audit trails. Many smaller firms still use Dropbox or Google Drive, though these lack the compliance features required by the FTC Safeguards Rule.

Is Dropbox secure enough for accounting firms?

Dropbox provides encryption and two-factor authentication, but it lacks the granular access controls, detailed audit logging, and compliance-ready features that the FTC Safeguards Rule requires of tax preparers. For firms handling client tax documents, a platform with role-based permissions, activity logging with 12-month retention, and client-facing secure upload portals is a better fit.

Do accountants need a Written Information Security Plan?

Yes. The FTC Safeguards Rule requires every tax preparer to maintain a Written Information Security Plan (WISP). The IRS has published templates in Publications 5708 and 5709 to help firms create one. The WISP must designate a qualified individual responsible for data security and cover topics like encryption, access controls, employee training, and incident response.
