The AICPA has defined a set of Generally Accepted Privacy Principles (GAPP) that Certified Public Accountants should understand and adhere to when handling the private information of their clients. Section 8.2.5 of the GAPP addresses specific requirements for securely sending and receiving (aka, transferring or transmitting) personal information. Each of the four methods below are not appropriate for sending and receiving sensitive information and would not comply with the Section 8.2.5 guidelines.
1. Password protecting zip files is not safe
Password protecting a zip file offers little protection to the data contained inside. Many free hacking tools exist that make easy work of cracking passwords on zip files. Password protection on zip files is better than no protection, but just barely.
2. Sending data and passwords in a separate email message
Sending your client an email message with a username or password protected file in one email message and then sending the password for the resource in a second message offers no additional security. Email is not a secure transport method, whether sent in one or multiple messages. This is virtually no safer than sending the username and password together in the same email. If someone has gained access to your or your client's email account, then they’ve got access to all of the email messages, including the first and second email.
Encrypted email can offer a greater degree of protection, but often the recipient will save the email message in a decrypted state after he reads it, thus making the message and its contents vulnerable to theft. A CPA should never send or receive sensitive information by email.
3. Uploading files to a standard FTP server
Standard FTP servers are great for sharing large amounts of non-sensitive data with others, but standard FTP does not provide protection for sensitive data that a CPA exchanges with clients. Usernames and passwords are transmitted in plain text so they’re easily stolen, especially on wireless or public networks. If a large collection of W-2 forms, tax returns, QuickBooks backup files and other types of data that a CPA often exchanges with clients is sitting on an FTP server, then it's vulnerable to theft and easy prey for an attacker.
4. Sending CDs or DVDs by mail or parcel carrier
Sending data by mail or parcel carrier is actually a dangerous way for a CPA to share sensitive data with clients. The potential for the package containing the data to get lost is high. The ability to track who has accessed the data or has potentially had access to the data is low. Besides a name on the outside of the package, there is little else to help limit who receives the data. If this is your only option, at a minimum the data should be encrypted using a strong encryption method, such as PGP, that allows you to encrypt the data to a specific person’s key.
A Safer Method to Share Files
Every CPA should have a secure method to share files with his or her clients and business partners. The safest method is to use a private LAN or VPN. Unfortunately, this is not practical for the CPA in public practice who needs to share data with clients outside of his or her office.
A better alternative to safely send and receive sensitive data is a web based secure file exchange system. Like the name implies, secure file exchange systems let you securely transfer files, documents and messages between a CPA and his clients, using an SSL protected website. This means that sensitive data never travels across the internet in an unsafe manner and is never at risk inside of an email inbox.
Key highlights of a good secure file exchange system include:
- Your data is encrypted using SSL and military grade encryption
- The sender will receive an email notification when the recipients open their message
- Requires no special software to install. All you need is a web browser like Internet Explorer or Firefox.
- Bypasses firewall and email attachment restrictions that often prevent sending or receiving files
- No third-party storage providers, all data is stored in a banking grade data center
- Low cost monthly subscription pricing
- A file retention policy that allows for automatic data purging of old files