Summary:
- Encrypt client data in transit and at rest to meet legal duties and reduce breach impact.
- Use built-in tools like BitLocker and FileVault, and require TLS 1.2 or 1.3 for portals and email transport.
- Document encryption in your Written Information Security Plan and vendor contracts.
Introduction:
This article explains practical encryption steps for small accounting firms. It focuses on protecting taxpayer and financial data on laptops, servers, cloud apps, and during transmission.
Why it matters for small firms
Accounting firms hold Social Security numbers, bank data, and tax returns. If attackers steal unencrypted data, you face legal exposure, client loss, and notification duties. The Federal Trade Commission’s Safeguards Rule covers many accounting firms and requires protection of customer information, including encryption of data in transit and at rest or approved alternatives if infeasible. The IRS also directs tax pros to safeguard taxpayer data and use encryption for sensitive files and email. (eCFR)
Encryption also aligns with national best practices. NIST’s Cybersecurity Framework 2.0 highlights encrypting sensitive data at rest and in transit as a baseline outcome. (NIST Publications)
What attackers do and why it works
Common tactics include phishing that leads to account takeover, and theft of laptops or USB drives from offices or cars. If the device or files are unencrypted, attackers can read client information. Transport attacks target weak or outdated encryption on portals or email. NIST guidance requires support for both TLS 1.2 and TLS 1.3 to protect data in transit. (NIST Publications)
How to fix it this week
- Turn on full-disk encryption on every computer.
Windows: use BitLocker or device encryption features. BitLocker is available on Pro, Enterprise, and Education editions. Many Windows 10 and 11 devices also provide automatic device encryption tied to a Microsoft or work account. Record and store recovery keys securely. (Microsoft Support)
Mac: enable FileVault. Newer Macs encrypt automatically and FileVault enforces login for decryption. (Apple Support)
- Encrypt data during transmission.
Require TLS 1.2 or 1.3 for portals, email gateways, and APIs. Check your vendors and hosting providers for TLS configuration status and certificates. NIST SP 800-52 Rev. 2 gives configuration guidance. (NIST Publications)
- Protect files and backups.
Encrypt sensitive PDFs, spreadsheets, and exports that contain taxpayer data. Ensure backup tools encrypt data at rest and in transit. IRS Publication 4557 advises encrypting stored client data and backups. (IRS)
- Manage encryption keys.
Use centralized key escrow in your MDM or backup platform. Follow NIST guidance to use approved algorithms such as AES and to safeguard key material. Limit who can access keys and store them separately from encrypted data. (NIST Computer Security Resource Center)
- Lock down removable media.
Either block USB storage or require automatic encryption of any removable drive. Document disposal steps for media that held customer information, as the Safeguards Rule requires secure disposal. (eCFR)
- Update your Written Information Security Plan (WISP).
Map where client data lives, record which systems are encrypted, and include procedures for key backup and recovery. IRS Publication 5708 provides a simple WISP template for tax and accounting firms. (IRS)
- Verify vendors.
The Safeguards Rule requires selecting and overseeing service providers that can maintain appropriate safeguards. Include clauses that require encryption at rest and in transit and allow you to review evidence. (eCFR)
- Train staff on handling encrypted data.
Teach how to recognize protected files, how to send encrypted attachments or secure links, and how to retrieve recovery keys if prompted after updates. IRS and FTC materials emphasize staff training as part of your program. (IRS)
Costs, effort, and common pitfalls
- Software costs: Full-disk encryption is built into Windows and macOS, so software cost is low. Time is needed to enable, escrow keys, and test recovery. Windows device encryption may enable automatically when signing in with Microsoft or work accounts. Plan for key escrow and user prompts. (Microsoft Support)
- TLS configuration: Your web host or portal vendor should already support TLS 1.2 or 1.3. Ask for a configuration report and certificate details. NIST SP 800-52 Rev. 2 gives technical requirements you can cite in contracts. (NIST Publications)
- Common pitfalls:
• No recovery keys on file. Store keys in a secure password manager or MDM. (NIST Computer Security Resource Center)
• Partial coverage. A single unencrypted laptop, USB drive, or cloud folder breaks compliance. IRS P4557 warns to encrypt all sensitive files and backups. (IRS)
• Old protocols. If any system still allows SSL, TLS 1.0, or 1.1, fix it. Follow NIST’s TLS guidance. (NIST Publications)
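The vendor TLS check in the "Encrypt data during transmission" step above and the "Old protocols" pitfall come down to the same test, and here is one way to run it yourself. This is an added example, not code from NIST, the IRS, or any vendor named in this article: it pins Python's ssl module to one protocol version at a time against a portal or mail host and scores the answers against the SP 800-52 Rev. 2 expectations; the hostname is a placeholder you replace with your own portal.

```python
import socket
import ssl

# Versions SP 800-52 Rev. 2 says to refuse, and the ones it requires.
LEGACY = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}
MODERN = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def negotiates(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`;
    None if the local OpenSSL cannot offer it (inconclusive, not a pass)."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = ctx.maximum_version = version
    except ValueError:
        return None
    if version in LEGACY.values():
        # Legacy versions need OpenSSL security level 0, and we only care
        # whether the server is willing to speak them, not about its cert.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:  # LibreSSL builds do not know SECLEVEL
            pass
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def probe(host, port=443):
    """Map each version name to True/False/None for the given host."""
    return {n: negotiates(host, port, v) for n, v in {**LEGACY, **MODERN}.items()}

def evaluate(results):
    """Turn probe results into findings; an empty list means the host passes."""
    findings = [f"{n} accepted: disable it" for n in LEGACY if results.get(n)]
    if not any(results.get(n) for n in MODERN):
        findings.append("neither TLS 1.2 nor TLS 1.3 accepted: transport is unprotected")
    elif not results.get("TLSv1.3"):
        findings.append("TLS 1.3 not offered: ask the vendor to enable it")
    return findings

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "portal.example.com"  # placeholder
    for line in evaluate(probe(target)) or ["PASS: only TLS 1.2/1.3 negotiated"]:
        print(line)
```

It works against hosts that speak TLS directly (an HTTPS portal on 443, SMTPS on 465); STARTTLS mail ports need a different probe. Keep the output with the vendor's configuration report as evidence for your WISP.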
Compliance notes (if relevant)
- FTC Safeguards Rule: Requires you to “protect by encryption all customer information” in transit over external networks and at rest, or use effective compensating controls approved by your Qualified Individual if encryption is infeasible. It also defines encryption and sets other required program elements such as risk assessments, service provider oversight, training, and an incident response plan. (eCFR)
- IRS guidance for tax professionals: Publication 4557 directs firms to encrypt sensitive emails, files, and backups and to include these controls in your plan. Publication 5708 offers a WISP template you can adopt. (IRS)
- Framework alignment: NIST CSF 2.0 Quick Start guidance includes encrypting sensitive stored and transmitted data as a core outcome. Use this to show due care. (NIST Publications)
FAQs
- What algorithms and settings should we choose?
Use NIST-approved algorithms such as AES for data at rest and TLS 1.2 or 1.3 for data in transit. Follow NIST SP 800-175B and SP 800-52 Rev. 2. (NIST Computer Security Resource Center)
- Is email encryption required?
The Safeguards Rule requires protecting customer information in transit over external networks. Use TLS for server-to-server transport and send password-protected or portal links for files with taxpayer data. Document your method in the WISP. (eCFR)
- What if we use cloud apps?
You are still responsible for ensuring providers encrypt data and keys properly and for overseeing them under the Safeguards Rule. Ask for attestations and configuration reports. (eCFR)
Call to action
Need help rolling out encryption across laptops, servers, backups, and cloud apps, and documenting it for Safeguards Rule and IRS expectations? Book a consultation to get an assessment, a prioritized action plan, and a WISP update that your team and your examiners can understand.
Sources
- Federal Trade Commission. 16 CFR Part 314, Standards for Safeguarding Customer Information. Updated May 13, 2024. (eCFR)
- eCFR. 16 CFR Part 314, definition of “Encryption.” Accessed 2025. (eCFR)
- IRS. Publication 4557: Safeguarding Taxpayer Data (Rev. 5-2024). 2024. (IRS)
- IRS. Publication 5708: Creating a Written Information Security Plan for Your Tax & Accounting Practice. 2024. (IRS)
- NIST. SP 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of TLS Implementations. Final 2019, with TLS 1.3 support by Jan 1, 2024. (NIST Computer Security Resource Center)
- NIST. SP 800-175B Rev. 1: Guideline for Using Cryptographic Standards. 2020. (NIST Computer Security Resource Center)
- NIST. Cybersecurity Framework 2.0 Quick Start (SP 1299). 2023. (NIST Publications)
- Microsoft Support. BitLocker Drive Encryption availability. Accessed 2025. (Microsoft Support)
- Microsoft Support. Device Encryption in Windows. Accessed 2025. (Microsoft Support)
- Apple Support. Protect data on your Mac with FileVault. Accessed 2025. (Apple Support)