Should I be concerned that my accountant emailed me my tax return?
April 14, 2015 10:24 AM
TaxFilter time! I am out-of-town and to facilitate getting my taxes done, my accountant sent me a copy of the draft and final returns via unencrypted email. Is this a standard practice these days?
I consented to electronic review/delivery of the return. I assumed (erroneously) that they would have some sort of portal where I could securely view the documents.
Our accountant runs a bit of a mom-and-pop shop, although they're affiliated with a larger organization.
I assumed (erroneously) that they would have some sort of portal where I could securely view the documents.
Ha! The accountants I have been to (all two or three of them) were about the least tech-savvy people I have met in my life, so yeah, I'd say that is normal. Maybe I am mistaken, but I really don't think that email is much less secure than the online portal thing that my accountant used to access my info.
posted by kinddieserzeit at 10:34 AM on April 14, 2015
The "standard practice" is to encrypt the contents and tell you the password separately by phone or in person.
Email is very easily intercepted (including accidentally) and shouldn't be used for stuff like this unencrypted.
I doubt they broke any laws though; it's just a little sloppy.
posted by richb at 10:36 AM on April 14, 2015 [3 favorites]
My accountant also emailed me my return unencrypted.
posted by Dragonness at 10:48 AM on April 14, 2015
So did mine! I wasn't worried at the time, but now I am...er, maybe this is a dumb question, but should I print it and then delete it from my account?
posted by stray at 10:59 AM on April 14, 2015 [1 favorite]
Are you certain that it was unencrypted? Many mail transfer agents support opportunistic encryption and will use a TLS channel for sending mail if it is available and supported.
posted by bfranklin at 11:00 AM on April 14, 2015
In the last couple of years all the accountants I work with (3 in total) have gotten portals. They sometimes send me e-mail plain text with numbers and dollar amounts in it, but not my SSN. Most stuff goes through the portal.
posted by alms at 11:02 AM on April 14, 2015
My accountant accepts documentation (W-2, 1099, and so forth) by scanned PDF in e-mail (I never send the documents that way), but he still snail mails me a paper copy of my returns. Anything with your Social Security number on it really shouldn't be sent by unencrypted e-mail, in my opinion.
posted by tckma at 11:38 AM on April 14, 2015
All tax software, to my knowledge, provides for the option of exporting returns to pdf with client data (SSNs, bank info, etc) redacted. There is no reason to export an unredacted return unless the client specifically requests it or you're filing on paper.
In addition, some states require returns/client data to be encrypted.
posted by melissasaurus at 2:03 PM on April 14, 2015
Theoretically, if both your mailservers and your accountant's mailservers were configured to use TLS-encrypted connections when sending email, it would have been very difficult to intercept the mail in transit and get anything from it. That's a relatively large if, depending on who handles your and your accountant's email. That said, it is probably relatively unlikely that someone is watching that traffic closely (unless you're the NSA or something), though you have no way of knowing for sure.
The other, more problematic, issue is the storage of the email at rest. Most mail transfer agents (software on servers that sends email around) create multiple copies of emails as they wend through their system, possibly purging them eventually, but you're not guaranteed that. Also, unless the email provider has taken specific steps to prevent it, someone with enough access to the server (like an administrator) could read your unencrypted email, to say nothing of the more prevalent threat of hackers who steal or brute-force email account logins.
While what's done is done, you should definitely delete the email from your mail server once you've copied the documents somewhere safe. It might not get rid of all of the copies, but it'll at least get rid of the easiest-to-access ones.
posted by Aleyn at 11:47 PM on April 14, 2015
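The question bfranklin and Aleyn raise above (did each mail hop actually use TLS?) can be checked from the Received headers of the delivered message. The following is an added example, not part of any post in this thread; the sample message, host names and addresses are constructed placeholders.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop ran over TLS (registered by RFC 3848 / RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
# Some MTAs also record the negotiated version in a comment, e.g. "(using TLSv1.2 ...)".
TLS_NOTE_RE = re.compile(r"\bTLS\s?v?1[._][0-3]\b|\bversion=TLS", re.IGNORECASE)

def strip_comments(text):
    """Remove (possibly nested) parenthesised comments from a header value."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", " ", text)
    return text

def hop_report(raw_message):
    """Return [(receiving_host, protocol, used_tls), ...] in travel order."""
    hops = []
    # Each server prepends its Received header, so reverse for sender -> recipient.
    for value in reversed(message_from_string(raw_message).get_all("Received", [])):
        flat = " ".join(value.split())        # unfold continuation lines
        bare = strip_comments(flat)           # keywords live outside comments
        by = re.search(r"\bby\s+(\S+)", bare)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", bare)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        used_tls = name in TLS_PROTOCOLS or bool(TLS_NOTE_RE.search(flat))
        hops.append((by.group(1) if by else "?", name, used_tls))
    return hops

# Constructed sample headers; hosts and addresses are placeholders.
SAMPLE = """\
Received: from mx.client-mail.example (mx.client-mail.example [198.51.100.7])
    by store.client-mail.example with LMTP id 3; Tue, 14 Apr 2015 10:20:05 -0400
Received: from out.accountant.example (out.accountant.example [192.0.2.10])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by mx.client-mail.example (Postfix) with ESMTPS id 2
    for <client@client-mail.example>; Tue, 14 Apr 2015 10:20:04 -0400
Received: from office-pc (unknown [192.0.2.55])
    by out.accountant.example with ESMTP id 1; Tue, 14 Apr 2015 10:20:01 -0400
Subject: Draft return

(constructed sample body)
"""

if __name__ == "__main__":
    for host, proto, tls in hop_report(SAMPLE):
        print(f"{host:28} {proto:8} {'TLS' if tls else 'no TLS recorded'}")
```

Received headers describe transit only and can be forged by upstream servers, so rely on the ones added by your own provider. They say nothing about the copies stored at rest that Aleyn describes.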
"Standard practice" and "best practice" are completely different things in this area.
posted by smackfu at 7:01 AM on April 15, 2015 [1 favorite]
I have a common name and an email address reflecting that name, and have more than once accidentally received important unencrypted confidential information intended for someone else with the same name. If your accountant sends your information unencrypted, the same thing could happen to you.
posted by dfan at 8:14 AM on April 16, 2015
This thread is closed to new comments.
posted by aniola at 10:33 AM on April 14, 2015