  • Target Audience: CPAs, Tax Preparers, Forensic Accountants, Bookkeepers, and Firm Owners.

How to Encrypt Files as a CPA: IRS Compliance & Client Security Guide (2025)

Introduction: The Trust Currency

Scott, a cybersecurity consultant at Nerds Support, recently noted, “The most dangerous words in accounting today are: ‘It won’t happen to us.’”

For decades, the currency of the accounting profession has been trust. Clients hand over the intimate details of their financial lives—SSNs, bank statements, payroll data—believing their CPA is a fortress. But the digital landscape has shifted the ground beneath firms of all sizes.

According to 2024 data from L Squared Insurance Agency, accounting firms now face a 30-60% probability of experiencing a cyber event in 2025. This isn’t just bad luck; it’s a statistical likelihood.

Encryption is no longer a task you can delegate to an external IT guy and forget about. It is a mandatory requirement for maintaining your license, complying with federal law, and preserving the trust that keeps your firm alive. If you cannot guarantee that a tax return sent via email is unreadable to an interceptor, you are already non-compliant.

The good news? You don’t need a degree in computer science to secure your data. This guide walks you through practical, compliant steps to encrypt tax returns, QuickBooks backups, and client communications without disrupting your workflow.

The Stakes: Why CPAs Are Prime Targets

Financial data is the gold standard for cybercriminals. Unlike a stolen credit card number, which has a short shelf life, the data CPAs hold—Social Security numbers, EINs, and historical financial records—can be used for identity theft for years.

The financial impact of losing this data is staggering. The IBM 2024 Cost of a Data Breach Report indicates that the average cost of a breach in the financial sector has reached $6.08 million. While that figure includes massive enterprises, the costs scale down devastatingly for small and mid-sized firms. Between forensic investigations, client notifications, and credit monitoring services, a single breach can bankrupt a thriving practice.

Even the Giants Fall

It’s a mistake to think hackers only target the “big fish,” but it’s also a mistake to think the big fish are safe. In 2024, Sax LLP, a top 100 U.S. accounting firm, suffered a breach affecting 228,876 individuals. The exposure included names, addresses, Social Security numbers, and even passport numbers. If a firm with significant IT resources can be compromised, the solo practitioner or mid-sized partnership is certainly at risk.

The Regulatory Hammer

Beyond the immediate cleanup costs, the regulatory penalties are severe. The FTC Safeguards Rule allows for civil penalties of up to $100,000 per violation for firms that fail to protect customer data. Furthermore, IRS Publication 4557 outlines the “Security Six”—the non-negotiable safeguards tax professionals must implement. “Data Encryption” is explicitly listed as a core pillar.

If you are audited on your security practices and cannot demonstrate how you encrypt data at rest and in transit, you are effectively handing over your checkbook to regulators.

Anatomy of a Breach: 3 Scenarios to Avoid

Generic security advice often fails because it doesn’t account for how CPAs actually work. To understand why encryption is vital, let’s look at three specific points of failure in a typical accounting workflow.

Scenario A: The “QuickBooks Swap” (Data in Transit)

Mark, a solo CPA in Chicago, had a habit of emailing QuickBooks backup files (.qbb) directly to his clients for review. He assumed the proprietary file format was obscure enough to be safe.

The Mistake: Mark didn’t realize that .qbb files are easily opened by anyone with a copy of QuickBooks or a brute-force tool. When a hacker compromised his email outbox, they downloaded the backup files.

The Result: The attacker accessed five years of payroll data for 12 local businesses. Mark faced an FTC investigation for failing to encrypt customer data in transit and lost 40% of his client base within six months.

The Lesson: Proprietary file formats are not security tools.

Scenario B: The Ransomware Deadline (Data Recovery)

A mid-sized firm in the Southeast was working around the clock for the April 15th deadline. On April 13th, a junior associate opened a PDF attachment from a spoofed client email.

The Mistake: The firm relied on unencrypted local backups. The malware moved laterally through the network, encrypting all active client tax returns (.tax2024 files) and the backups on the local server.

The Result: Because their files weren’t encrypted with their own keys (which would have prevented the malware from reading/corrupting the data structure effectively) or stored in an immutable state, they missed filing deadlines for 400 clients.

The Lesson: Encryption acts as a final barrier. Even if a network is breached, properly encrypted archives remain inaccessible to unauthorized tools.

Scenario C: The Lost Laptop (Data at Rest)

Sarah, a forensic accountant, downloaded unencrypted Excel exports of a client’s bank statements to work offline during a flight. She left her laptop in a rideshare.

The Mistake: Sarah thought her Windows login password was enough. However, she hadn’t enabled BitLocker (full disk encryption), nor had she encrypted the specific Excel files.

The Result: The finder removed the hard drive, bypassed the Windows login, and extracted Excel files containing 3,000 transaction rows. Sarah’s firm was fined by the state board for “lack of due care.”

The Lesson: Login passwords do not encrypt data. If the physical drive is stolen, your files are open books without encryption.

Step-by-Step: How to Encrypt Common Accounting Files

Protecting your firm doesn’t require changing your entire tech stack. It requires adding a layer of protection to the files you handle every day. Here is how to handle the most common file types.

1. QuickBooks Files (.qbw vs .qbb)

QuickBooks files are notoriously difficult to share securely because of their size and sensitivity.

  • Never email a live .qbw file. This is your primary company file. It is a database prone to corruption if transferred improperly, and it contains everything.
  • The Workflow:
    1. Create a Backup or Portable File: Inside QuickBooks, go to File > Create Copy and choose either a Backup Copy (.qbb) or a Portable Company File (.qbm).
    2. Encrypt the Archive: Do not attach this file directly to an email. Use an archiving tool like sekura.app or 7-Zip to compress the file and wrap it in AES-256 encryption.
    3. Set a Strong Password: The encryption tool will ask for a password. Generate a random one (e.g., Tr$ck-99-Blue-Bird).
    4. Send: You can now safely upload this encrypted archive to a portal or attach it to an email (if size permits).

For a deeper dive into the technical standard that makes this possible, read our guide, What is AES-256 Encryption?

2. Tax Returns (PDFs)

Many CPAs rely on the “Protect Document” feature found in older versions of Adobe Acrobat or generic PDF readers.

  • The Warning: Standard PDF password protection often uses weak encryption standards (40-bit or 128-bit RC4) that modern cracking tools can bypass in seconds.
  • The Workflow:
    1. Print your tax return to PDF as usual.
    2. Instead of using the PDF reader’s password tool, drag the PDF into a dedicated encryption tool like sekura.app.
    3. This ensures the file is wrapped in military-grade encryption that travels with the file, regardless of what software the client uses to open it.

See why standard passwords fail in our article: Password Protection vs. Encryption.
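To see what an older “Protect Document” dialog actually applied, here is an added Python checker (not code from this article or from sekura.app) that reads the /Encrypt dictionary a PDF viewer consults: /V 1 and /V 2 mean RC4 (40-bit, or the declared /Length), /V 4 with /CFM /AESV2 means AES-128, and /V 5 means AES-256. The sample PDF fragments are constructed for the example and contain only the trailer and encryption object the checker inspects.

```python
import re

# Constructed PDF fragments (assumed samples, not real client files): only the
# trailer and the /Encrypt object the checker reads; page content is omitted.
SAMPLES = {
    "rc4_40":  b"%PDF-1.4\n5 0 obj\n<< /Filter /Standard /V 1 /R 2 /Length 40 /P -3904 /O <00> /U <00> >>\nendobj\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF",
    "rc4_128": b"%PDF-1.4\n7 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 /O <00> /U <00> >>\nendobj\ntrailer\n<< /Root 1 0 R /Encrypt 7 0 R >>\n%%EOF",
    "aes_128": b"%PDF-1.6\n8 0 obj\n<< /Filter /Standard /V 4 /R 4 /Length 128 /CF << /StdCF << /CFM /AESV2 /Length 16 >> >> /StmF /StdCF /StrF /StdCF /P -3904 /O <00> /U <00> >>\nendobj\ntrailer\n<< /Root 1 0 R /Encrypt 8 0 R >>\n%%EOF",
    "aes_256": b"%PDF-1.7\n9 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 /CF << /StdCF << /CFM /AESV3 /Length 32 >> >> /StmF /StdCF /StrF /StdCF /P -3904 /O <00> /U <00> /OE <00> /UE <00> >>\nendobj\ntrailer\n<< /Root 1 0 R /Encrypt 9 0 R >>\n%%EOF",
    "plain":   b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF",
}

def pdf_encryption(pdf: bytes) -> dict:
    """Classify a PDF's protection from the /Encrypt dictionary referenced by its trailer."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref is None:
        return {"encrypted": False, "algorithm": None, "key_bits": 0, "verdict": "unencrypted"}
    num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"\b" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj", pdf, re.S)
    enc = obj.group(1) if obj else b""
    v = re.search(rb"/V\s+(\d+)", enc)
    v = int(v.group(1)) if v else 0
    if v == 1:                                   # oldest standard security handler: always RC4-40
        alg, bits = "RC4", 40
    elif v == 2:                                 # RC4 with a declared key length (40 if absent)
        m = re.search(rb"/Length\s+(\d+)", enc)
        alg, bits = "RC4", int(m.group(1)) if m else 40
    elif v == 4:                                 # crypt filters: AESV2 (AES-128) or V2 (RC4-128)
        cfm = re.search(rb"/CFM\s*/(\w+)", enc)
        alg, bits = ("AES", 128) if cfm and cfm.group(1) == b"AESV2" else ("RC4", 128)
    elif v == 5:                                 # AESV3: AES-256
        alg, bits = "AES", 256
    else:
        alg, bits = "unknown", 0
    if alg == "RC4":
        verdict = "weak"                         # the 40/128-bit RC4 this guide warns about
    elif alg == "AES" and bits == 256:
        verdict = "recommended"                  # the AES-256 bar set in this guide
    elif alg == "AES":
        verdict = "acceptable"
    else:
        verdict = "unknown"
    return {"encrypted": True, "algorithm": alg, "key_bits": bits, "verdict": verdict}

def weak_pdfs(samples: dict) -> list:
    """Names of the files that should not be sent as-is: RC4-protected or not encrypted at all."""
    return [n for n, p in samples.items() if pdf_encryption(p)["verdict"] in ("weak", "unencrypted")]

if __name__ == "__main__":
    for name, pdf in SAMPLES.items():
        print(name, pdf_encryption(pdf))
```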

3. Excel Projections (.xlsx)

You likely have folders for each client containing dozens of spreadsheets—projections, P&Ls, and amortization schedules. Encrypting these one by one is inefficient.

  • The Workflow:
    1. Organize your client’s monthly deliverables into a single folder.
    2. Encrypt the entire folder at once. This creates a single encrypted package (often a .skra or .zip file).
    3. This method is faster and ensures you didn’t accidentally leave one spreadsheet unprotected.

Note: QuickBooks backups and folder archives often exceed standard email attachment limits (25MB). For solutions, check out Sending Large Files Securely.
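The QuickBooks step above and the folder archive in this section both end in a .zip that is supposed to carry AES-256, but 7-Zip’s .zip container defaults to the much weaker ZipCrypto unless AES-256 is selected (the .7z container always uses AES-256). Here is an added Python audit (not from this article or from sekura.app) that walks a zip’s local file headers and reports, per entry, whether it is unencrypted, ZipCrypto, or AES with the key size from the WinZip AE-x extra field; the sample archives are constructed in place with real header layouts and dummy payload bytes.

```python
import struct

AES_EXTRA_ID = 0x9901                   # WinZip "AE-x" extra field, written by 7-Zip for AES zips
AES_STRENGTH = {1: 128, 2: 192, 3: 256}
LOCAL_HDR = "<4sHHHHHIIIHH"             # sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen

def local_entry(name: str, method: int, flags: int, extra: bytes, payload: bytes) -> bytes:
    """Constructed local file header + data: a sample builder for this example, not an archiver."""
    hdr = struct.pack(LOCAL_HDR, b"PK\x03\x04", 20, flags, method, 0, 0, 0,
                      len(payload), len(payload), len(name), len(extra))
    return hdr + name.encode() + extra + payload

def aes_extra(strength: int, real_method: int) -> bytes:
    # AE-2 extra field: id, data size, vendor version, vendor "AE", strength (3 = 256-bit), real method
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, real_method)

# Constructed sample archives (assumptions): real header layouts, dummy payload bytes.
PLAIN_ZIP     = local_entry("client.qbb", 8, 0, b"", b"\x00" * 16)
ZIPCRYPTO_ZIP = local_entry("client.qbb", 8, 1, b"", b"\x00" * 16)
AES256_ZIP    = local_entry("client.qbb", 99, 1, aes_extra(3, 8), b"\x00" * 16)
MIXED_ZIP     = AES256_ZIP + local_entry("notes.xlsx", 8, 0, b"", b"\x00" * 8)

def aes_strength(extra: bytes):
    """Key size from the AE-x extra field, or None if the entry carries none."""
    i = 0
    while i + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, i)
        if hid == AES_EXTRA_ID and i + 9 <= len(extra):
            return AES_STRENGTH.get(extra[i + 8])
        i += 4 + size
    return None

def audit_zip(data: bytes) -> list:
    """Walk the local file headers and say how each entry is protected."""
    results, off = [], 0
    while data[off:off + 4] == b"PK\x03\x04":
        (_, _, flags, method, _, _, _, csize, _, nlen, xlen) = struct.unpack_from(LOCAL_HDR, data, off)
        name = data[off + 30:off + 30 + nlen].decode()
        extra = data[off + 30 + nlen:off + 30 + nlen + xlen]
        verdict = "unencrypted"
        if flags & 1:                                   # bit 0: some encryption is applied
            verdict = "ZipCrypto (weak)"                # 7-Zip's default for .zip unless AES is chosen
            if method == 99:                            # 99 = AES per the WinZip AE-x spec
                bits = aes_strength(extra)
                verdict = f"AES-{bits}" if bits else "AES (unknown strength)"
        results.append((name, verdict))
        off += 30 + nlen + xlen + csize                 # assumes no data descriptor (flag bit 3)
    return results

def ready_to_send(data: bytes) -> bool:
    """True only when every entry is AES-256, the bar this guide sets."""
    entries = audit_zip(data)
    return bool(entries) and all(v == "AES-256" for _, v in entries)
```

Run it over the archive before it goes to the portal or the email: a single unencrypted entry, like notes.xlsx in the mixed sample, is exactly the “one spreadsheet left unprotected” the folder workflow is meant to prevent.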

Compliance Checklist: The WISP and The Law

As a tax professional, you operate under a strict legal framework. It is critical to understand that encryption is not just a “best practice”—it is a documented requirement.

The Written Information Security Plan (WISP)

The FTC Safeguards Rule explicitly requires tax professionals to maintain a Written Information Security Plan (WISP). This isn’t just a mental checklist; it must be a physical or digital document. Your WISP must verify that you have protocols in place to encrypt customer information. If you are investigated, the first thing auditors will ask for is your WISP.

Data at Rest vs. Data in Transit

Your WISP must address two states of data:

  1. Data at Rest: This refers to files sitting on your hard drive or server.
    • Requirement: Full-disk encryption (like BitLocker for Windows or FileVault for Mac) protects you if hardware is physically stolen.
  2. Data in Transit: This refers to files moving across the internet (email, portals, cloud upload).
    • Requirement: File-level encryption (AES-256) protects you if the transmission is intercepted.

The “Human Element”

Why is this necessary? Because we make mistakes. The 2023 Verizon Data Breach Investigations Report found that 74% of breaches involved a human element, such as error, privilege misuse, or social engineering. Encryption acts as a safety net. When an employee inevitably clicks the wrong link or emails the wrong “John,” the data remains secure because the unauthorized recipient cannot decrypt it.

Best Practices for Sharing Passwords (Out-of-Band)

You have encrypted the tax return. You are ready to email it. Now you face the classic dilemma: How do I give the client the password?

The Golden Rule: Never send the password in the same email as the encrypted file. If a hacker has access to your email to steal the file, they also have access to read the password in the body of the message.

Use “Out-of-Band” Communication

You must send the decryption password via a different communication channel than the file itself. This is known as delivering the key “out-of-band.”

  • Text Message (SMS/Signal): “Hi John, I just emailed your tax return. The password to open it is: [Password].”
  • Voice Call: Call the client and dictate the password. This adds a personal touch and confirms they received the file.
  • In-Person Handoff: For high-net-worth clients, exchange passwords during your quarterly meeting.

Zero Knowledge Cloud Storage

If you use cloud storage (Google Drive, Dropbox), be careful. Unless you have a specific configuration or a “Zero Knowledge” provider, the service provider holds the encryption keys. This means a subpoena or a breach at the provider level could expose your client data. Always encrypt sensitive files before uploading them to the cloud to ensure you maintain control of the keys.

FAQ: Common CPA Encryption Questions

Is password protecting a PDF enough for IRS compliance? Generally, no. Standard PDF password protection often uses weak encryption that is easily cracked. IRS Pub 4557 requires “strong encryption.” We recommend using dedicated encryption tools that utilize AES-256 standards rather than relying on the default “Protect Document” feature in older PDF readers.

Do I really need a Written Information Security Plan (WISP)? Yes. The FTC Safeguards Rule explicitly requires tax professionals to maintain a WISP. Part of this plan must verify that you are encrypting customer information both in transit and at rest. Failure to have a WISP is a primary violation during audits.

Can I use Google Drive or Dropbox for client files? Only if configured correctly. Standard consumer versions may not be GLBA compliant. You must ensure the service signs a Business Associate Agreement (if HIPAA applies) or guarantees encryption where they do not hold the keys (Zero Knowledge). To be safe, encrypt the files locally before uploading them to these services.

What is the difference between BitLocker and file encryption? BitLocker encrypts your entire hard drive (protecting data if your laptop is stolen). File encryption protects specific files (like tax returns) when you send them over the internet. You need both to be fully compliant.

How do I securely send a QuickBooks file to a client? Never email a .qbw file directly. First, create a backup (.qbb) or portable file (.qbm). Then, use a tool like sekura.app to compress and encrypt that file with AES-256 encryption before attaching it or uploading it to a portal.

Conclusion & Implementation

In the accounting profession, security is not about convenience; it is about continuity. The “Security Six” and IRS regulations are not hurdles designed to slow you down—they are guidelines designed to keep you in business.

The threat landscape in 2025 is unforgiving, but the solution is straightforward. Don’t wait for a ransom note or an FTC letter to upgrade your workflow.

Start small. Commit to encrypting your very next client deliverable. If you need a tool that fits seamlessly into your CPA workflow without complex technical setups, try sekura.app. It offers compliant, drag-and-drop encryption that keeps your firm safe and your clients trusting you.

Protect your files with sekura.app

AES-256 encryption for your sensitive files. Simple drag-and-drop interface, works on Mac and Windows.
