Why accounting firms face unusual file risk
Accounting work is dense with some of the most sensitive data clients will ever produce: tax returns, financial statements, payroll records, audit workpapers, and pre-transaction due diligence packages. The exposure window is wide. External links pass through client email. Engagement files are shared with third-party auditors. Year-end documents move between firm and client during the precise moment they are most sensitive.
Most breaches in professional services are not dramatic infrastructure failures. They are quiet: a link forwarded once too many times, a shared folder with no expiry, a partner's device accessing files outside your control.
The regulatory context
Accounting firms operate under multiple overlapping obligations depending on jurisdiction and client type.
- GLBA (Gramm-Leach-Bliley Act) applies to firms providing financial services to US individuals, requiring safeguards for client financial data.
- GDPR applies when handling personal data of EU individuals, with direct implications for how client files are stored and shared.
- Professional ethics rules — from AICPA, ICAEW, and equivalent bodies — impose confidentiality duties on top of statutory requirements.
- SOC 2 alignment is increasingly expected by enterprise clients during vendor review.
None of these frameworks specifies which file sharing tool to use. They specify outcomes: that sensitive data is controlled, that access is logged, and that you can demonstrate it.
What most firms actually use — and why it falls short
Email attachments remain the dominant transfer method in accounting. They are fast, familiar, and completely uncontrolled after delivery. Once sent, an attachment can be forwarded to anyone, saved anywhere, and there is no revocation mechanism.
Consumer cloud storage improves on email but introduces a different problem: the provider has full access to file content. That access may be used for scanning, threat analysis, or model training. For firms with confidentiality obligations, provider-side access is not a theoretical risk. It is a governance problem.
What a compliant standard looks like
Strong file sharing for accounting firms requires four controls working together.
Client-side encryption. Files should be encrypted before upload, on the device. This eliminates provider-side plaintext access and means a platform breach does not produce readable content.
Per-document key isolation. Each file should carry its own protection. A compromised passphrase on one document does not cascade to a client's entire engagement history.
Link controls. Every shared document should carry explicit expiry, download limits, and the ability to revoke access at any moment. A link without an expiry is an indefinite access grant.
Channel separation for credentials. The link and the passphrase should travel through independent channels. Delivering both in the same email eliminates one layer of protection.
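The four controls above fit together in a single share workflow. The following is an added example, not code from the original article or from any product it describes: it derives per-document keys from a per-document passphrase and salt, encrypts on the client before upload, wraps the stored blob with an integrity tag, and enforces expiry, a download cap, revocation and an access log on the link. The cipher is an HMAC-SHA256 counter-mode stand-in chosen only to keep the example free of third-party dependencies; a real deployment would use an AEAD such as AES-GCM from a vetted library. Iteration counts, field names and the sample document are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Illustrative parameters (assumptions, not a standard). Production code should use an
# AEAD cipher from a vetted library instead of the HMAC-based stand-in below.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
NONCE_BYTES = 16
TAG_BYTES = 32


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Per-document key isolation: a fresh salt per document, so even a reused
    passphrase never yields the same key twice. Returns (enc_key, mac_key)."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used here only as a dependency-free stream cipher.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_document(plaintext: bytes, passphrase: str) -> tuple:
    """Client-side encryption: runs on the device before upload. Returns (salt, blob)
    with blob = nonce || ciphertext || tag. The provider stores salt and blob only."""
    salt = secrets.token_bytes(SALT_BYTES)
    enc_key, mac_key = derive_keys(passphrase, salt)
    nonce = secrets.token_bytes(NONCE_BYTES)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt, nonce + ciphertext + tag


def decrypt_document(salt: bytes, blob: bytes, passphrase: str) -> bytes:
    """Checks the tag before decrypting; a wrong passphrase or a modified blob fails closed."""
    nonce, body, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong passphrase or modified blob")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


@dataclass
class ShareLink:
    """Link controls: explicit expiry, download cap, revocation and an access log."""
    doc_id: str
    expires_at: datetime
    max_downloads: int
    downloads: int = 0
    revoked: bool = False
    access_log: list = field(default_factory=list)

    def check(self, now: datetime) -> tuple:
        if self.revoked:
            return False, "revoked"
        if now >= self.expires_at:
            return False, "expired"
        if self.downloads >= self.max_downloads:
            return False, "download cap reached"
        return True, "ok"

    def download(self, now: datetime, recipient: str) -> tuple:
        allowed, reason = self.check(now)
        # Every attempt is logged, allowed or not, so "who touched this file?" can be answered later.
        self.access_log.append({"at": now, "recipient": recipient, "allowed": allowed, "reason": reason})
        if allowed:
            self.downloads += 1
        return allowed, reason


def create_share(doc_id: str, now: datetime, ttl_hours: int, max_downloads: int) -> tuple:
    """Channel separation: the link and the passphrase are returned as separate values
    so the caller sends them through independent channels (e.g. email and phone)."""
    passphrase = secrets.token_urlsafe(12)  # one passphrase per document, never reused
    return ShareLink(doc_id, now + timedelta(hours=ttl_hours), max_downloads), passphrase


def simulate_share() -> dict:
    """Walks one constructed share through its lifecycle with constructed timestamps."""
    now = datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc)
    share, passphrase = create_share("client-a/tax-return-2023.pdf", now, ttl_hours=72, max_downloads=2)
    salt, blob = encrypt_document(b"constructed sample tax return contents", passphrase)
    decisions = [share.download(now + timedelta(hours=h), "cfo@client-a.example")[1] for h in (1, 2, 3)]
    share.revoked = True  # engagement closed: access ends immediately
    decisions.append(share.download(now + timedelta(hours=4), "cfo@client-a.example")[1])
    stale = ShareLink("client-b/fs-2023.pdf", now + timedelta(hours=72), 5)
    return {"decisions": decisions,
            "after_expiry": stale.download(now + timedelta(hours=73), "cfo@client-b.example")[1],
            "plaintext_hidden": b"sample tax return" not in blob,
            "round_trip": decrypt_document(salt, blob, passphrase),
            "log_entries": len(share.access_log)}
```

Running `simulate_share()` yields two allowed downloads, then "download cap reached", then "revoked", while a separate link tried one hour after its expiry returns "expired"; the stored blob never contains the plaintext and only round-trips with the matching passphrase.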
Deployment checklist for accounting firms
- Define which file categories always require encrypted sharing: tax returns, financial statements, audit workpapers, payroll records.
- Set a firm-wide default expiry for all external links.
- Establish a passphrase policy: never reused, never sent in the same message as the link.
- Assign clear ownership for active share review on a monthly cadence.
- Use geolocking for client files that must not cross regulatory jurisdictions.
Business outcomes to track
- Percentage of external client shares with active expiry and download cap.
- Time to link revocation when a client relationship ends or an engagement closes.
- Number of forwarded or re-shared links outside the intended recipient scope.
- Audit readiness: can you produce a log of every external access within 24 hours?
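These four outcomes are only useful if they can be computed from the records the sharing system keeps. The following is an added example, not code from the original article: it runs the four measurements over a small constructed set of share records and access events. The record schema, the client names and the timestamps are all assumptions; the point is that each outcome reduces to a query over two tables the firm should already have, the share register and the access log.

```python
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time
H = timedelta(hours=1)

# Constructed share register: one row per external link (hypothetical schema).
SHARES = [
    {"id": "s1", "doc": "client-a/tax-return-2023.pdf", "recipients": {"cfo@client-a.example"},
     "expires_at": T0 + 72 * H, "max_downloads": 2, "engagement_closed_at": None, "revoked_at": None},
    {"id": "s2", "doc": "client-b/audit-workpapers.zip", "recipients": {"audit@client-b.example"},
     "expires_at": None, "max_downloads": None, "engagement_closed_at": None, "revoked_at": None},
    {"id": "s3", "doc": "client-c/payroll-q1.xlsx", "recipients": {"hr@client-c.example"},
     "expires_at": T0 + 24 * H, "max_downloads": 1,
     "engagement_closed_at": T0 - 50 * H, "revoked_at": T0 - 20 * H},
    {"id": "s4", "doc": "client-d/fs-2023.pdf", "recipients": {"ceo@client-d.example"},
     "expires_at": T0 + 48 * H, "max_downloads": 3, "engagement_closed_at": T0 - 10 * H, "revoked_at": None},
]

# Constructed access log: every download attempt, allowed or not.
ACCESS_LOG = [
    {"share": "s1", "at": T0 + 1 * H, "actor": "cfo@client-a.example", "allowed": True},
    {"share": "s2", "at": T0 + 5 * H, "actor": "audit@client-b.example", "allowed": True},
    {"share": "s2", "at": T0 + 30 * H, "actor": "someone@unrelated.example", "allowed": True},  # forwarded link
    {"share": "s3", "at": T0 - 40 * H, "actor": "hr@client-c.example", "allowed": True},
]


def control_coverage(shares) -> float:
    """Percentage of external shares carrying both an active expiry and a download cap."""
    covered = sum(1 for s in shares if s["expires_at"] is not None and s["max_downloads"] is not None)
    return 100.0 * covered / len(shares) if shares else 0.0


def revocation_latency(shares) -> dict:
    """Hours from engagement close to link revocation; None means still open, i.e. overdue."""
    out = {}
    for s in shares:
        if s["engagement_closed_at"] is None:
            continue  # engagement still active, nothing to revoke yet
        out[s["id"]] = None if s["revoked_at"] is None else (s["revoked_at"] - s["engagement_closed_at"]) / H
    return out


def out_of_scope_accesses(shares, log) -> list:
    """Events by actors who were not intended recipients: the fingerprint of a re-shared link."""
    scope = {s["id"]: s["recipients"] for s in shares}
    return [e for e in log if e["actor"] not in scope[e["share"]]]


def accesses_in_window(log, now, hours=24) -> list:
    """The audit-readiness question: every external access in the last N hours, in order."""
    since = now - hours * H
    return sorted((e for e in log if since <= e["at"] <= now), key=lambda e: e["at"])


def kpi_report(shares=SHARES, log=ACCESS_LOG, now=T0 + 36 * H) -> dict:
    """Pulls the four outcomes together into one report for the monthly share review."""
    latency = revocation_latency(shares)
    return {
        "control_coverage_pct": control_coverage(shares),
        "revocation_latency_hours": latency,
        "overdue_revocations": sorted(k for k, v in latency.items() if v is None),
        "out_of_scope_access_count": len(out_of_scope_accesses(shares, log)),
        "accesses_last_24h": [e["share"] for e in accesses_in_window(log, now)],
    }
```

On the constructed data the report flags share s2 twice (no expiry or cap, and an access by an actor outside its recipient set), shows s3 revoked 30 hours after its engagement closed, and lists s4 as closed but still live.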
Rollout approach
Start with the highest-sensitivity engagement type in your portfolio — M&A due diligence, or a client with explicit data handling requirements. Validate the workflow with that team, then standardize across all client-facing document delivery.