The Non-Negotiable Rules for Secure Remote Access and Protecting Client Tax Data (IRS Pub 4557 Compliance)

Remote work is no longer an occasional perk during tax season; it’s the new normal. But remote access can quietly create vulnerabilities, and attackers know it.

According to Verizon’s 2025 DBIR, stolen credentials account for a significant portion of breaches, often giving hackers direct access to accounting platforms or email inboxes full of sensitive client records.

Tax professionals can maintain flexibility while protecting client data by following updated guidance. The rules shifted when the IRS tied tax practices to the FTC Safeguards Rule and Pub 4557, making secure remote access a baseline requirement. Today, any connection to taxpayer data must be protected by default.

Why Remote Access Brings Additional Security Responsibilities

Taxpayer data has always required careful handling, but Pub 4557, guidance issued by the Internal Revenue Service to help tax professionals protect sensitive taxpayer data, raises the stakes by spelling out “reasonable safeguards.” These include:

  • Multi-factor authentication (MFA)
  • Encryption
  • Access controls
  • Documented security plans

The Safeguards Rule, issued by the Federal Trade Commission (FTC), is a legal framework designed to ensure businesses handle sensitive information responsibly and reduce the risk of data breaches. It requires firms to maintain a written security program and implement breach-notification procedures whenever unencrypted data is exposed. Many firms don’t realize that these requirements apply even when a tax preparer works from home or accesses client files on a laptop in a café.

The Non-Negotiable Rules for Secure Remote Access

To protect client data in today’s remote work environment, certain safeguards are essential. The rules below are drawn from real-world incidents, federal requirements, or both, and they form the foundation of secure remote access.

1. Protect Every Login with Multi-Factor Authentication

Attackers often target credentials because they provide a quiet, effective way into systems. Verizon reports that about 88% of basic web-app attacks rely on stolen usernames and passwords. Implementing multi-factor authentication (MFA) disrupts that pattern, blocking unauthorized access even if credentials are compromised.

Pub 4557 and the Safeguards Rule consider MFA essential for tax software, portals, and VPNs. Put simply: any system where a password gives access to taxpayer data should require MFA.

2. Route All Remote Work Through a Hardened VPN or Zero-Trust Gateway

Unrestricted Remote Desktop Protocol (RDP) sessions remain one of the fastest ways for attackers to breach a network. CISA and the NSA have repeatedly warned that unpatched VPN devices and exposed remote desktop tools can lead to full network compromise. Pub 4557 reflects this guidance by listing secure VPN connections as part of its “Security Six.”

Some firms now adopt zero-trust access, which grants permissions to individual applications instead of the entire network. Both approaches are effective when they include:

  • encrypted tunnels
  • strict authentication
  • monitored sessions

3. Encrypt Data in Every Direction

Encryption is not optional under the Safeguards Rule. It must cover data in transit and at rest. That includes laptops used at home, external drives, backups, and file exchanges. 

Document transfers deserve special attention. Email alone is not enough for sensitive files. Many firms now rely on portals or encrypted cloud exchanges connected to their cloud phone systems or productivity suites.

4. Lock Down Privileged Accounts

Attackers typically target administrator accounts, not regular users. Once an administrator account is compromised, attackers can take control of the entire network. Effective controls include:

  1. Single sign-on with role-based access
  2. Short-lived admin permissions
  3. Separate credentials for remote tools
  4. Continuous log review

5. Harden Endpoints and Home Offices

A surprising number of breaches start in home office environments, not on corporate servers. Someone connects over old Wi-Fi, opens a phishing email, or uses a shared device to access tax software. Pub 4557 stresses firewalls, antivirus, drive encryption, and up-to-date systems as part of baseline hygiene.

Managed protection makes a big difference here. Modern tools take care of patching, monitoring, and remote troubleshooting. When home setups follow the same practices, overall risk decreases quickly.

6. Use Secure Collaboration Tools Instead of Attachments

Why does the IRS caution so heavily against email attachments? Criminals often impersonate the IRS, tax software vendors, or cloud providers, and unsuspecting users click. This can allow attackers to steal session cookies and credentials, or even gain full remote access.

A safer workflow relies on:

  • Encrypted portals
  • Secure file-sharing
  • Clear rules about personal email
  • Documented vendor requirements

7. Monitor Remote Access and Respond Quickly

Detection speed shapes the cost of a breach. IBM’s 2025 report found that organizations with strong monitoring saved nearly $2M compared with those that lacked controls. Logs from VPNs, cloud apps, and endpoints reveal early signs of trouble, such as odd login hours, new device fingerprints, or large data transfers.

Why does this matter for Pub 4557? Because the FTC requires firms to investigate security events and adjust safeguards as needed. You can’t fix what you can’t detect.
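
As an added example (not part of the original article or any vendor's tooling), the following Python script checks remote-access session records for the three signals named above: odd login hours, new device fingerprints, and large data transfers. The log format, field names, working-hours window, and 10x transfer threshold are assumptions, and the sample records are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample VPN session log; the column names are assumptions,
# not the export format of any particular VPN product.
SAMPLE_LOG = """timestamp,user,device_id,bytes_out
2025-03-03T09:12:00,alice,dev-a1,48000000
2025-03-03T10:05:00,bob,dev-b1,52000000
2025-03-04T09:30:00,alice,dev-a1,51000000
2025-03-04T14:10:00,bob,dev-b1,47000000
2025-03-05T02:41:00,alice,dev-a1,50000000
2025-03-05T11:00:00,bob,dev-x9,49000000
2025-03-06T09:20:00,alice,dev-a1,2400000000
"""

WORK_HOURS = range(7, 20)   # assumed policy: logins expected 07:00-19:59
TRANSFER_FACTOR = 10        # assumed: flag sessions 10x the user's prior average


def find_anomalies(log_text):
    """Return (timestamp, user, reason) tuples for sessions matching a signal."""
    known_devices = {}  # user -> device ids seen in earlier sessions
    history = {}        # user -> bytes_out of earlier sessions
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, user, dev = row["timestamp"], row["user"], row["device_id"]
        sent = int(row["bytes_out"])

        # Signal 1: login outside the expected working window.
        if datetime.fromisoformat(ts).hour not in WORK_HOURS:
            alerts.append((ts, user, "odd_login_hour"))

        # Signal 2: device not seen before for this user.
        # The first device per user only establishes the baseline.
        seen = known_devices.setdefault(user, set())
        if seen and dev not in seen:
            alerts.append((ts, user, "new_device"))
        seen.add(dev)

        # Signal 3: outbound volume far above the user's own prior average.
        prior = history.setdefault(user, [])
        if prior and sent > TRANSFER_FACTOR * (sum(prior) / len(prior)):
            alerts.append((ts, user, "large_transfer"))
        prior.append(sent)
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(*alert)
```

Baselines here are built from the log itself, so the first session for each user is never flagged for device or volume; a production deployment would seed them from an enrolled-device inventory and a longer history.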

Strengthen Your Defenses With Proactive Support

Tax data is highly sensitive. One compromised remote-access account can lead to months of remediation, frustrated clients, and regulatory attention. By following the safeguards above, firms reduce risk and operate with greater confidence.

If your team needs help implementing these safeguards, Unbound Digital can assist with secure VPN deployments, cloud access controls, MFA enforcement, and endpoint protection. To discuss your security plan, call 423‑467‑7777 or contact us through our online form.

Article FAQ

What does IRS Pub 4557 expect from firms using remote access?

IRS Pub 4557 sets clear expectations for anyone handling taxpayer data. Mandatory safeguards include multi-factor authentication (MFA), encryption, secure VPN use, and written security procedures. These controls apply whether a preparer works in the office or remotely, since attackers often target the weakest access point. The goal is to ensure every access path is secured before client data is ever opened.

Why is MFA the top control for tax professionals?

MFA blocks most unauthorized access by preventing stolen passwords from granting immediate entry into tax software or email accounts. Since attackers rely heavily on credential theft, this extra verification step provides strong protection with minimal disruption for legitimate users. It remains one of the simplest and most effective defenses for small firms.

Do remote workers need encrypted devices?

Yes. Any device handling taxpayer data must be encrypted, whether it’s office-owned or used at home. Encryption safeguards data if a laptop is lost, stolen, or compromised, and regulators consider it a core requirement, not an optional precaution.