It’s long been said that emails should be treated like postcards – only use them when you don’t mind them being read by the postman.
Email, by its nature, is horribly insecure. The underlying technology (SMTP) was designed and built by a bunch of Californian geek types (at UCLA, mainly) who gave almost NO thought to security because it was assumed that it would be used within a single organisation only.
When you send an email, it travels to its destination via other people’s hardware – that’s the way the Internet works. The exact route taken can vary from minute to minute.
If you send a draft tax return to a client as an unencrypted PDF file, that file can be intercepted and read with an ease that makes postcards look like paragons of discretion.
Now, let’s not overstate things. The reality, of course, is that the chances of this actually happening are tiny – not many people are THAT interested in your client’s tax returns, and they’d have to wade through the VAST quantities of other data that is streaming across that corner of the Internet.
Nevertheless – it can be argued that sending something like a tax return over unencrypted email could be a breach of your responsibilities under the Data Protection Act. All it would take is the right combination of high-profile client and tabloid feeding-frenzy, and your PII providers will be earning their money for the next few months.
The solution doesn’t have to be complex. Every PDF-creation system I’ve seen (including the ones built into tax products) has an option to set a password. This feature encrypts the data in the PDF to a degree that will deter all but the most determined (and well resourced).
Make arrangements with each of your clients to use a standard password for all email communications, and make sure that this password is used whenever sending email attachments. It’s an extra hassle for your staff, but one day, it’s going to save your bacon.
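A pre-send check for the rule above, as an added example that is not part of the original post: it scans a message's PDF attachments for the `/Encrypt` entry that a password-protected PDF carries, and also reports the cipher family, which goes beyond what the post covers. The function names and the two skeleton PDFs are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed skeleton PDFs (structure only, not real documents).
PLAIN = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
         b"trailer\n<< /Root 1 0 R /Size 2 >>\n%%EOF\n")
ENCRYPTED = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"2 0 obj\n<< /Filter /Standard /V 4 /R 4 /Length 128 "
             b"/CF << /StdCF << /CFM /AESV2 /Length 16 >> >> "
             b"/StmF /StdCF /StrF /StdCF >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R /Encrypt 2 0 R /Size 3 >>\n%%EOF\n")

ENCRYPT_REF = re.compile(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R")

def pdf_protection(pdf: bytes) -> str:
    """Return 'none', 'rc4', 'aes' or 'unknown' for a PDF's password protection."""
    ref = ENCRYPT_REF.search(pdf)
    if ref is None:
        # An inline /Encrypt dictionary is legal but rare: encrypted, cipher not parsed.
        return "unknown" if re.search(rb"/Encrypt\s*<<", pdf) else "none"
    num, gen = ref.groups()
    # The encryption dictionary is never compressed, so it can be read as plain bytes.
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen +
                    rb"\s+obj\s*<<(.*?)>>\s*endobj", pdf, re.S)
    body = obj.group(1) if obj else b""
    if b"/AESV2" in body or b"/AESV3" in body:
        return "aes"
    # /V 1 and /V 2, and the /V2 crypt filter method, all mean RC4.
    return "rc4" if re.search(rb"/V\s+[12]\b|/CFM\s*/V2\b", body) else "unknown"

def audit_message(raw: bytes) -> dict:
    """Map each PDF attachment's filename to its protection level."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if data.lstrip().startswith(b"%PDF-"):
            report[part.get_filename() or "(unnamed)"] = pdf_protection(data)
    return report

def safe_to_send(raw: bytes) -> bool:
    """True when no PDF attachment is going out without a password."""
    return "none" not in audit_message(raw).values()

def sample_message() -> bytes:
    """Constructed email with one unprotected and one protected PDF attached."""
    msg = EmailMessage()
    msg["Subject"] = "Draft tax return"
    msg.set_content("Draft attached.")
    for name, pdf in (("draft-plain.pdf", PLAIN), ("draft-locked.pdf", ENCRYPTED)):
        msg.add_attachment(pdf, maintype="application", subtype="pdf", filename=name)
    return msg.as_bytes()
```

The check only confirms that encryption is present and which cipher the file declares; it says nothing about how guessable the agreed password is.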