
If you prepare tax returns, manage audits, or handle client financials from anywhere outside your office — a coffee shop, a client's conference room, a hotel, or your home — you are transmitting some of the most sensitive data that exists. Social Security numbers. Bank account details. Business financials. Tax filings.

And the IRS, along with the Federal Trade Commission, expects you to protect it.

A VPN is not optional for CPAs and accountants who work remotely. It is a specific requirement under two federal frameworks that govern your practice. Here is what you need to know.

What the Law Actually Requires

Two regulations directly apply to CPA firms and independent tax professionals:

IRS Publication 4557 — Safeguarding Taxpayer Data

IRS Publication 4557 requires all tax preparers to develop and implement a written data security plan. That plan must include specific safeguards: encryption for data in transit, multi-factor authentication, access controls, and — critically — a VPN for any remote access to systems that handle taxpayer information. Non-compliance can result in the loss of your PTIN or EFIN, which means you cannot e-file during tax season.

FTC Safeguards Rule

CPA firms are classified as financial institutions under the Gramm-Leach-Bliley Act. That places them under the FTC Safeguards Rule, which mandates a Written Information Security Plan, a designated security coordinator, and documented safeguards including encryption and VPN for remote access. As of January 2025, FTC fines for violations reach $50,120 per violation. The average cost of a data breach for a firm of any size now reaches $4.44 million.

This is not theoretical risk. The IRS reported a 50% increase in financial data protection audits in recent years. Small and mid-size CPA firms are prime targets precisely because they hold high-value data but often have fewer IT resources than large enterprises.

CyberFence meets IRS and FTC requirements for remote access security.

AES-256-GCM encryption, zero-logs policy, and US-operated infrastructure — built for professionals who handle sensitive data.


The Real Risks CPAs Face Working Remotely

Accountants are targeted specifically because of the data they hold. The most common threats are not elaborate hacking operations — they are straightforward attacks that exploit unprotected connections and human error.

Public Wi-Fi Interception

Connecting to a client portal, tax software, or cloud storage over a coffee shop or hotel Wi-Fi network without a VPN means your traffic is visible to anyone on that same network. An attacker using a packet sniffer can capture login credentials and session tokens in minutes. This is not a rare scenario — it is a documented attack vector used routinely at airports, hotels, and co-working spaces.

Phishing and Credential Theft

81% of breaches involve stolen credentials, according to security research. Tax season brings a surge of highly convincing phishing emails impersonating the IRS, QuickBooks, Drake Software, and payroll platforms. A VPN with Web Shield DNS blocking stops connections to known phishing domains before they load — adding a layer of protection that email filters alone cannot provide.

Man-in-the-Middle Attacks

On an unsecured connection, an attacker positioned between you and your destination server can intercept and modify data in transit. Sending a client's financial documents over unencrypted Wi-Fi without a VPN creates exactly this exposure. AES-256-GCM encryption eliminates it by making intercepted data unreadable.

Ransomware During Tax Season

Ransomware attacks on accounting firms spike before major tax deadlines. Attackers know you cannot afford downtime. A VPN reduces your exposure by encrypting your connection and preventing malicious actors from easily mapping your network traffic and identifying attack surfaces.

What to Look for in a VPN as a CPA or Accountant

Not all VPNs are built for professional use. As someone handling client financial data, these are the features that actually matter:

AES-256 Encryption

The IRS and FTC both require encryption for data in transit. Look specifically for AES-256-GCM — the same encryption standard used by federal agencies. Anything less is not compliant with IRS Publication 4557 guidance.

Zero-Logs Policy

Your VPN provider should not store records of your browsing activity, connection times, or IP addresses. If a provider cannot demonstrate a verified no-logs policy, your client data is potentially accessible to that provider — a GLBA violation waiting to happen.

US-Operated Infrastructure

For accounting professionals handling US taxpayer data, a VPN operated by a company subject to US law matters. Offshore VPN providers operate under different legal frameworks, and their data handling practices may not align with IRS or FTC requirements. A US-operated VPN means the company is accountable under the same legal system you are.

Kill Switch

A kill switch automatically cuts your internet connection if the VPN drops unexpectedly — preventing any unencrypted traffic from leaking before you notice the disconnect. This is essential for maintaining continuous encryption compliance.

Web Shield / DNS Filtering

DNS-level blocking stops connections to known malware and phishing domains before they load. For tax professionals who receive high volumes of email and access many third-party portals, this adds a meaningful layer of protection against credential theft.

How CPAs Use a VPN in Practice

Using a VPN as an accounting professional does not require any technical expertise. Here is what your workflow looks like:

  • Before connecting to any tax software remotely — turn on CyberFence. Your connection to Drake, ProSeries, UltraTax, or any cloud-based platform now travels through an encrypted tunnel between your device and the VPN server.
  • Before opening client portals — connect to the VPN first. Documents you upload or download are transmitted through an encrypted tunnel, not over your raw internet connection.
  • Working from a hotel or airport — connect to CyberFence before opening anything. Public Wi-Fi becomes a non-issue because your traffic is encrypted before it hits the network.
  • Video calls with clients — a VPN does not meaningfully slow modern video conferencing. You get encrypted protection without any noticeable performance impact.

CyberFence runs quietly in the background across iPhone, iPad, Mac, Windows, and Android. One subscription covers all your devices, and the app reconnects automatically if your connection drops — so you stay protected without having to think about it.

Does a VPN Alone Make You Fully Compliant?

A VPN is a required component of FTC Safeguards Rule and IRS Publication 4557 compliance — but it is one piece of a broader security plan. Your Written Information Security Plan also needs to address:

  • Multi-factor authentication on all systems that access client data
  • Secure client portals for document sharing (not email attachments)
  • Regular security awareness training for staff
  • Access controls and quarterly access reviews
  • Incident response procedures
  • Vendor security certifications for any third-party software you use

That said, a VPN is the fastest and most immediate step you can take to protect data in transit — and it is one of the most explicitly called out requirements in both frameworks. If you are working remotely without one, that is the first gap to close.

What a Data Breach Costs a CPA Firm

The numbers are worth stating plainly. A single data breach at a CPA firm now averages $4.44 million in total cost. FTC fines for Safeguards Rule violations reach $50,120 per violation. Breach notification costs average $245 per affected client — and if you have 200 clients whose Social Security numbers were exposed, that is $49,000 in notification costs alone, before legal fees, remediation, or regulatory investigation.

CyberFence costs $7.99 per month. The math is not complicated.

Built for professionals who cannot afford a breach.

CyberFence is US-operated, HIPAA and GLBA-ready, with AES-256-GCM encryption and a verified zero-logs policy. Protect your practice and your clients starting today.


Bottom Line

CPAs and accountants working remotely face real, documented cybersecurity threats — and real regulatory obligations that require them to act. A VPN that meets IRS and FTC standards is not a nice-to-have. It is a line item in your data security plan.

CyberFence gives you AES-256-GCM encryption, Web Shield DNS blocking, a zero-logs policy, and US-operated infrastructure — everything an accounting professional needs to work securely from anywhere, on any device, without disrupting their workflow.

Your clients trust you with the most sensitive financial data of their lives. CyberFence helps you protect it.