Mid-Tier Accounting Firm Case Study

Mid-Tier Accounting Firm in the United StatesCatching the Tax Manager Who Uploaded 200+ Client 1099s to Google Drive — For "Working From Home"

When a client received another person's tax return in an email from the firm, the IT security team discovered a tax manager had been uploading 200+ client 1099 forms to personal Google Drive — "because the shared drive was too slow when working from home." The firm's USB blocklist couldn't see webmail. PrivateDLP's AI screen auditing caught the browser-based upload and gave the compliance team the screenshot evidence they needed for the regulatory disclosure.

200+
Client Records Exposed Via Webmail
Zero
Client Data Incidents After Deployment
28%
Non-Billable Time Discovered in Tax Season

Executive Summary

The client is a mid-size accounting firm in the United States — providing audit, tax preparation, and consulting services to mid-market corporate clients and high-net-worth individuals. The tax season runs from January through April, with 50+ preparers working across the main office and two satellite locations. The firm processes everything from corporate tax returns to individual 1099s, W-2s, and audit workpapers — all of which represent client confidentiality obligations under IRS regulations and professional standards.

The triggering event was a phone call from a corporate client: they had received another client's tax return in an email from the firm. The IT security team's investigation found that a tax manager had been uploading 200+ client 1099 forms to personal Google Drive for three weeks — "because the shared drive was too slow when working from home." The firm's USB blocklist couldn't see webmail. When the regulatory disclosure obligation came up, the compliance team had no screenshot evidence of what had actually happened — only the aftermath of a client complaint.

What the firm bought was PrivateDLP's AI screen auditing — specifically the capability to detect browser-based uploads of client files to personal cloud storage, with screenshot evidence for regulatory disclosure. What they also discovered: during the previous tax season, the tax department was averaging 28% non-billable time — social media, streaming video, personal errands — because there was no supervision and no one had ever measured.

Browser-Based Client Data Upload Detection With Screenshot Evidence
Tax Season Productivity Monitoring Across Preparers
Plain-English Rule Definition for Tax Partners
On-Premises Screenshot Storage for Regulatory Disclosure

Client Profile

The client is a mid-size accounting firm in the United States — providing audit, tax preparation, and consulting services to mid-market corporate clients and high-net-worth individuals. The tax season runs from January through April, with 50+ preparers working across the main office and two satellite locations. The firm's client data includes corporate tax returns, individual W-2s and 1099s, audit workpapers, and financial statements — all of which represent client confidentiality obligations under IRS regulations, state tax boards, and professional standards (AICPA).

Office Locations

Main office plus two satellite locations with 50+ tax preparers during peak season

Client Data Types

Corporate tax returns, W-2s, 1099s, audit workpapers, financial statements

Compliance Requirements

IRS regulations, state tax board requirements, AICPA professional standards

Workforce Structure

Partners, managers, senior preparers, and seasonal staff with varying technology familiarity

The Challenges

Running a mid-size accounting firm during tax season — with 50+ preparers across multiple offices, handling sensitive client financial data with regulatory disclosure obligations

USB Blocklist Can't Catch Webmail-Based Client Data Transfers — And That's How the 1099s Were Actually Leaving

The firm's USB blocklist policy blocked unauthorized removable storage on tax preparer workstations. None of that stopped a tax manager from opening Google Drive in Chrome and uploading 200+ client 1099 forms to a personal account — 'because the shared drive was too slow when working from home.' When a client called to report receiving someone else's tax return, the IT team had no logs showing what had happened. The tax manager wasn't trying to steal anything. She genuinely didn't think uploading to her personal Google Drive was a problem. The firm's blocklist had no visibility into browser-based file transfers — and no way to produce screenshot evidence for the regulatory disclosure.

Tax Season Productivity: 28% Non-Billable Time Because No One Had Measured

The tax partners knew that productivity varied during tax season but had no data to explain why some preparers were faster than others, or why certain clients took longer than comparable returns. What PrivateDLP's AI screen auditing found: the tax department was averaging 28% non-billable time — social media, streaming video, personal errands — spread across the team. Not everyone. But enough to matter. Three preparers were consistently above 40% non-billable during peak season.

Seasonal Staff With Full Client Data Access — No Baseline, No Accountability

Tax season brings 20+ seasonal staff who need full access to client records to prepare returns. The firm had no way to establish a productivity baseline for seasonal workers — no data on what a reasonable number of returns per day looked like, no visibility into whether they were actually working during billed hours. One seasonal preparer was discovered spending 3+ hours per day on personal social media during billed client time. The partner found out from the AI report, not from any internal alert.

No Screenshot Evidence for Regulatory Disclosure — Only the Aftermath of a Client Complaint

When the IRS disclosure obligation came up after the 1099 incident, the compliance team needed to document what had happened. The IT team produced system logs — which showed the tax manager's workstation had been active, but not what files had been opened, uploaded, or transferred. The regulatory inquiry took three weeks to answer because there was no screenshot evidence. The firm had to reconstruct events from memory and email records rather than presenting a clean incident timeline.

The Solution: PrivateDLP

The firm chose PrivateDLP for two capabilities its existing stack didn't have: AI screen auditing that could catch browser-based client data uploads with screenshot evidence, and productivity monitoring that could show tax partners what preparers were actually doing during billed hours

Browser-Based Client Data Upload Detection

The core capability the firm needed: AI screen auditing that could detect when a preparer had a client file open alongside a personal cloud upload window — and preserve the screenshot as evidence. The tax partner writes rules in plain English: "flag any screenshot showing a client tax file open alongside a personal cloud upload window." The IT administrator deploys the rule from the server console the same day.

Tax Season Productivity Visibility

The tax partners wanted data on what preparers were actually doing during billed hours. PrivateDLP's AI screen auditing captured screenshots approximately every minute and analyzed them for non-billable activity. The first report showed 28% non-billable time across the tax department — social media, streaming video, personal errands. The tax partners had something in writing for the first time.

Deployment: The Windows client was deployed across 80+ tax preparation workstations across the main office and two satellite locations. Screenshots are stored on the firm's own Windows server — which was a procurement requirement for the regulatory disclosure process. The tax partners own the productivity rule definitions. The IT administrator handles deployment and incident review.

Implementation & Key Capabilities

PrivateDLP gave the accounting firm two capabilities it didn't have before: browser-based client data upload detection with screenshot evidence, and productivity monitoring that tax partners could operate without vendor consultants

Browser-Based Client Data Upload Detection With Screenshot Evidence

The capability the firm was buying: AI screen auditing that could catch browser-based personal cloud uploads alongside open client files — with timestamped screenshot evidence for regulatory disclosure:

  • Plain-language rule definition: A tax partner writes a rule like 'flag any screenshot showing a client tax file open alongside a personal cloud upload window' — no regex, no DLP consultant
  • Screenshot evidence on demand: When a rule fires, the triggering screenshot is preserved — timestamped, linked to the workstation, available for regulatory review and compliance disclosure
  • Customizable alert content: The IT administrator defines what the alert says and who receives it when specific rules are triggered — tax partner, compliance team, or both
  • AI model flexibility: Screenshots are analyzed by their own LLM — all data stays within the firm's own server infrastructure

Tax Season Productivity Monitoring — In Plain English

The tax partners wanted visibility into what preparers were actually doing during billed hours. PrivateDLP's AI screen auditing provided it — with rules the tax partners wrote themselves:

  • Plain-language productivity rules: The tax partner writes rules like 'flag any screenshot showing social media during work hours' or 'flag any screenshot showing streaming video during tax season'
  • Role-specific baselines: Seasonal staff have their own baseline — what counts as productive versus non-billable is configured per role, not one rule for all preparers
  • Department-level reporting: The AI produces a weekly breakdown by office and role — showing work time versus non-billable time, per preparer, during tax season
  • Privacy-first design: Screenshots are deleted immediately after AI analysis unless a rule is triggered — protecting preparer privacy while providing the data the tax partners need

USB Controls With Tax Preparation Flexibility

The firm needed USB controls that wouldn't interfere with legitimate tax preparation workflows while blocking personal USB devices:

  • Approved device whitelist: Only firm-approved encrypted USB devices used for legitimate tax preparation — external hard drives for client file backups, licensed software keys — are allowed. Personal devices are blocked.
  • Department-based policies: Tax preparers have different USB policies than audit staff or administrative personnel — configured by role, not by individual
  • Automatic device scanning: All USB devices undergo antivirus scanning upon insertion — preventing malware from entering the firm network through contaminated drives
  • Audit trail for USB events: Every USB device connection is logged — user, timestamp, device ID — creating accountability for device usage during client engagements

On-Premises Screenshot Storage for Regulatory Disclosure

The regulatory disclosure process required evidence that the firm could produce quickly and reliably. PrivateDLP's storage options addressed the compliance requirement:

  • On-premises screenshot storage: All screenshots are stored on the firm's own Windows server — not in a third-party cloud. This was a hard requirement for the firm's compliance and legal team.
  • Chain of custody documentation: When a rule fires, the screenshot is preserved with full metadata — timestamp, workstation ID, user account, rule triggered — creating an auditable chain of custody.
  • Retention and access controls: Screenshots are retained for 180 days on-premises, with role-based access controls — only the compliance team and designated partners can view incident screenshots.
  • Regulatory-ready reporting: The IT administrator can generate a report showing all triggered rules, screenshots preserved, and actions taken — for IRS inquiries and state tax board reviews.

What Changed at the Firm

Three months after deployment — during the following tax season — the tax partners are writing their own productivity rules, the IT team has screenshot evidence on demand, and the compliance team has a documented incident response process for the next regulatory inquiry

Metric / ObjectiveBefore PrivateDLPAfter PrivateDLP
Browser-Based Client Data Upload Detection
USB blocklist showed nothing; the Google Drive uploads were discovered from a client calling to report receiving someone else's tax return, not from any internal alert1 confirmed personal cloud upload violation in the first 60 days — a preparer uploading client W-2s to personal Dropbox before leaving for another firm
Tax Season Productivity Visibility
The tax partners knew productivity varied during tax season but had no data — only anecdotal observations from managersAI productivity reports showed 28% average non-billable time across the tax department — with three preparers consistently above 40% during peak season
Regulatory Disclosure Evidence
System logs showed workstation activity but not what files were opened, uploaded, or transferred — the IRS inquiry took three weeks to answerScreenshot evidence is preserved at the moment of rule violation — timestamped, linked to the workstation and user account, available for the next regulatory inquiry
Productivity Rule Deployment Time
New productivity rules required a vendor consultant and regex expertise — the tax partners couldn't write or update rules without IT support and vendor engagementThe tax partner writes rules in plain English; the IT administrator deploys them from the server console in under an hour. First rule was deployed within the first week
Browser-Based Client Data Upload Detection
1 in 60 days
Tax Season Productivity Visibility
28% non-billable detected
Regulatory Disclosure Evidence
Evidence available
Productivity Rule Deployment Time
Self-sufficient

"The thing that opened the conversation with our compliance team wasn't about us having a data breach. It was about us having no way to prove we hadn't — or to show what actually happened. When the IRS inquiry came, we could show them system logs that said the preparer's workstation had been active. We couldn't show them what she'd actually done with the files. That was the moment our IT director understood what we were missing. The screenshot evidence is what makes this work for an accounting firm. The next time an inquiry comes, we can show them exactly what happened."

— Head of IT Security
Mid-Tier Accounting Firm, United States

"I wrote the first rule myself. The IT team didn't have to call a vendor or build a regex pattern. I just said 'flag any screenshot showing a client tax file open next to a personal cloud upload window' and they deployed it the same afternoon. Three months in, I've written rules for personal cloud uploads with client data visible, streaming video during tax season, and social media during work hours. The IT team is happy because I'm not asking them to build custom DLP policies. I'm happy because I actually have visibility into what my preparers are doing during billed hours. The part that made this procurementable for an accounting firm: screenshots don't leave our infrastructure. Our compliance team and legal counsel asked about that specifically."

— Tax Partner

The firm's deployment is scoped to 80+ tax preparation workstations across the main office and two satellite locations — managed from a single Windows server, with screenshot storage on the firm's own infrastructure. The tax partners own the productivity rule definitions. The IT administrator handles deployment and incident review. The arrangement is self-sustaining: when a new concern emerges during tax season, the tax partner writes the rule and the IT administrator deploys it the same day.

What the firm bought wasn't a full security overhaul. It was a tool that fit two specific gaps: screen-level visibility on tax preparation workstations where client files live, and productivity monitoring that the tax partners could actually operate without calling a vendor consultant. The deployment stayed within the firm's budget, server infrastructure, and compliance procurement requirements — and it gave the tax partners something they'd never had before: their own rule set, deployed without waiting for IT vendor engagement.