Mid-Tier Accounting Firm in the United StatesCatching the Tax Manager Who Uploaded 200+ Client 1099s to Google Drive — For "Working From Home"
When a client received another person's tax return in an email from the firm, the IT security team discovered a tax manager had been uploading 200+ client 1099 forms to personal Google Drive — "because the shared drive was too slow when working from home." The firm's USB blocklist couldn't see webmail. PrivateDLP's AI screen auditing caught the browser-based upload and gave the compliance team the screenshot evidence they needed for the regulatory disclosure.
Executive Summary
The client is a mid-size accounting firm in the United States — providing audit, tax preparation, and consulting services to mid-market corporate clients and high-net-worth individuals. The tax season runs from January through April, with 50+ preparers working across the main office and two satellite locations. The firm processes everything from corporate tax returns to individual 1099s, W-2s, and audit workpapers — all of which represent client confidentiality obligations under IRS regulations and professional standards.
The triggering event was a phone call from a corporate client: they had received another client's tax return in an email from the firm. The IT security team's investigation found that a tax manager had been uploading 200+ client 1099 forms to personal Google Drive for three weeks — "because the shared drive was too slow when working from home." The firm's USB blocklist couldn't see webmail. When the regulatory disclosure obligation came up, the compliance team had no screenshot evidence of what had actually happened — only the aftermath of a client complaint.
What the firm bought was PrivateDLP's AI screen auditing — specifically the capability to detect browser-based uploads of client files to personal cloud storage, with screenshot evidence for regulatory disclosure. What they also discovered: during the previous tax season, the tax department was averaging 28% non-billable time — social media, streaming video, personal errands — because there was no supervision and no one had ever measured.
Client Profile
The client is a mid-size accounting firm in the United States — providing audit, tax preparation, and consulting services to mid-market corporate clients and high-net-worth individuals. The tax season runs from January through April, with 50+ preparers working across the main office and two satellite locations. The firm's client data includes corporate tax returns, individual W-2s and 1099s, audit workpapers, and financial statements — all of which represent client confidentiality obligations under IRS regulations, state tax boards, and professional standards (AICPA).
Office Locations
Main office plus two satellite locations with 50+ tax preparers during peak season
Client Data Types
Corporate tax returns, W-2s, 1099s, audit workpapers, financial statements
Compliance Requirements
IRS regulations, state tax board requirements, AICPA professional standards
Workforce Structure
Partners, managers, senior preparers, and seasonal staff with varying technology familiarity
The Challenges
Running a mid-size accounting firm during tax season — with 50+ preparers across multiple offices, handling sensitive client financial data with regulatory disclosure obligations
USB Blocklist Can't Catch Webmail-Based Client Data Transfers — And That's How the 1099s Were Actually Leaving
The firm's USB blocklist policy blocked unauthorized removable storage on tax preparer workstations. None of that stopped a tax manager from opening Google Drive in Chrome and uploading 200+ client 1099 forms to a personal account — 'because the shared drive was too slow when working from home.' When a client called to report receiving someone else's tax return, the IT team had no logs showing what had happened. The tax manager wasn't trying to steal anything. She genuinely didn't think uploading to her personal Google Drive was a problem. The firm's blocklist had no visibility into browser-based file transfers — and no way to produce screenshot evidence for the regulatory disclosure.
Tax Season Productivity: 28% Non-Billable Time Because No One Had Measured
The tax partners knew that productivity varied during tax season but had no data to explain why some preparers were faster than others, or why certain clients took longer than comparable returns. What PrivateDLP's AI screen auditing found: the tax department was averaging 28% non-billable time — social media, streaming video, personal errands — spread across the team. Not everyone. But enough to matter. Three preparers were consistently above 40% non-billable during peak season.
Seasonal Staff With Full Client Data Access — No Baseline, No Accountability
Tax season brings 20+ seasonal staff who need full access to client records to prepare returns. The firm had no way to establish a productivity baseline for seasonal workers — no data on what a reasonable number of returns per day looked like, no visibility into whether they were actually working during billed hours. One seasonal preparer was discovered spending 3+ hours per day on personal social media during billed client time. The partner found out from the AI report, not from any internal alert.
No Screenshot Evidence for Regulatory Disclosure — Only the Aftermath of a Client Complaint
When the IRS disclosure obligation came up after the 1099 incident, the compliance team needed to document what had happened. The IT team produced system logs — which showed the tax manager's workstation had been active, but not what files had been opened, uploaded, or transferred. The regulatory inquiry took three weeks to answer because there was no screenshot evidence. The firm had to reconstruct events from memory and email records rather than presenting a clean incident timeline.
The Solution: PrivateDLP
The firm chose PrivateDLP for two capabilities its existing stack didn't have: AI screen auditing that could catch browser-based client data uploads with screenshot evidence, and productivity monitoring that could show tax partners what preparers were actually doing during billed hours
Browser-Based Client Data Upload Detection
The core capability the firm needed: AI screen auditing that could detect when a preparer had a client file open alongside a personal cloud upload window — and preserve the screenshot as evidence. The tax partner writes rules in plain English: "flag any screenshot showing a client tax file open alongside a personal cloud upload window." The IT administrator deploys the rule from the server console the same day.
Tax Season Productivity Visibility
The tax partners wanted data on what preparers were actually doing during billed hours. PrivateDLP's AI screen auditing captured screenshots approximately every minute and analyzed them for non-billable activity. The first report showed 28% non-billable time across the tax department — social media, streaming video, personal errands. The tax partners had something in writing for the first time.
Deployment: The Windows client was deployed across 80+ tax preparation workstations across the main office and two satellite locations. Screenshots are stored on the firm's own Windows server — which was a procurement requirement for the regulatory disclosure process. The tax partners own the productivity rule definitions. The IT administrator handles deployment and incident review.
Implementation & Key Capabilities
PrivateDLP gave the accounting firm two capabilities it didn't have before: browser-based client data upload detection with screenshot evidence, and productivity monitoring that tax partners could operate without vendor consultants
Browser-Based Client Data Upload Detection With Screenshot Evidence
The capability the firm was buying: AI screen auditing that could catch browser-based personal cloud uploads alongside open client files — with timestamped screenshot evidence for regulatory disclosure:
- Plain-language rule definition: A tax partner writes a rule like 'flag any screenshot showing a client tax file open alongside a personal cloud upload window' — no regex, no DLP consultant
- Screenshot evidence on demand: When a rule fires, the triggering screenshot is preserved — timestamped, linked to the workstation, available for regulatory review and compliance disclosure
- Customizable alert content: The IT administrator defines what the alert says and who receives it when specific rules are triggered — tax partner, compliance team, or both
- AI model flexibility: Screenshots are analyzed by their own LLM — all data stays within the firm's own server infrastructure
Tax Season Productivity Monitoring — In Plain English
The tax partners wanted visibility into what preparers were actually doing during billed hours. PrivateDLP's AI screen auditing provided it — with rules the tax partners wrote themselves:
- Plain-language productivity rules: The tax partner writes rules like 'flag any screenshot showing social media during work hours' or 'flag any screenshot showing streaming video during tax season'
- Role-specific baselines: Seasonal staff have their own baseline — what counts as productive versus non-billable is configured per role, not one rule for all preparers
- Department-level reporting: The AI produces a weekly breakdown by office and role — showing work time versus non-billable time, per preparer, during tax season
- Privacy-first design: Screenshots are deleted immediately after AI analysis unless a rule is triggered — protecting preparer privacy while providing the data the tax partners need
USB Controls With Tax Preparation Flexibility
The firm needed USB controls that wouldn't interfere with legitimate tax preparation workflows while blocking personal USB devices:
- Approved device whitelist: Only firm-approved encrypted USB devices used for legitimate tax preparation — external hard drives for client file backups, licensed software keys — are allowed. Personal devices are blocked.
- Department-based policies: Tax preparers have different USB policies than audit staff or administrative personnel — configured by role, not by individual
- Automatic device scanning: All USB devices undergo antivirus scanning upon insertion — preventing malware from entering the firm network through contaminated drives
- Audit trail for USB events: Every USB device connection is logged — user, timestamp, device ID — creating accountability for device usage during client engagements
On-Premises Screenshot Storage for Regulatory Disclosure
The regulatory disclosure process required evidence that the firm could produce quickly and reliably. PrivateDLP's storage options addressed the compliance requirement:
- On-premises screenshot storage: All screenshots are stored on the firm's own Windows server — not in a third-party cloud. This was a hard requirement for the firm's compliance and legal team.
- Chain of custody documentation: When a rule fires, the screenshot is preserved with full metadata — timestamp, workstation ID, user account, rule triggered — creating an auditable chain of custody.
- Retention and access controls: Screenshots are retained for 180 days on-premises, with role-based access controls — only the compliance team and designated partners can view incident screenshots.
- Regulatory-ready reporting: The IT administrator can generate a report showing all triggered rules, screenshots preserved, and actions taken — for IRS inquiries and state tax board reviews.
What Changed at the Firm
Three months after deployment — during the following tax season — the tax partners are writing their own productivity rules, the IT team has screenshot evidence on demand, and the compliance team has a documented incident response process for the next regulatory inquiry
| Metric / Objective | Before PrivateDLP | After PrivateDLP |
|---|---|---|
Browser-Based Client Data Upload Detection | USB blocklist showed nothing; the Google Drive uploads were discovered from a client calling to report receiving someone else's tax return, not from any internal alert | 1 confirmed personal cloud upload violation in the first 60 days — a preparer uploading client W-2s to personal Dropbox before leaving for another firm |
Tax Season Productivity Visibility | The tax partners knew productivity varied during tax season but had no data — only anecdotal observations from managers | AI productivity reports showed 28% average non-billable time across the tax department — with three preparers consistently above 40% during peak season |
Regulatory Disclosure Evidence | System logs showed workstation activity but not what files were opened, uploaded, or transferred — the IRS inquiry took three weeks to answer | Screenshot evidence is preserved at the moment of rule violation — timestamped, linked to the workstation and user account, available for the next regulatory inquiry |
Productivity Rule Deployment Time | New productivity rules required a vendor consultant and regex expertise — the tax partners couldn't write or update rules without IT support and vendor engagement | The tax partner writes rules in plain English; the IT administrator deploys them from the server console in under an hour. First rule was deployed within the first week |
"The thing that opened the conversation with our compliance team wasn't about us having a data breach. It was about us having no way to prove we hadn't — or to show what actually happened. When the IRS inquiry came, we could show them system logs that said the preparer's workstation had been active. We couldn't show them what she'd actually done with the files. That was the moment our IT director understood what we were missing. The screenshot evidence is what makes this work for an accounting firm. The next time an inquiry comes, we can show them exactly what happened."
"I wrote the first rule myself. The IT team didn't have to call a vendor or build a regex pattern. I just said 'flag any screenshot showing a client tax file open next to a personal cloud upload window' and they deployed it the same afternoon. Three months in, I've written rules for personal cloud uploads with client data visible, streaming video during tax season, and social media during work hours. The IT team is happy because I'm not asking them to build custom DLP policies. I'm happy because I actually have visibility into what my preparers are doing during billed hours. The part that made this procurementable for an accounting firm: screenshots don't leave our infrastructure. Our compliance team and legal counsel asked about that specifically."
The firm's deployment is scoped to 80+ tax preparation workstations across the main office and two satellite locations — managed from a single Windows server, with screenshot storage on the firm's own infrastructure. The tax partners own the productivity rule definitions. The IT administrator handles deployment and incident review. The arrangement is self-sustaining: when a new concern emerges during tax season, the tax partner writes the rule and the IT administrator deploys it the same day.
What the firm bought wasn't a full security overhaul. It was a tool that fit two specific gaps: screen-level visibility on tax preparation workstations where client files live, and productivity monitoring that the tax partners could actually operate without calling a vendor consultant. The deployment stayed within the firm's budget, server infrastructure, and compliance procurement requirements — and it gave the tax partners something they'd never had before: their own rule set, deployed without waiting for IT vendor engagement.