> Yeah define reasonable??? Well, in the end, 'reasonable' *should* mean that you've explained the options to the client, and *they* chose the level of security. Also meaning, they chose the costs involved (you haven't already included this in some other cost, have you?) Sure, if something goes wrong, they'll blame you anyway, but do the due diligence; try to get them to see their role in the choice. (Common mistake with this kind of thing is to think we have to provide the answer; much better to provide appropriate questions; see  below) A secure location on a web server, with PGP/GPG encryption, would make me comfortable with my tax forms being out there. I'll assume that if someone can hack the web server security *and* break GPG's encryption, they were gonna get it no matter what I did. GPG was free last time I used it, and it adds just enough extra effort to provide a convincing feeling of "I'm doing something important here" (which mentality is an important part of the security process.) It's not as fast, but a courier service could shuffle hard/digital copies for them. Pretty difficult to intercept a CD without robbing the courier. By the way, unless he was talking about having the partners sit together in the basement, I'm not sure how setting up a network in his basement would accomplish anything. Musta missed something. joel  Last company I worked at put me in charge of the business recovery plan. We came up with three levels of response (the 'zero loss' level, the 'quick recovery of the basics' level, and the 'hope and pray' level) and let upper management assess the risks vs. the costs, because in the end, it wasn't an IT/technical decision, it was an Ops/business decision. Puts the responsibility with the authority it's attached to.