There's a saying something like "security through obscurity is no security".
IMHO it would be wise to not even touch other's personal information. But if must, then several layers of security should be used.
Maybe better on his own machine and sent as attachments, but if online at least keep the files outside of the web root
One or more name/password protections in place
Put the files up as late as possible and take them down as soon as possible
If he's a hard sell, ask how happy he'd be if his financial instition's website didn't use https and anyone could access his information.
Ask if he's prepared to be sued for not taking "due diligence" in the event of identity theft.