Specially designed Security Summit plan helps tax pros protect data; summer security series begins

IR-2023-129, July 18, 2023

WASHINGTON — Kicking off an annual education effort, the Internal Revenue Service and its Security Summit partners today encouraged tax professionals, especially smaller practices, to take advantage of its security plan template designed to make data security planning easier.

The Written Information Security PlanPDF or WISP is a 28-page, easy-to-understand document developed by and for tax and industry professionals to keep customer and business information safe and secure.

The Security Summit - including tax professionals, industry partners, state tax groups and the IRS - developed the WISP. Summit members will highlight the template at each of the five IRS Nationwide Tax Forums to be held this summer throughout the U.S.

This is the opening news release in a five-part "Protect Your Clients; Protect Yourself" summer series from the Security Summit, a public-private partnership that works to protect the tax system against tax-related identity theft and fraud.

The news release series and the IRS Tax Forums will provide important information to help protect sensitive taxpayer data that tax professionals hold while also protecting their business from identity thieves. This marks the eighth year that the Security Summit partners have worked to raise awareness about these issues through the "Protect Your Clients; Protect Yourself" campaign.

"Tax professionals form a critical part of the defense against identity thieves and scammers," said IRS Commissioner Danny Werfel. "The IRS and Security Summit partners remain vigilant to emerging identity theft schemes and scams, but tax professionals following the steps outlined in the security plan will provide valuable protection to their practices as well as their clients."

Knowing that tax professionals play a critical role in our nation's tax system, the Summit – led by the Tax Professionals Working Group – spent months developing the WISP, including a special sample document that allows tax professionals to quickly focus on developing their own written security plans.

"It's more important than ever for tax pros to protect their data, passwords and other information," said Kimberly Rogers, director of the IRS Return Preparer Office and co-chair of the Summit's Tax Pro Working Group. "With cyberattacks against tax professionals continuing, having a sound security plan makes not only good business sense, it's also the law. But knowing where to start can be challenging. The Security Summit members worked together on this plan to make it easier for all tax professionals to develop an approach that is right for them."

Given the importance of security plans, the WISPs will be a special focus at the IRS Nationwide Tax Forums this year. The forums continue next week in Atlanta followed later in the summer in the Washington, D.C. area., San Diego and Orlando. The IRS reminds tax pros that registration deadlines are quickly approaching for several of the forums.

"These security plans provide valuable tips and information to help tax pros develop an effective plan that's appropriate for their business," said Jared Ballew, who was one of the Summit members who helped develop the WISP. Ballew serves as Vice President of Government Relations at Taxwell, representing Drake Software and TaxAct and will be leading the Tax Forum sessions on the WISP. "The Security Summit partners continue to urge tax pros to make sure they have a strong security plan in place, and the WISP is a great place to start for many practices."

The basics of a WISP

The WISP, available on IRS.gov and in Publication 5708PDF, begins with the basics. It walks users through getting started on a plan, including understanding security compliance requirements and professional responsibilities. It continues with an outline for a basic WISP and a sample template. The sample is not intended to be the final word in written security plans, but it is intended to give tax professionals a place to start in understanding and attempting to draft a plan for their business.

Throughout the process, tax pros are reminded that a security plan should be appropriate to the company's size, scope of activities, complexity and the sensitivity of the customer data it handles. There is no one-size-fits-all WISP.

The IRS also reminds tax professionals that a WISP is just one part of what they need to protect their clients and themselves. Given the rapidly evolving nature of threats, the Summit also strongly encourages tax professionals to consult with technical experts to help with security issues and safeguard their systems.

A good WISP focuses on three areas:

  • Employee management and training.
  • Information systems.
  • Detecting and managing system failures.

Tax pros required to have a security plan under the law

There are many aspects to running a successful business in the tax preparation industry, including reviewing tax law changes, learning software updates as well as managing and training staff. One often overlooked but critical component is creating a WISP. However, federal law requires all professional tax preparers to create and implement a data security plan.

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer data. Under this law, tax and accounting professionals are considered financial institutions, regardless of size. In its implementation of this law, the Federal Trade Commission (FTC) issued measures required to keep customer data safe. One requirement is implementing a WISP.

As a part of the plan, the FTC requires each firm to:

  • Designate one or more employees to coordinate its information security program.
  • Identify and assess the risks to customer information in each relevant area of the company's operation and evaluate the effectiveness of the current safeguards for controlling these risks.
  • Design and implement a safeguards program and regularly monitor and test it.
  • Select service providers that can maintain appropriate safeguards by ensuring the contract requires them to maintain safeguards and oversee their handling of customer information.
  • Evaluate and adjust the program considering relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.

Tax pro with a security problem? Contact an IRS Stakeholder Liaison

As part of a security plan, the IRS also recommends tax professionals create a data theft response plan, which includes contacting their IRS Stakeholder Liaison to report a theft. Tax professionals should also understand the FTC data breach response requirementsPDF as part of their overall information and data security plan.

Additional resources