Security Summit partners urge tax pros to create plan for data safety

FS-2022-34, August 2022

With data security incidents continuing, the Internal Revenue Service, state tax agencies and the tax industry —– known as the Security Summit — urge tax professionals to develop a security plan.

Not only is a security plan good practice, but the IRS also reminds tax professionals that federal law, enforced by the Federal Trade Commission, requires all professional tax preparers to create and implement a written data security plan.

Each year, the Security Summit partners highlight a "Protect Your Clients; Protect Yourself" summer campaign aimed at tax professionals. This fact sheet complements a series of five news releases issued to coincide with the Nationwide Tax Forums, which helps educate tax professionals on security and other important topics.

There are many aspects to running a successful business in the tax preparation industry, including reviewing tax law changes, learning software updates and managing and training staff. One often overlooked but critical component is creating a Written Information Security Plan or WISP.

Having a WISP protects businesses and clients while providing a blueprint of action in the event of a security incident. In addition, a WISP can help if other events occur that can seriously disrupt a tax professional's ability to conduct normal business, including fire, flood, tornado, earthquake and theft.

It is often difficult to know where to start when developing a WISP. That is why the Security Summit, led by the Tax Professional Working Group, with input from the software and tax community, developed a plain language sample plan tax pros can use to make their own WISP. The sample planPDF is available on IRS.gov.

A security plan should be appropriate to the company's size, scope of activities, complexity and the sensitivity of the customer data it handles. There is no one-size-fits-all WISP. For example, a sole practitioner can use a more abbreviated and simplified plan than a 10-partner accounting firm.

Developing a WISP

A good WISP should focus on three areas:

  • Employee management and training.
  • Information systems.
  • Detecting and managing system failures.

A good resource is the FTC's Data Breach Response GuidePDF.

As a part of the plan, the FTC requires each firm to:

  • Designate one or more employees to coordinate its information security program.
  • Identify and assess the risks to customer information in each relevant area of the company's operation and evaluate the effectiveness of the current safeguards for controlling those risks.
  • Design and implement a safeguards program, and regularly monitor and test it.
  • Select service providers that can maintain appropriate safeguards.
  • Evaluate and adjust the program considering relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.

Follow-up

A good security plan requires regular maintenance and upkeep. Here are tips to keep a WISP effective:

  • Once completed, tax professionals should keep their WISP in a format that others can easily read, such as PDF or Word. Making the WISP available to employees for training purposes is also encouraged. Storing a copy offsite or in the cloud is a recommended best practice in the event of a physical disaster.
  • It is important to understand that a WISP is intended to be an evergreen document. It is important to regularly review and update any security plan, along with adjusting the plan to accommodate changes to the size, scope and complexity of a tax professional's business.
  • As part of a security plan, the IRS also recommends tax professionals create a data theft response plan, which includes contacting their IRS Stakeholder Liaison to report a theft. Also see the FTC data breach response requirementsPDF listed above.

Additional resources

Tax professionals also can get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer DataPDF, and Small Business Information Security: The FundamentalsPDF, by the National Institute of Standards and Technology. The IRS Identity Theft Central pages for tax pros, individuals and businesses have important details as well.

Publication 5293, Data Security Resource Guide for Tax ProfessionalsPDF, provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals and social media.