
Why your tax practice needs a written information security plan

By: NATP Staff

A Written Information Security Plan (WISP) is not optional for tax professionals. Federal law requires firms that handle sensitive taxpayer information to maintain a written and accessible data security plan designed to protect client data and reduce the risk of identity theft and data breaches. IRS Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice, provides guidance to help tax professionals understand these requirements and develop a plan that fits their practice. Under federal law, including the Gramm-Leach-Bliley Act and the Federal Trade Commission Safeguards Rule, tax professionals are classified as financial institutions for data security purposes. As a result, firms must create, implement and maintain a WISP that identifies risks, establishes safeguards and includes ongoing review procedures.

Core federal requirements for a WISP

Publication 5708 outlines several key elements that must be included in a compliant WISP. Firms must designate a qualified individual to oversee the security program and manage implementation. The plan must document:

  • A formal risk assessment identifying potential threats to the confidentiality and integrity of client information
  • How data is collected, stored and transmitted
  • The administrative, technical and physical safeguards the firm implements to protect taxpayer data
  • Safeguards that include access controls, secure networks, employee training and multifactor authentication, unless a qualified individual approves an equivalent security measure in writing
  • The procedures in place to regularly monitor and test safeguards to confirm they remain effective as threats evolve
  • The reasonable steps the firm takes to ensure that service providers who access client data maintain appropriate security measures
  • Data breach response and reporting requirements, including Federal Trade Commission notification obligations when a breach impacts 500 or more individuals

Practical components to include in your plan

In addition to the required elements, Publication 5708 recommends including practical documentation that supports daily operations. A WISP should inventory hardware, software and storage locations where sensitive information resides and explain how each is protected. Firms should document network security controls, password policies and remote access procedures. The plan should clearly outline breach detection, response and recovery steps, including internal escalation procedures and external reporting responsibilities. Employee agreements, training policies and acknowledgment requirements should be included to ensure staff understand and follow security expectations. Record retention and secure data disposal policies should also be documented to limit unnecessary data exposure.

Maintaining ongoing compliance

A WISP is a living document that requires regular review and updates. Firms should revisit their WISP when business operations change, new technology is introduced or testing reveals vulnerabilities. Ongoing reviews and adjustments help ensure continued compliance with federal requirements and support adequate protection of taxpayer data.

Learn how to make your WISP

Creating and maintaining a WISP is both a legal requirement and a professional responsibility for tax practitioners. A well-documented and regularly updated WISP helps protect client information, reduces exposure to data breaches and demonstrates a firm commitment to data security. IRS Publication 5708 provides a practical framework that enables firms of any size to develop a compliant plan tailored to their specific operations. NATP will offer an upcoming online workshop, Creating Your Firm’s WISP with Confidence, which provides practical guidance. Participants will receive a customizable template, examples written in plain English and checklists designed specifically for the tax preparation environment.

About the author(s)


NATP Staff

The NATP team is dedicated to supporting tax professionals with expert insights, industry updates, and resources that help them serve their clients with confidence.

Information included in this article is accurate as of the publication date. This post does not reflect tax law changes or IRS guidance that may have occurred after the publishing date.
