IRS Updates WISP Guide for Tax Pros

A newly updated Written Information Security Plan (WISP) is now available from the IRS, designed to help protect tax professionals against continuing threats from identity thieves and data breaches.

The updated 28-page template, “Publication 5708, Creating a Written Information Security Plan for Your Tax & Accounting Practice,” was announced by the agency and its Security Summit partners—representatives of state revenue departments and the tax industry—on Aug. 13 as part of their “Protect Your Clients; Protect Yourself” security campaign for tax professionals.

The result of a yearlong effort, the new WISP is an easy-to-understand guide developed by and for paid tax preparers and CPAs, particularly those who work in smaller practices, to keep customer and business information safe and secure.

This new iteration of the WISP includes several information updates since the first version was released in 2022. The new version highlights best practices for implementing multifactor authentication for any individual accessing any information system, unless their qualified individual has approved in writing the use of reasonably equivalent or more secure access controls, the IRS said.

In addition, tax professionals now need to report a security event affecting 500 or more people to the Federal Trade Commission (FTC) as soon as possible, but no later than 30 days from the date of discovery. Tax professionals also must report the incident to an IRS stakeholder liaison and state tax authorities.

Danny Werfel

“Tax professionals play a vital role in the nation’s tax system, and they hold a vast amount of taxpayer information that can be a treasure trove to identity thieves,” IRS Commissioner Danny Werfel said in a statement. “The newly updated Written Information Security Plan provides a helpful road map for tax pros to help protect their clients and themselves from the constant threat of data breaches. The IRS and the Security Summit partners urge tax pros to stay on top of these evolving threats, and this updated plan is an important part of that effort.”

Federal law mandates that all professional tax preparers create and implement a data security plan.

The Gramm-Leach-Bliley Act requires financial institutions to protect customer data, and under this law, tax and accounting professionals are considered “financial institutions,” regardless of their practice’s size. In its implementation of this law, the FTC issued measures required to keep customer data safe, and one requirement is implementing a WISP.

As a part of the plan, the FTC requires each firm to:

Designate one or more employees to coordinate its information security program.
Identify and assess risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks.
Design and implement a safeguards program and regularly monitor and test it.
Select service providers that can maintain appropriate safeguards by ensuring the contract requires them to maintain safeguards and oversee their handling of customer information.

“Evaluate and adjust the program considering relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring,” the IRS said.

The WISP, available in Publication 5708, begins with the basics. It walks users through getting started on a plan, including understanding security compliance requirements and professional responsibilities. It continues with an outline for a basic WISP and a sample template. The sample is not intended to be the final word on written security plans, but it’s intended to give tax professionals a place to start in understanding and attempting to draft a plan for their business, the IRS said.

Throughout the process, tax professionals are reminded that a security plan should be appropriate to the firm’s size, scope of activities, complexity, and the sensitivity of the customer data it handles.

“There is no one-size-fits-all WISP,” the IRS said.

The agency also reminds tax professionals that a WISP is just one part of what they need to protect their clients and themselves. Given the rapidly evolving nature of threats, the IRS and its Security Summit partners recommend that tax professionals consult with technical experts to help with security issues and safeguard their systems.

According to the IRS, a good WISP focuses on three areas:

Employee management and training;
Information systems; and
Detecting and managing system failures.

The IRS also recommends tax professionals create a data theft response plan, which includes contacting their IRS stakeholder liaison to report a security incident. Tax professionals can also share information with the appropriate state tax agency by visiting a special Report a Data Breach page with the Federation of Tax Administrators.

Tax professionals should also understand the FTC data breach response requirements as part of their overall information and data security plan. The new WISP also includes information on the requirement to report an incident to the FTC when 500 or more people are affected within 30 days of the incident.

As part of legal requirements to implement and maintain a WISP in their practices, tax professionals need to have it in a written form that’s accessible. In addition, they are recommended to review, test, and update their WISPs, the IRS said.

“It’s more important than ever for tax pros to protect their data, passwords, and other information,” said Kimberly Rogers, director of the IRS Return Preparer Office and co-chair of the Security Summit’s Tax Pro Working Group. “The updated Written Information Security Plan is a result of months of work by tax professionals across the country. The Security Summit members worked together on this plan to make it easier for all tax professionals to develop a plan and an approach that is right for them.”