IRS WISP Requirements for Tax Professionals

Fulfill your federal obligation by translating complex IRS data security rules into a practical, compliant plan for safeguarding sensitive client information.

A Written Information Security Plan (WISP) is a document detailing how a business protects client information. For tax professionals, a WISP is a legal obligation under the Gramm-Leach-Bliley (GLB) Act. The Federal Trade Commission’s (FTC) Safeguards Rule implements this act, classifying tax preparers as financial institutions and outlining specific data security requirements that were updated in 2023. The plan serves as a roadmap for protecting confidential information against unauthorized access, theft, or misuse.

Core Components of a Written Information Security Plan

A compliant WISP must be built around a thorough risk assessment, which involves identifying foreseeable risks to client data. The assessment should evaluate potential threats in three areas: physical, administrative, and technical. Physical risks include unsecured file cabinets or unauthorized office access, while administrative risks involve gaps in employee policies and technical risks pertain to software or network vulnerabilities.

The WISP must outline procedures for vetting employees with access to sensitive information and require them to sign confidentiality agreements. It must also include a continuous security training program to educate staff on current threats, like phishing scams, and the firm’s data handling policies.

The plan must detail the safeguards for all information systems. This includes documenting access controls to limit data access to authorized personnel only. The WISP should specify the use of encryption for data in transit and at rest, and establish policies for secure data disposal, like shredding paper records and erasing electronic files.

The WISP should describe the tools and procedures used to monitor the firm’s network for suspicious activity, such as intrusion detection systems. It must also establish a policy for logging security events and reviewing those logs regularly to identify potential threats or system weaknesses.

The plan must address the oversight of third-party service providers. If a firm shares client data with external vendors like cloud storage providers, the WISP must require a due diligence process. This involves verifying that these providers also maintain appropriate safeguards, as the firm remains responsible for its client data.

Creating and Implementing Your WISP

The first step is to designate one or more qualified individuals to oversee the security program. In a larger firm, this could be a partner or IT specialist; in a sole proprietorship, the owner fills this role.

The next step is to draft the document. While templates from the IRS or software vendors are a good starting point, the WISP must be customized to the firm’s specific size and operations. The document should detail the firm’s unique risks and the controls implemented to mitigate them.

Once written, the WISP must be put into action by integrating its policies into daily operations. This includes training all employees on their responsibilities under the plan. It may also involve deploying new security software or updating physical access protocols as outlined in the document.

A WISP is a living document that requires periodic review and updates. This should occur at least annually or whenever significant changes happen, such as hiring new employees or adopting new technologies.

Responsibilities After a Data Breach

In the event of a data breach, the first step is to take immediate action to contain it, which may require disconnecting affected computers from the network. A firm should also engage a cybersecurity expert to determine the cause and scope of the breach. Documenting every step taken is necessary for regulatory reporting and insurance claims.

Data theft must be reported to the IRS as soon as possible by contacting the local IRS Stakeholder Liaison. If notified quickly, the IRS can take measures to block fraudulent tax returns from being filed with the stolen information. The liaison will notify IRS Criminal Investigation on the preparer’s behalf.

The firm must also report the incident to law enforcement. A report should be filed with local law enforcement, which may be needed for insurance purposes, as well as with the local office of the Federal Bureau of Investigation (FBI). If a data breach affects 500 or more individuals, the firm must also report the incident to the Federal Trade Commission (FTC).

Most states have their own data breach notification laws that require reporting to state authorities, such as the Attorney General. Tax preparers must comply with the laws in every state where they prepare returns. The Federation of Tax Administrators maintains a resource to help find the correct state agencies.

The firm must also notify all clients who may have been affected. The timing of this communication may need to be coordinated with law enforcement to avoid compromising an investigation. The notification should explain the breach and provide clients with steps to protect themselves, such as monitoring their credit.
