What Does Publication 4557 Say About Safeguarding Data?

IRS Publication 4557 outlines data security duties for tax preparers. This guide explains how to translate these rules into a formal, actionable program.

IRS Publication 4557, “Safeguarding Taxpayer Data,” gives tax preparers a framework for protecting sensitive client information. The publication helps preparers comply with the Federal Trade Commission (FTC) Safeguards Rule, which implements parts of the Gramm-Leach-Bliley Act. That rule requires financial institutions, including tax professionals, to create and maintain a comprehensive security plan to protect consumer data. Following Publication 4557 helps a practice defend against the theft of Social Security numbers, bank details, and other personal information, and in doing so helps maintain client trust.

Who Must Comply with Publication 4557

The guidance in Publication 4557 applies to any individual or firm that prepares federal tax returns for compensation. This includes Certified Public Accountants (CPAs), enrolled agents, attorneys, and preparers in the IRS Annual Filing Season Program. The FTC’s definition of a “financial institution” under the Safeguards Rule explicitly includes professional tax preparers. The rules apply equally to all business sizes, from a sole practitioner to a large accounting firm, and cover anyone who is an authorized IRS e-file provider. Failure to comply can be treated as a violation of IRS Revenue Procedure 2007-40.

Core Components of a Written Security Plan

A Written Information Security Plan (WISP) is a requirement of the FTC Safeguards Rule, and Publication 4557 provides a roadmap for its creation. The plan documents how a tax practice protects client data and is organized around three categories of safeguards that address potential vulnerabilities.

Technical Safeguards

Technical safeguards are the protections applied to the computer systems and networks that store or transmit taxpayer information. They include security software, such as firewalls to block unauthorized traffic and antivirus programs to remove malicious software, both of which should be configured to update automatically. Strong password policies are also required: passwords should be complex, changed regularly, and never reused. Publication 4557 emphasizes using multi-factor authentication (MFA) wherever it is available, especially for email and tax software access. MFA adds a second layer of security beyond the password, such as a one-time code sent to a mobile device. Encryption is another focus: sensitive files should be stored and transmitted in a form that is unreadable to anyone without authorized access.

Physical Safeguards

Physical safeguards involve securing the tangible locations where taxpayer data is stored, including paper records and client organizers. The plan must detail procedures for securing office spaces, such as locking doors and setting alarms when the office is unoccupied. Inside the office, sensitive documents should be kept in locked file cabinets or rooms with restricted access. A “clean desk” policy is a recommended practice where employees clear their desks of sensitive papers at the end of the day. The plan must also address the secure destruction of data, with procedures for shredding paper documents and permanently erasing or destroying old computer hard drives before disposal.

Administrative Safeguards

Administrative safeguards are the management-level policies that govern a firm’s security practices. A primary step is to designate an employee or team to oversee the information security program. This coordinator leads the development of a formal risk assessment, which involves identifying foreseeable internal and external threats to client data, assessing their potential impact, and evaluating the sufficiency of current controls. The results of this assessment form the basis for the WISP. Other controls include comprehensive employee training on security policies and common cyber threats like phishing, along with background checks for employees who will have access to sensitive information. The plan must be regularly monitored and updated at least annually or when significant business changes occur.

Procedures for a Data Breach

Even with a strong security plan, data breaches can happen. Publication 4557 outlines a response protocol that begins with containing the breach and determining what information was compromised. Once data theft is suspected or confirmed, the firm must make several notifications to regulatory bodies, law enforcement, and affected individuals.

A tax professional must first contact their local IRS Stakeholder Liaison so the agency can monitor for fraudulent tax filings. The firm must also notify several other parties:

  • Local law enforcement to create an official police report of the crime.
  • Federal law enforcement, such as the FBI or Secret Service, depending on the scale of the breach.
  • The Federal Trade Commission (FTC) for any breach affecting 500 or more consumers. This report must be made no later than 30 days after discovery.
  • All clients whose information may have been compromised. State laws dictate the timing and content of these notices, which should explain the breach and how clients can protect themselves, such as by placing a fraud alert with credit reporting agencies.
  • The firm’s insurance carrier to understand coverage for breach response costs.