IR-2023-224, Nov. 28, 2023

WASHINGTON — As part of a larger effort to protect taxpayers against identity theft, the Internal Revenue Service and the Security Summit partners today reminded tax professionals to protect themselves and their clients' sensitive information, including putting in place written security plans and following new requirements to use multi-factor authentication.

Under updated standards set by the Federal Trade Commission, tax professionals now not only need to have a Written Information Security Plan (WISP), but they also need to use multi-factor authentication to protect taxpayer accounts and client information. To help tax professionals with this during National Tax Security Awareness Week, the IRS and the Security Summit partners will hold a special webinar on Nov. 30 to help tax professionals develop a security plan.

"Tax professionals play a key role in the nation's tax system, and it's critical that they take important steps to protect their systems from identity thieves," said IRS Commissioner Danny Werfel. "A system breach for a tax professional can be devastating not just to their business, but to their clients. The IRS and the Security Summit partners remind tax professionals to follow required guidelines, including developing a Written Information Security Plan, to protect themselves and their clients from identity thieves."

During National Tax Security Awareness Week, now in its eighth year, the Security Summit partnership of the IRS, state tax agencies and the nation's tax community works to raise awareness among taxpayers and tax professionals about the importance of safeguarding information to protect against identity theft. The Security Summit formed in 2015 to combat tax-related identity theft through better public-private sector coordination as well as strengthening internal protections in the tax community and raising public awareness about security threats.

With the holiday shopping season underway and tax season fast approaching, the Security Summit partners today alerted taxpayers and tax professionals during day 2 of the special week to take extra steps to protect their financial and tax information.

As the IRS and the Summit partners have strengthened their internal defenses in recent years to protect against fraud, identity thieves have increasingly focused on tax professionals as one of the ways to obtain sensitive taxpayer information in hopes of evading systemic defenses by the IRS and the tax community.

Tax pros are the first line of defense in protecting taxpayer information. The Summit partners highlighted several key steps that tax pros – regardless of the size of their practice – should take to protect their systems and comply with federal standards.

WISP, multi-factor authentication can help tax pros protect their clients, protect themselves

The IRS and Security Summit partners remind tax professionals that federal law requires them to have a written information security plan. The plans, called WISPs for short, provide a blueprint for security.

Members of the Summit's Tax Professional team developed a special document that allows practitioners to quickly develop their own WISP. This sample document, Written Information Security Plan (WISP) (PDF), provides a starting point for businesses large or small, and can be scaled for a company's size, scope of activities, complexity and customer data sensitivity.

There's not a one-size-fits-all WISP. For example, a sole practitioner can use a more abbreviated and simplified plan than a 10-partner accounting firm, which is reflected in the sample WISP from the Security Summit group.

Addressing security issues for a tax professional can be difficult and expensive. A WISP addresses risk considerations for inclusion in an effective plan and provides a blueprint of applicable actions in the event of a security incident, data loss or theft.

"We continue to see instances where tax professionals struggle to maintain security plans or know how to protect themselves against identity thieves and other fraudsters," said Kimberly Rogers, director of the IRS Return Preparer Office and co-chair of the Security Summit tax professionals working group. "This WISP document goes a long way in helping even the smallest tax professional firm protect themselves against security threats."

To help tax professionals learn more about these plans, the IRS and Summit partners plan a special webinar, Developing a Written Information Security Plan, WISP, at 10:30 a.m. ET, Nov. 30. Tax professionals can earn one continuing education (CE) credit by registering and attending.

The session will be conducted by the IRS and Jared Ballew, one of the Summit members who helped develop the WISP. Ballew serves as Vice President of Government Relations at Taxwell, representing Drake Software and TaxAct. He conducted special IRS Nationwide Tax Forum sessions this summer to standing-room-only audiences.

"These security plans provide valuable tips and information to help tax pros develop an effective plan that's appropriate for their business," Ballew said. "The Security Summit partners continue to urge tax pros to make sure they have a strong security plan in place, and the WISP is a great place to start for many practices."

Tax pros can also review IRS Publication 5709, How to Create a Written Information Security Plan for Data Safety (PDF), for more information on WISPs.

In addition to requirements to have a WISP, the IRS also reminds the tax community that the Federal Trade Commission this summer updated its safeguards standards and now requires tax professionals to use multi-factor authentication to protect client information. Multi-factor authentication provides an extra layer of security to ensure the proper people are accessing sensitive accounts and systems.

IRS Tax Pro Account: Another important line of defense

The IRS and Summit partners also emphasize that another way to help protect sensitive information from identity thieves is through secure online tools such as Tax Pro Account. These can manage client information to safeguard sensitive taxpayer and financial data from cyberthreats.

Tax Pro Account is a secure, mobile-friendly, digital, self-service application that enables tax professionals to act on a taxpayer's behalf, view the taxpayer's information and manage their authorization relationships more efficiently.

Tax professionals can use Tax Pro Account to send Power of Attorney and Tax Information Authorization requests directly to a taxpayer's individual IRS Online Account. Once the taxpayer approves the request, it's processed in real time — no faxing, mailing, uploading or long waits. Establishing a Tax Pro Account for your clients is easy, doesn't require forms, and eliminates risks associated with storing and sending paper records.

Visit the Tax Professionals page on IRS.gov to learn more about E-Services, Tax Pro Account, EINs, filing, forms, third party authorizations, and other safe and secure online tools to serve your clients.

Data breaches: What to do if a tax pro is victimized

The IRS also recommends tax professionals create an action plan to outline the steps to take in the event of a breach or data theft, in addition to the required information security plan. This will save valuable time should the worst occur.

A key component to an effective action plan is knowing who to contact. In addition to reporting data loss to the IRS, tax professionals should contact law enforcement, the appropriate states, clients and security professionals.

Places to get help from the IRS and law enforcement in case of a data breach:

IRS Stakeholder Liaison - The IRS recommends reporting data theft to the local Stakeholder Liaison first. Liaisons will notify IRS Criminal Investigation and others within the agency on the tax professional's behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients' names.
Federal Bureau of Investigation - the local office.
Secret Service - the local office (if directed).
Local police – to file a police report on the data breach.

Contacting states in which tax professionals prepare state returns:

Federation of Tax Administrators – Tax professionals can reach this special "report a data breach" web page for victim reporting guidance to the states.
State Attorneys General - most states require that the state attorney general be notified of data breaches.

Visit the National Tax Security Awareness Week 2003 page on IRS.gov for more details.

Additional resources

Publication 4557, Safeguarding Taxpayer Data (PDF)
Publication 5293, Data Security Resource Guide for Tax Professionals (PDF)
Publication 4524, Security Awareness for Taxpayers (PDF)
Tax professionals, individuals and businesses can find security recommendations by visiting Identity Theft Central at IRS.gov.
National Institute of Standards and Technology — Small Business Information Security: The Fundamentals (PDF)
Federal Trade Commission's Cybersecurity for Small Businesses
Stay connected to the IRS through subscriptions to e-News for Tax Professionals and social media.
Tax Talk Today highlights National Tax Security Awareness Week