IRS, Security Summit release new Written Information Security Plan to help tax pros protect against identity thieves, data risks

 

Week 6 of Protect Your Clients; Protect Yourself series highlights tips that tax pros can take

IR-2024-208, Aug. 13, 2024

WASHINGTON — The Internal Revenue Service and the Security Summit partners today announced the availability of a new, updated Written Information Security Plan designed to help protect tax professionals against continuing threats from identity thieves and data breaches.

As part of a special eight-part series, the IRS and Summit partners highlighted the newly updated Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice. This Written Information Security Plan, or WISP, is a 28-page template designed to help tax pros, particularly smaller practices. The WISP has been updated and expanded to make data security planning easier.

The new WISP, the result of a year-long effort, is an easy-to-understand document developed by and for tax and industry professionals to keep customer and business information safe and secure. Tax pros are required to have a security plan under federal law.

The new version of the WISP includes several updates made since the first version came out. Among them, it highlights best practices for implementing multi-factor authentication for any individual accessing any information system, unless their qualified individual has approved in writing the use of reasonably equivalent or more secure access controls.

In addition, tax pros now need to report a security event affecting 500 or more people to the Federal Trade Commission (FTC) as soon as possible, but no later than 30 days from the date of discovery. This is in addition to reporting the incident to an IRS Stakeholder Liaison and state tax authorities.

“Tax professionals play a vital role in the nation’s tax system, and they hold a vast amount of taxpayer information that can be a treasure trove to identity thieves,” said IRS Commissioner Danny Werfel. “The newly updated Written Information Security Plan provides a helpful road map for tax pros to help protect their clients and themselves from the constant threat of data breaches. The IRS and the Security Summit partners urge tax pros to stay on top of these evolving threats, and this updated plan is an important part of that effort.”

This marks the sixth part of a special summer news release series focused on tax professional security. Now in its ninth year, the Protect Your Clients; Protect Yourself campaign provides timely tips to help protect sensitive taxpayer data that tax professionals hold while also protecting their own businesses from identity thieves.

This is part of an annual education effort by the Security Summit, a group that includes tax professionals, industry partners, state tax agencies and the IRS. The public-private partnership has worked since 2015 to protect the tax system against tax-related identity theft and fraud.

These security tips and the newly updated WISP are a key focus of the Nationwide Tax Forum, being held this summer in five cities throughout the U.S. In addition to the series of eight news releases, the tax professional security component is featured at the three-day continuing education events. The forums continue this week in Baltimore, as well as the weeks of August 19 in Dallas and September 9 in San Diego. The IRS reminds tax pros that registration deadlines are quickly approaching for the Dallas forum, as San Diego has already sold out.

The forums will feature several specific sessions to help educate the tax professional community on security-related topics. Tax professionals will hear from experts at the IRS, the tax professional community as well as a special session from Salve Regina University’s Pell Center from Rhode Island.

In the remaining weeks, the news release series and the IRS Tax Forums will provide timely tips to help protect sensitive taxpayer data that tax professionals hold while also protecting their own businesses from identity thieves.

Tax professionals are required by law to secure their clients’ data, and to help them meet this obligation, the IRS and the Security Summit partners are advising them to use the WISP template designed to make data security planning easier.

Knowing that tax professionals play a critical role in our nation's tax system, the Summit – led by the Tax Professionals Working Group – spent months originally developing two publications: Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice, and Publication 5709, How to Create a Written Information Security Plan for Data Safety. Publication 5708 is the WISP, and Publication 5709 is a special summary flyer designed to be shared among the tax professional community.

“It’s more important than ever for tax pros to protect their data, passwords and other information,” said Kimberly Rogers, director of the IRS Return Preparer Office and co-chair of the Summit's Tax Pro Working Group. “The updated Written Information Security Plan is a result of months of work by tax professionals across the country. The Security Summit members worked together on this plan to make it easier for all tax professionals to develop a plan and an approach that is right for them.”

As part of legal requirements to implement and maintain a WISP in their practices, tax pros need to have it in a written form that’s accessible. In addition, it is recommended that tax professionals review, test and update their WISPs.

The basics of a WISP

The WISP, available in Publication 5708, begins with the basics. It walks users through getting started on a plan, including understanding security compliance requirements and professional responsibilities. It continues with an outline for a basic WISP and a sample template. The sample is not intended to be the final word on written security plans, but it is intended to give tax professionals a place to start in understanding and attempting to draft a plan for their business.

Throughout the process, tax pros are reminded that a security plan should be appropriate to the company’s size, scope of activities, complexity and the sensitivity of the customer data it handles. There is no one-size-fits-all WISP.

The IRS also reminds tax professionals that a WISP is just one part of what they need to protect their clients and themselves. Given the rapidly evolving nature of threats, the Summit also strongly encourages tax professionals to consult with technical experts to help with security issues and safeguard their systems.

A good WISP focuses on three areas:

  • Employee management and training;
  • Information systems;
  • Detecting and managing system failures.

Tax pros required by law to have a security plan

There are many aspects to running a successful business in the tax preparation industry, including reviewing tax law changes, learning software updates as well as managing and training staff. One often overlooked but critical component is creating a WISP. However, federal law requires all professional tax preparers to create and implement a data security plan.

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer data. Under this law, tax and accounting professionals are considered financial institutions, regardless of size. In its implementation of this law, the FTC issued measures required to keep customer data safe. One requirement is implementing a WISP.

As a part of the plan, the FTC requires each firm to:

  • Designate one or more employees to coordinate its information security program.
  • Identify and assess risks to customer information in each relevant area of the company's operation and evaluate the effectiveness of the current safeguards for controlling these risks.
  • Design and implement a safeguards program and regularly monitor and test it.
  • Select service providers that can maintain appropriate safeguards by ensuring the contract requires them to maintain safeguards and oversee their handling of customer information.
  • Evaluate and adjust the program considering relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.

Tax pro with a security problem? Contact an IRS Stakeholder Liaison, states and FTC

As part of a security plan, the IRS also recommends tax professionals create a data theft response plan, which includes contacting their IRS Stakeholder Liaison to report a security incident. Tax professionals can also share information with the appropriate state tax agency by visiting a special Report a Data Breach page with the Federation of Tax Administrators.

Tax professionals should also understand the FTC data breach response requirements as part of their overall information and data security plan. The new WISP also includes information on the requirement to report an incident affecting 500 or more people to the FTC within 30 days of the incident.

Additional resources

Tax professionals should also stay connected to the IRS through subscriptions to e-News for tax professionals and its social media sites.