The Internal Revenue Service (IRS) and Security Summit partners have introduced an updated Written Information Security Plan (WISP) to safeguard tax professionals from identity theft and data breaches. This 28-page template, outlined in Publication 5708, aims to simplify data security planning for tax professionals, particularly smaller practices, making it easier for them to comply with federal security regulations.
The new WISP is the result of a year-long collaboration between tax professionals and industry experts. It emphasizes the importance of implementing multi-factor authentication and mandates that any security incidents affecting 500 or more individuals be reported to the Federal Trade Commission (FTC) within 30 days. This requirement is in addition to notifying IRS Stakeholder Liaisons and state tax authorities.
IRS Commissioner Danny Werfel stressed the critical role tax professionals play in safeguarding taxpayer information, which is highly valuable to identity thieves. The updated WISP is a vital tool in helping tax professionals protect their clients and themselves from the growing threat of data breaches. The document is part of a broader "Protect Your Clients; Protect Yourself" campaign, now in its ninth year, which offers timely tips for securing sensitive data.
The Security Summit, a partnership between tax professionals, industry partners, state tax agencies, and the IRS, has been working since 2015 to combat tax-related identity theft and fraud. This summer, the updated WISP and related security tips are being highlighted at the Nationwide Tax Forum, a series of continuing education events for tax professionals across five U.S. cities.
The updated WISP includes a straightforward guide to creating a security plan, starting with understanding compliance requirements and professional responsibilities. Throughout the process, tax professionals are reminded that a security plan should be appropriate to the company’s size, scope of activities, complexity and the sensitivity of the customer data it handles. There is no one-size-fits-all WISP.
Under the Gramm-Leach-Bliley Act (GLBA), tax professionals are considered financial institutions and are legally required to implement a data security plan. The FTC mandates that these professionals designate employees to oversee their security programs, assess risks, implement safeguards, and regularly monitor and adjust their security measures as needed.
In the event of a security breach, the IRS advises tax professionals to have a response plan in place. This includes promptly reporting incidents to the IRS, state tax agencies, and the FTC. The updated WISP provides detailed guidance on these reporting requirements, reinforcing the importance of a proactive approach to data security in the tax profession.