As the fight against identity theft and data breaches continues to intensify, the Internal Revenue Service (IRS) and its Security Summit partners have once again emphasized the critical importance of having a Written Information Security Plan (WISP) in place. This federally mandated plan helps tax professionals safeguard both their clients' sensitive data and their businesses from rising security threats.
The IRS has been offering ongoing support and resources to help tax professionals navigate the complexities of creating and maintaining a WISP. The latest announcement marks the third installment in the IRS’s summer security news release series, focusing on ways tax professionals can bolster their cybersecurity practices. Through this campaign, titled "Protect Your Clients; Protect Yourself," the IRS provides timely, actionable tips aimed at protecting sensitive taxpayer data and ensuring businesses remain secure from identity theft.
A WISP is not just a useful tool—it's a legal requirement for tax and accounting professionals. Under the Gramm-Leach-Bliley Act (GLBA), all financial institutions, including tax professionals, must implement a robust data security plan to protect customer information. The Federal Trade Commission (FTC) further mandates that firms take specific actions to meet compliance requirements.
Here’s a quick breakdown of the key actions that tax professionals must take under the GLBA:
- Designate an employee (or a team) to coordinate the firm’s information security program.
- Assess risks to customer information and evaluate the effectiveness of existing safeguards.
- Create, implement, and monitor a set of security protocols, regularly testing and refining them.
- Select service providers who can maintain proper security standards, with contracts that ensure compliance.
At its core, a solid WISP should cover three primary areas:
- Employee Management and Training
- Information Systems
- Detecting and Managing System Failures
The IRS’s Publication 5708, Creating a Written Information Security Plan for Your Tax & Accounting Practice, is an excellent resource for tax professionals, especially those running smaller practices. This 28-page guide provides a comprehensive WISP template, helping users understand security compliance and their professional responsibilities, step by step.
Tax professionals are legally required to have a written, accessible WISP, and it’s crucial that this plan is reviewed, tested, and updated regularly. As a practice grows or changes, adjustments should be made to ensure that the plan evolves in tandem with operational or security monitoring improvements.
Additionally, tax professionals should include a Data Theft Response Plan in their WISP. The IRS recommends that professionals have a strategy for handling data theft incidents, including promptly reporting them to the IRS Stakeholder Liaison and other relevant authorities. If a data breach affects 500 or more individuals, the FTC mandates that it be reported within 30 days.
As part of their ongoing efforts to educate tax professionals, the IRS is also incorporating these security strategies into its Nationwide Tax Forum, which is taking place in cities across the U.S. This year, the Forum includes a dedicated tax professional security component, offering valuable insight into best practices for protecting sensitive taxpayer data.
The Forum continues next week in New Orleans, with additional events planned for Orlando, Baltimore, and San Diego. This is an excellent opportunity for tax professionals to engage with experts, learn about new security measures, and ensure they are in full compliance with the latest regulations.
With cyber threats becoming increasingly sophisticated, it is more critical than ever for tax professionals to take proactive steps in protecting their clients’ information. The IRS’s emphasis on having a WISP is not just a legal obligation—it’s a crucial tool in the fight against data theft and identity fraud. By following the IRS’s guidelines, regularly reviewing security protocols, and attending events like the Nationwide Tax Forum, tax professionals can ensure they are doing everything in their power to secure both their clients’ data and their businesses.
For further details, tax professionals can consult the IRS’s resources, including Publication 5708 and the FTC’s data breach response requirements guide.