Understanding Why WISP Matters in the Tax Preparation Industry

Tax preparers operate at the center of the nation’s tax system and handle some of the most sensitive customer data in existence. Social Security numbers, income records, tax returns, and financial account details are prime targets for cybercriminals. Because of this risk, federal law requires tax professionals to maintain formal safeguards to protect client data.

A Written Information Security Plan, commonly referred to as a WISP, is the foundational document that outlines how tax professionals protect customer information, prevent data theft, and respond to security incidents.

What Is a Written Information Security Plan (WISP)

A written information security plan is a documented security framework that explains how an organization protects sensitive information across people, processes, and technology. For tax preparers, a WISP is not optional. It is a legal requirement enforced through federal law and regulatory agencies.

A WISP addresses how client data is collected, stored, accessed, transmitted, and destroyed. It also defines how a firm responds to a data breach or security event.

Federal Law and Regulatory Oversight

The Federal Trade Commission classifies tax preparers and accounting firms as financial institutions under the Gramm-Leach-Bliley Act. As a result, the FTC Safeguards Rule applies directly to the tax preparation industry.

In addition, the Internal Revenue Service requires professional tax preparers to maintain a WISP and to report data theft and security incidents to the IRS Stakeholder Liaison and, when applicable, to state tax administrators.

Federal law requires that these safeguards be documented, implemented, and regularly reviewed.

Core WISP Requirements for Tax Preparers

A compliant WISP must include several critical components.

Tax preparers must conduct a documented risk assessment that evaluates threats to customer data, including internal and external risks, as well as vulnerabilities in systems and workflows.

The WISP must clearly define security policies related to access controls, authentication, encryption, and information security practices. These policies establish appropriate safeguards based on the company’s size, operation, and relevant circumstances.

Tax professionals must designate a qualified individual to oversee the information security program and ensure compliance with legal requirements.

The FTC Safeguards Rule Explained

The FTC Safeguards Rule requires financial institutions, including tax preparers, to implement and maintain a safeguards program designed to protect customer information.

The Safeguards Rule requires financial institutions to:

  • Develop written security plans
  • Identify and assess risks to customer data
  • Implement appropriate safeguards
  • Regularly monitor and test security controls
  • Adjust safeguards based on tax law changes and evolving threats

Failure to comply with the FTC Safeguards Rule exposes tax practitioners to regulatory penalties, legal liability, and reputational damage.

Protecting Client Data in Practice

Client data protection is a critical component of a successful business in the tax preparation industry. Protecting client data goes beyond documentation and requires enforceable cybersecurity measures.

Tax professionals must ensure that sensitive information is encrypted, access is limited to authorized users, and multi-factor authentication is in place for systems that handle taxpayer information.

Customer information must be stored securely, backed up regularly, and protected from unauthorized access. Firms must also ensure that service providers and software vendors maintain equivalent safeguards.

Data Security Plan and Safeguards Program

The data security plan acts as the operational layer of the WISP. It explains how the firm protects customer data on a day-to-day basis.

This plan must document how data is stored, transmitted, retained, and securely destroyed. It must also define procedures for managing and training staff, applying software updates, and conducting security testing.

A safeguards program ensures that policies are enforced through technical and administrative controls rather than existing only on paper.

Risk Assessment and Ongoing Monitoring

Risk assessment is not a one-time exercise. Tax professionals must regularly review risks related to data security, information systems, and evolving threats.

Regular monitoring helps identify security issues before they become incidents. Reviewing tax law and technology changes ensures that current safeguards remain effective.

Security testing, including access reviews and backup testing, helps confirm that the information security program works as intended.

Data Theft Response Plan and Incident Handling

Federal law requires tax preparers to maintain a documented data theft response plan. This plan outlines how the firm responds to a data breach, data theft, or security incident.

A proper response plan includes detection procedures, containment steps, communication requirements, and recovery actions. Tax professionals must be prepared to notify affected clients, tax administrators, and the IRS when necessary.

The IRS recommends that tax professionals treat incident response as a critical component of their overall security plan.

Staff Training and Internal Accountability

At least one employee must be trained to understand the firm’s security policies and incident response procedures. In firms with one or more employees, an ongoing staff training program is essential.

Managing and training staff reduces human error, a leading cause of data breaches in accounting firms and tax preparation offices.

Selecting and Managing Service Providers

Tax preparers must carefully select service providers who handle customer data or support information systems. The Safeguards Rule requires firms to evaluate whether vendors can maintain appropriate safeguards.

Service provider agreements should clearly define security responsibilities, data protection expectations, and breach notification requirements.

Legal Obligations and Enforcement Risk

WISP compliance is a legal obligation, not a best practice. Firms that fail to maintain safeguards risk enforcement action, insurance coverage denial, and loss of client trust.

Professional tax preparers play a vital role in protecting taxpayer information and maintaining confidence in the nation’s tax system.

WISP Templates and Practical Implementation

A WISP template can help structure documentation, but templates alone do not ensure compliance. Effective WISP implementation depends on whether sound policies align with the firm’s actual operations.

Information security is only adequate when policies, systems, and staff behavior work together.

Final Word on WISP Compliance for Tax Preparers

WISP requirements for tax preparers are clear and enforceable under federal law. A written information security plan is a critical component of protecting customer data, maintaining compliance, and sustaining a successful business.

Tax professionals who invest in strong information security programs reduce risk, improve resilience, and demonstrate accountability to clients and regulators alike.

Summit Team

We're the Summit team – cloud geeks, tech tinkerers, and security sleuths on a mission to keep your business running smoothly in and out of the cloud.