Gottagopestcontrol

IRS updates WISP guide for tax professionals

A newly updated Written Information Security Plan (WISP) is now available from the IRS to protect tax professionals from ongoing threats of identity theft and data breaches.

The updated 28-page template, “Publication 5708, Creating a Written Information Security Plan for Your Tax and Accounting Practice,” was announced by the agency and its partners at the Security Summit — representatives of state tax offices and the tax industry — on August 13 as part of its “Protect Your Clients; Protect Yourself” security campaign for tax professionals.

The new WISP is the culmination of years of work and is an easy-to-understand guide developed by and for paid tax preparers and certified public accountants (CPAs), particularly those working in smaller practices, to ensure the security of client and business information.

The new version of the WISP includes several updates since the first version was released in 2022. These include highlighting best practices for implementing multifactor authentication for any person accessing an information system unless the qualified person has agreed in writing to use reasonably equivalent or more secure access controls, the IRS said.

In addition, tax professionals must now report a security incident affecting 500 or more people to the Federal Trade Commission (FTC) as soon as possible, but no later than 30 days after discovery. Tax professionals must also report the incident to an IRS agent and state tax authorities.

“Tax professionals play a vital role in the nation’s tax system and hold a vast amount of taxpayer information that can be a treasure trove for identity thieves,” IRS Commissioner Danny Werfel said in a statement. “The newly updated written information security plan provides tax professionals with a helpful guide to protect their clients and themselves from the constant threat of data breaches. The IRS and Security Summit partners urge tax professionals to stay on top of these evolving threats, and this updated plan is an important part of that effort.”

Federal law requires all professional tax preparers to develop and implement a data security plan.

The Gramm-Leach-Bliley Act requires financial institutions to protect customer data. Under this law, tax and accounting professionals are considered “financial institutions” regardless of the size of their practice. In implementing this law, the FTC enacted measures necessary to protect customer data. One of these requirements is the implementation of a WISP.

As part of the plan, the FTC requires each company to:

  • Assign one or more employees to coordinate your information security program.
  • Identify and assess risks to customer information in all relevant areas of company operations and evaluate the effectiveness of current security measures to control those risks.
  • Design and implement a security program and monitor and test it regularly.
  • Select service providers that can provide appropriate security measures by ensuring that their contracts require them to implement security measures and monitor their handling of customer information.

“Evaluate and adjust the program taking into account relevant circumstances, including changes in the company’s business or operations or the results of security testing and monitoring,” the IRS said.

The WISP, available in Publication 5708, starts with the basics. It walks users through the first steps in creating a plan, including understanding security compliance requirements and job responsibilities. It then provides an outline for a basic WISP and a sample template. The template is not intended to be the final word on written security plans, but rather to provide tax professionals with a starting point for understanding and attempting to draft a plan for their business, the IRS said.

Throughout the process, tax professionals are reminded that a security plan should be appropriate to the size of the company, the scope of its activity, and the complexity and sensitivity of the customer data it processes.

“There is no one-size-fits-all WISP,” the IRS said.

The agency also reminds tax professionals that a WISP is only part of what they need to protect their clients and themselves. Given the rapidly evolving nature of threats, the IRS and its Security Summit partners recommend tax professionals consult technical experts to help with security issues and protect their systems.

According to the IRS, a good WISP focuses on three areas:

  • Employee management and training;
  • Information systems; and
  • Detecting and resolving system failures.

The IRS also recommends that tax professionals create a data breach response plan, including contacting their IRS stakeholder contact to report a security incident. Tax professionals can also report information to the appropriate state tax authority by visiting a dedicated data breach reporting page at the Federation of Tax Administrators.

Tax professionals should also familiarize themselves with the FTC’s data breach response requirements as part of their comprehensive information and data security plan. The new WISP also includes information on the requirement to report an incident affecting 500 or more individuals to the FTC within 30 days of the incident.

As part of the legal requirements to implement and maintain a WISP in their practice, tax professionals must have it in a written, accessible form. In addition, they are encouraged to review, test and update their WISPs, the IRS said.

“It’s more important than ever for tax professionals to protect their data, passwords and other information,” said Kimberly Rogers, director of the IRS Return Preparer Office and co-chair of the Security Summit’s Tax Pro Working Group. “The updated Written Information Security Plan is the result of months of work by tax professionals across the country. Security Summit members worked together on this plan to make it easier for all tax professionals to develop a plan and approach that is right for them.”
