Skip to main content

Tax Pros Urged To Have An Updated Written Information Security Plan

bg-149-tax-pros-urged-updated-written-security-plan

Identity thieves on the hunt for taxpayer data aren’t just targeting taxpayers, they’re going after the tax professionals, who hold enormous amounts of sensitive taxpayer data, in hopes of filing fraudulent tax returns. This year, the IRS has already received more than 250 reports of data breach incidents from tax professionals affecting approximately 200,000 clients.

Tax professionals are required by federal law to have written plans identifying foreseeable data security risks and safeguards, and a plan of action to take in the event of a security breach. The IRS also reminds taxpayers that additional safeguards, like multi-factor authentication (MFA), are required by federal law to better protect themselves and their clients. MFA provides an extra layer of security to ensure the proper people are accessing sensitive accounts and systems.

“Countering identity theft is a collective effort, and tax pros are the first line of defense when it comes to protecting taxpayer information,” said IRS Commissioner Danny Werfel. “Millions of taxpayers entrust their personal data to tax professionals, and we want to make it as easy as possible for tax pros to know what they need to do to keep themselves and their clients’ information safe. The Written Information Security Plan forms an essential part of the tax professionals’ defense against data breaches and identity thieves, helping protect their clients and protect themselves.”

The WISP, available in IRS Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice, walks tax professionals through the steps of assembling a plan, including understanding security compliance requirements and professional responsibilities. It also provides a sample template that tax professionals can use as they draft a plan for their business. The new version of the WISP, includes several updates, like highlighting best practices for implementing multi-factor authentication.

WISPs and MFA are crucial – and necessary

“This helpful guide with sample templates provides a starting point for businesses large or small, and can be scaled for a company's size, scope of activities, complexity and customer data sensitivity,” said Kimberly Rogers, the IRS Return Preparer Office director and co-chair of the Summit’s tax pro group. “There's not a one-size-fits-all WISP. A sole practitioner can use a more abbreviated and simplified plan than a 10-partner accounting firm. This flexibility is reflected in the sample policies and pre-populated templates included in the publication.”

Addressing security issues for a tax professional can be difficult and expensive. A WISP addresses risk considerations for inclusion in an effective plan and provides a blueprint of applicable actions in the event of a security incident, data loss or theft.

Tax pros can also review IRS Publication 5709, How to Create a Written Information Security Plan for Data Safety, for more information on WISPs.

In addition to requirements to have a WISP, the IRS also reminds the tax community that the Federal Trade Commission last year updated its safeguards standards and now require tax professionals to use MFA to protect client information. MFA, which can include sending text/SMS verification codes to a user or asking additional questions to confirm the identity of a person logging into a system, provides an extra layer of security to ensure the proper people are accessing sensitive accounts and systems.

IRS Tax Pro Account: Protects pros and their clients’ data and saves time, too

The IRS and Summit partners also emphasize another way to help protect sensitive information from identity thieves is through secure online tools such as the Tax Pro Account. These tools can help manage client information to safeguard sensitive taxpayer and financial data from cyberthreats.

The Tax Pro Account is a secure, mobile-friendly, digital, self-service application that enables tax professionals to act on a taxpayers' behalf, view the taxpayers' information and manage their authorization relationships more efficiently.

As part of IRS transformation efforts, the IRS will continue adding new features to the Tax Pro Account in the future to help tax professionals securely and efficiently serve their clients.

Currently, tax professionals can use Tax Pro Account to send Power of Attorney and Tax Information Authorization requests directly to a taxpayer's individual IRS Online Account. Once the taxpayer approves the request, it's processed in real time — no faxing, mailing, uploading or long waits.

Visit the Tax Professionals page on IRS.gov to learn more about E-Services, Tax Pro Account, Employer Identification Numbers, filing, forms, third-party authorizations as well as other safe and secure online tools to serve clients.

Places to get help in case of a data breach:

  • IRS Stakeholder Liaison – The IRS recommends reporting data theft to the local Stakeholder Liaison first. Liaisons will notify IRS Criminal Investigation and others within the agency on the tax professional's behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients' names.
  • Federal Trade Commission – Data breaches involving 500 or more people are now required to be reported to the FTC as soon as possible, but no later than 30 days from the date of discovery.
  • Federal Bureau of Investigation – the local office.
  • Secret Service – the local office (if directed).
  • Local police – to file a police report on the data breach.

Contacting states in which tax pros prepare state returns:

Additional resources

Contact Info

  •   8513 NE Hazel Dell Ave Suite 204
            Vancouver, WA 98665
  •   1 (800) 367-8130
  •   (360) 695-8309
  •   (360) 695-7115
  •   taxes@nstp.org

NSTP Swag

Visit our online store to pick up some NSTP swag!