
A Written Security Plan is Required – Do You Have One?

April 28, 2025

As a tax professional, you are legally required under the FTC Safeguards Rule to maintain a Written Information Security Plan (WISP). This plan outlines the policies and procedures your business or firm follows to safeguard taxpayer data, assess risks, and respond to cybersecurity threats.

Why a WISP is Essential

A well-documented WISP helps you:

  • Identify potential security risks to client data.
  • Outline the safeguards that prevent data breaches.
  • Ensure compliance with IRS and FTC data protection requirements.
  • Provide a clear response plan in the event of a security incident.

What Your WISP Should Include

  1. Risk Assessment – Identify internal and external risks to client data.
  2. Safeguards and Controls – Define security measures such as encryption, firewalls, access controls, and multi-factor authentication (which the Safeguards Rule specifically requires for access to customer information).
  3. Data Handling Policies – Establish rules for data storage, access, and disposal.
  4. Incident Response Plan – Outline steps for responding to breaches, including reporting procedures and client notifications.
  5. Employee Training – Train staff on security best practices and phishing awareness.
  6. Regular Security Reviews – Schedule periodic audits and updates to keep your plan current.

Failure to Have a WISP Can Lead to Serious Consequences

Non-compliance with federal security rules can result in fines, legal actions, and reputational damage. More importantly, failing to secure taxpayer data can put your clients at risk for identity theft and fraud.

If you don’t have a WISP yet, now is the time to create one. The IRS and FTC provide guidance on developing a strong security plan.

Protect your business. Protect your clients. Get your security plan in place today.

Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice
Publication 4557, Safeguarding Taxpayer Data: A Guide for Your Business