Both taxpayers and the Internal Revenue Service depend on tax professionals doing their jobs in, well, a professional manner. A crucial part of the job is ensuring the security of clients’ tax information.
Security measures are particularly important as everyone — tax pros, taxpayers, and the IRS — increasingly rely on electronic methods to complete tax tasks. In fact, tax professionals are legally required to secure their clients’ data.
The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act after the names of its primary Congressional sponsors, mandates that financial institution companies ensure the security and confidentiality of any and all consumer information they collect. The Federal Trade Commission administers the law.
So what’s that got to do with tax pros? Paid tax preparers are included in the law's definition of financial institutions. I know, Congress.
But the upshot is that tax professionals must create a written security plan. And the IRS wants to help.
Security plan guideline: Under the FTC's rules, information security programs "must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue."
Tax data, obviously, is incredibly sensitive. And developing a plan for security issues, on top of all the other responsibilities tax professionals face, can be daunting.
So the IRS and its Security Summit partners — representatives of state revenue departments and the tax industry —created a have created a document guide tax pros through the many considerations needed to create a plan that protects their businesses, clients, and complies with federal law.
If’s officially known as IRS Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice. The document walks tax pros through development and implementation of the titular Written Information Security Plan, or WISP.
The IRS has updated the 28-page template to help tax pros, particularly smaller practices, understand security compliance requirements and professional responsibilities and make tax data security planning easier.
Updated security concerns: The IRS says the updated WISP is the result of a year-long effort, and includes several new information updates since the first version came out in 2022.
It now includes highlights of best practices for implementing multi-factor authentication for any individual accessing any information system. This is needed if the qualified individual doesn’t already have written approval for the use of reasonably equivalent or more secure access controls.
In addition, tax pros now need to report a security event affecting 500 or more people to the FTC as soon as possible, but no later than 30 days from the date of discovery. This is in addition to reporting the incident to an IRS Stakeholder Liaison and state tax authorities.
“Tax professionals play a vital role in the nation’s tax system, and they hold a vast amount of taxpayer information that can be a treasure trove to identity thieves,” said IRS Commissioner Danny Werfel in announcing the updated WISP.
The updated WISP, added the commissioner, “provides a helpful road map for tax pros to help protect their clients and themselves from the constant threat of data breaches. The IRS and the Security Summit partners urge tax pros to stay on top of these evolving threats, and this updated plan is an important part of that effort.”
WISP basics: If you’re a tax pro, or just a security conscious taxpayer, you can review the latest WISP at your leisure. But I did want to point out a few of the highlights.’
The sample plan in the IRS publication is not intended to be the final word on written security plans. Just as every taxpayer’s situation is unique, tax preparer operations also have their specific needs.
The IRS notes that there is no one-size-fits-all WISP. A security plan should be appropriate to the tax service’s size, scope of activities, complexity, and the sensitivity of the customer data it handles.
The IRS also reminds tax professionals that a WISP is just one part of what they need to protect their clients and themselves. Given the rapidly evolving nature of threats, the tax agency and Security Summit members encourage tax professionals to consult with technical experts to help with security issues and safeguard their systems.
A good place to start, says the IRS, is by making a solid assessment of your tax preparation business’ needs. You can start by focusing on three areas:
- Employee management and training;
- Information systems; and
- Detecting and managing system failures.
The IRS also recommends your security plan include a data theft response strategy, which includes the previously mentioned alerting of your IRS Stakeholder Liaison after a security incident.
And once you have a WISP in place, it’s a good idea to periodically evaluate and adjust the program considering relevant circumstances, such as changes in your firm's operations or business focus, or the results of security testing and monitoring.
Other security plan resources: In addition to the WISP guide, tax professionals can get help with security recommendations in IRS Publications 4557, Safeguarding Taxpayer Data; 5293, Data Security Resource Guide for Tax Professionals; 5293, Data Security Resource Guide for Tax Professionals; and the National Institute of Standards and Technology document on the fundamentals of small business information security.
All us taxpayers who are handing over our critical tax data to tax pros also need to be aware of tax security. A review of the WISP document can help us, too, as we work to avoid tax scams and identity theft schemes.
You also might find these items of interest:
- Be ready for the worst: Create a tax data theft recovery plan
- IRS employee misconduct cited in accessing taxpayer accounts
- Tax-exempt bond spear phishing effort is latest tax pro security threat
Advertisements
🌟 Search Amazon Electronics 🌟
The text link above is an affiliate ad. If you click through and then buy a product, I receive a commission.
