Tax Pros Must Have a Written Information Security Plan to Protect Client Data

Aug 12, 2025 | IRS, security

IRS Security Summit Reminder

The article, published by the IRS, highlights the importance of tax professionals maintaining a Written Information Security Plan (WISP) to safeguard client data from identity theft and breaches. This is part of the “Protect Your Clients; Protect Yourself” campaign, a collaborative effort with the Security Summit partners. Key Reminders for Tax Professionals:Cyber Security Plan - Franek Tax Services

  • Tax pros are legally required to create, maintain, and regularly update a WISP, which must be written, accessible, and adapted based on operational changes or security tests.
  • They should develop a data theft response plan, including prompt reporting of incidents to the IRS Stakeholder Liaison, state tax agencies, and, if affecting 500+ individuals, to the Federal Trade Commission (FTC) within 30 days.
  • Staying informed through IRS e-News subscriptions and social media is encouraged to keep up with security best practices.

Details on the Written Information Security Plan (WISP)

  • Legal Basis: Mandated under the Gramm-Leach-Bliley Act (GLBA), which treats tax professionals as financial institutions obligated to protect customer information. The FTC outlines key elements, including:
    • Designating employees to coordinate the security program.
    • Identifying risks to client data and evaluating safeguards.
    • Implementing, monitoring, and testing security measures.
    • Ensuring service providers have appropriate protections via contracts.
  • Core Focus Areas: Employee training and management, information systems security, and handling system failures or breaches.
  • The plan should be tailored to the business’s size and complexity, with regular reviews.

Resources and Tips

  • IRS Publication 5708 provides a 28-page template to help, especially smaller firms, in developing a compliant WISP.
  • For incident reporting: Contact IRS Stakeholder Liaisons or use the Federation of Tax Administrators’ webpage.
  • Additional education is available at Nationwide Tax Forums, with upcoming events in cities like New Orleans, Orlando, Baltimore, and San Diego, featuring sessions on tax pro security.
  • This reminder is the third in a five-part summer series aimed at enhancing data protection for taxpayers and professionals.

The article underscores that a robust WISP not only meets legal requirements but also helps prevent data theft in an increasingly digital tax environment. For more detailed information, please see the IRS website and blog: https://www.irs.gov/newsroom/irs-security-summit-remind-tax-pros-they-must-have-a-written-information-security-plan-to-protect-client-data