
IRS Form 4557: Safeguarding Taxpayer Data Guide

IRS Publication 4557 sets federal security standards for tax preparers. Learn the Security Six, WISP requirements, and breach rules for 2026 compliance.


What Is IRS Publication 4557? (Not a Filing Form)

Tax professionals searching for "IRS Form 4557" are typically looking for IRS Publication 4557, titled Safeguarding Taxpayer Data: A Guide for Your Business. Unlike the W-2 or 1099 series, Publication 4557 is not a tax filing form you submit — it is the IRS's official compliance guide outlining what every tax professional must do to protect sensitive client data under federal law.

First published in 2004 and updated regularly, Publication 4557 draws its legal authority from the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule. The IRS uses this publication to communicate specific security controls, administrative requirements, and incident response obligations that apply to anyone who prepares federal tax returns or handles Federal Tax Information (FTI). The current version is available as a free PDF download from the IRS website.

If your firm has been told to review "IRS Form 4557" by a compliance auditor, a professional association, or an IRS representative, this guide breaks down exactly what Publication 4557 requires — and the concrete steps your practice must take to achieve and maintain compliance in 2026.

Tax Preparer Cybersecurity: By the Numbers

  • $6.08M: average financial services breach cost (IBM Cost of Data Breach Report 2024, includes litigation)
  • 11+ returns per year: the threshold that triggers the WISP mandate (federal legal requirement under GLBA / FTC Safeguards Rule)
  • $51,744: maximum FTC penalty per violation per day for Safeguards Rule non-compliance

Who Must Follow IRS Publication 4557?

Publication 4557 applies to every tax professional who "receives, maintains, retransmits, or discloses Federal Tax Information." In practical terms, that includes:

  • Individual tax preparers — CPAs, Enrolled Agents, tax attorneys, and PTIN holders of any kind
  • Accounting and bookkeeping firms of any size, including solo practitioners
  • Payroll service providers who handle FTI on behalf of clients
  • Software companies and cloud platforms that process FTI on behalf of tax professionals
  • Third-party vendors who access client tax data in any form, even temporarily

The IRS does not exempt sole proprietors or small firms from these obligations. If you prepare even a single federal return, you are responsible for implementing the safeguards described in Publication 4557.

The most consequential compliance threshold is 11 or more returns per year: once you cross that line, federal law requires you to maintain a Written Information Security Plan (WISP) — a documented security policy reviewed and updated at least annually. Our guide on PTIN and WISP requirements for tax preparers explains this threshold in detail.

Third-party service providers represent a particular exposure point. Under the FTC Safeguards Rule — which Publication 4557 incorporates by reference — you must vet and oversee every vendor who touches your clients' data. A breach at a cloud storage provider or practice management software vendor can expose your firm to liability if you failed to perform adequate due diligence on that vendor before granting access to client records. See our analysis of security risks in tax client portals for a closer look at this exposure.

2026 Compliance Requirement

The IRS requires all tax preparers handling 11 or more federal returns annually to maintain an active, updated Written Information Security Plan (WISP). Plans must be reviewed at least once per year and updated to reflect any changes in your data environment, personnel, or vendor relationships. Firms without a compliant plan face potential EFIN/PTIN suspension and FTC civil penalties.

The IRS Security Six: Core Requirements of Publication 4557

Publication 4557 identifies six baseline security controls — collectively known as the IRS Security Six — that every tax professional must implement. Developed through the IRS's Security Summit partnership with state tax agencies and the private tax industry, these controls target the most common attack vectors used against tax preparers.

1. Anti-Virus and Anti-Malware Software

Every device that touches client data must run up-to-date anti-virus and anti-malware software. This includes workstations, laptops, and mobile devices used for client communication. Auto-update settings must be enabled — outdated virus definitions leave your systems exposed to malware variants specifically engineered to target tax software and steal FTI.

2. Firewalls

A properly configured firewall is required on all network connections. For most small practices, this means a business-grade router with stateful packet inspection and intrusion detection capabilities. Consumer-grade routers sold at retail stores typically do not meet this standard. If employees work from home, their home networks need appropriate firewall protection on devices used for client work.

3. Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) must be enabled on all accounts that access Federal Tax Information — including tax software portals, cloud storage, email, and remote desktop connections. The IRS has identified compromised credentials as the leading cause of data theft at tax firms. MFA significantly reduces this risk by requiring a second verification step beyond a password alone. Our guide on multi-factor authentication for small businesses provides step-by-step setup instructions for common platforms.

4. Drive Encryption

All drives containing client data must be encrypted. Windows BitLocker and Apple FileVault provide built-in, no-cost encryption for desktop and laptop computers. Portable storage devices — USB drives, external hard disks — must also be encrypted. If a laptop containing unencrypted client data is stolen, you face both a reportable breach and potential regulatory penalties, regardless of whether anyone actually accessed the data.

5. Data Backup

Publication 4557 requires regular, tested data backups stored in a secure, separate location. The operative word is tested: backing up data that cannot be successfully restored provides no real protection. Best practice follows the 3-2-1 rule — three copies of data, stored on two different media types, with one copy kept offsite or in a geographically separate cloud region.

6. Virtual Private Network (VPN)

Any remote access to client data — whether from a home office, hotel, or public Wi-Fi — must use a business-grade Virtual Private Network (VPN). Consumer VPN services marketed for personal privacy typically lack the security controls required for handling FTI. Your firm's VPN should encrypt traffic end-to-end and log connection activity for audit purposes. Our guide on how to choose a VPN covers what to look for in a business-grade solution.
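A Windows spot-check for the Security Six, added here as an example (not the IRS's or the article's own code). It assumes Windows 10/11 with Microsoft Defender and the BitLocker PowerShell module, an elevated PowerShell session, and a constructed three-day signature-age threshold; the standard Get-MpComputerStatus, Get-NetFirewallProfile, Get-BitLockerVolume and Get-VpnConnection cmdlets are used as-is.

```powershell
# Added example, not part of IRS Publication 4557 or the original article: spot-check
# the Security Six controls that can be verified on a Windows endpoint. Assumes
# Windows 10/11 with Microsoft Defender and the BitLocker module, run as administrator.
# MFA, tested off-site backups and VPN quality are not provable locally, so they are
# reported as MANUAL items to be signed off in the WISP evidence file.

function Test-SecuritySix {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Control, [string]$Status, [string]$Detail) {
        $results.Add([pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail })
    }
    $MaxSignatureAgeDays = 3   # constructed threshold: older definitions count as "not up to date"

    # 1. Anti-virus/anti-malware: Defender on, real-time protection on, definitions current.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $ok = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
              ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
        Add-Result 'Anti-virus' $(if ($ok) { 'PASS' } else { 'FAIL' }) `
            ("Enabled={0} RealTime={1} SignatureAgeDays={2}" -f
                $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled, $mp.AntivirusSignatureAge)
    } catch {
        Add-Result 'Anti-virus' 'FAIL' "Defender status unavailable: $($_.Exception.Message)"
    }

    # 2. Firewall: Domain, Private and Public profiles must all be enabled.
    $disabled = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
                  Select-Object -ExpandProperty Name)
    if ($disabled.Count -eq 0) { Add-Result 'Firewall' 'PASS' 'All profiles enabled' }
    else { Add-Result 'Firewall' 'FAIL' "Disabled profiles: $($disabled -join ', ')" }

    # 4. Drive encryption: BitLocker protection must be On for every volume, including
    #    any removable media that is currently attached.
    try {
        $unprotected = @(Get-BitLockerVolume -ErrorAction Stop |
                         Where-Object { $_.ProtectionStatus -ne 'On' } |
                         Select-Object -ExpandProperty MountPoint)
        if ($unprotected.Count -eq 0) { Add-Result 'Drive encryption' 'PASS' 'BitLocker on for all volumes' }
        else { Add-Result 'Drive encryption' 'FAIL' "Unprotected volumes: $($unprotected -join ', ')" }
    } catch {
        Add-Result 'Drive encryption' 'FAIL' "BitLocker status unavailable: $($_.Exception.Message)"
    }

    # 3, 5, 6. MFA, backups and VPN: record what is visible and flag for manual sign-off.
    $vpn = @(Get-VpnConnection -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
    Add-Result 'VPN' 'MANUAL' $(if ($vpn.Count) { "Configured profiles: $($vpn -join ', ')" } else { 'No VPN profile configured' })
    Add-Result 'MFA' 'MANUAL' 'Verify MFA is enforced on tax software, email, cloud storage and remote access'
    Add-Result 'Backup' 'MANUAL' 'Verify a 3-2-1 backup exists and that a restore was tested and dated'

    return $results
}

# Run the check and keep a timestamped copy as evidence for the annual WISP review.
$report = Test-SecuritySix
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path ("SecuritySix-{0}-{1}.csv" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
```

Run it on each workstation and laptop that touches FTI; a FAIL row on Anti-virus, Firewall or Drive encryption is a gap to close before the next filing season, and the CSV files make the "implemented and verified" claim in the WISP auditable.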

How to Implement IRS Publication 4557 Requirements

  1. Conduct a Data Inventory: Document every location where Federal Tax Information is stored, transmitted, or processed — including cloud platforms, local drives, portable media, and paper records.
  2. Perform a Written Risk Assessment: Identify threats to each data location (theft, phishing, ransomware, insider error) and rate likelihood and impact. Your WISP must document this methodology.
  3. Implement the IRS Security Six: Deploy anti-virus, firewall, MFA, drive encryption, data backup, and VPN on all systems that touch client data. Verify auto-update settings on each.
  4. Draft or Update Your WISP: Create a Written Information Security Plan covering scope, controls, employee responsibilities, vendor management, incident response, and annual review schedule.
  5. Train All Staff: Conduct security awareness training covering phishing recognition, password hygiene, and breach reporting procedures. Document attendance and completion.
  6. Vet Third-Party Vendors: Review data processing agreements and security attestations for every vendor with access to FTI. Add vendor inventory and oversight procedures to your WISP.
  7. Schedule Annual Reviews: Set a calendar reminder to review and update your WISP each year — and any time you change software, add employees, or switch vendors.

WISP Requirements Under IRS Publication 4557

The Written Information Security Plan (WISP) is the centerpiece of Publication 4557 compliance for most tax professionals. If you prepare 11 or more federal returns annually, a WISP is not an administrative formality — it is a federal legal requirement under the Gramm-Leach-Bliley Act, enforced through the FTC Safeguards Rule.

At minimum, your WISP must document:

  • Scope: Which data, systems, and employees are covered by the security program
  • Risk assessment methodology: How you identify and evaluate threats to client data
  • Security controls: The specific measures you use to mitigate each identified risk
  • Employee responsibilities: Who is accountable for each security function and what training they receive
  • Vendor management: How you vet, onboard, and monitor third-party service providers
  • Incident response: Step-by-step procedures for responding to a suspected or confirmed breach
  • Physical safeguards: Controls for paper records and physical access to data systems
  • Annual review process: How and when you will review, test, and update the plan

The IRS does not mandate a specific WISP format, which gives firms flexibility — but that flexibility is also a compliance trap. A WISP that is too vague, or one that fails to address your actual data environment, may not satisfy an IRS examiner or an FTC audit. If you are building your WISP from scratch, our free 2026 WISP template provides a detailed starting framework aligned with Publication 4557 requirements.

One of the most frequently overlooked WISP components is vendor risk management. Tax software companies, payroll processors, cloud storage providers, and IT support vendors who have access to your client data must all be addressed in your plan. Maintain a current vendor inventory documenting what data each vendor accesses, and keep copies of any data processing agreements or security attestations they provide. For a detailed walkthrough of what the IRS expects, see our guide on the IRS Written Information Security Plan.

Breach Reporting and Enforcement Under Publication 4557

IRS Publication 4557 dedicates substantial guidance to what tax professionals must do when a data breach occurs. The IRS defines a breach as any unauthorized access to, use of, or disclosure of Federal Tax Information — including incidents originating at third-party vendors who process your clients' data on your behalf.

Immediate Steps After a Suspected Breach

Publication 4557 directs you to take the following actions when a breach is discovered or suspected:

  1. Contain the breach: Disconnect affected systems from the network without powering them off. Powering down machines can destroy forensic evidence needed for investigation and prosecution.
  2. Report to the IRS: Contact the IRS Stakeholder Liaison in your area and notify the IRS Identity Protection Specialized Unit at 1-800-908-4490. For clients whose identities have been compromised, assist them in filing IRS Form 14039 (Identity Theft Affidavit).
  3. Notify affected clients: Most states mandate breach notification within 30 to 72 hours. Publication 4557 recommends proactive client notification regardless of applicable state law thresholds.
  4. File a police report: Report to local law enforcement. For incidents involving interstate activity, submit a complaint to the FBI's Internet Crime Complaint Center (IC3).
  5. Report to the FTC: If the breach affects 500 or more customers, you must notify the FTC within 30 days under the Safeguards Rule.

Penalties for Non-Compliance

The IRS can revoke or suspend your Electronic Filing Identification Number (EFIN) or Preparer Tax Identification Number (PTIN), effectively prohibiting you from filing returns electronically or operating as a preparer. The FTC, under its Safeguards Rule authority, can impose civil penalties of up to $51,744 per violation per day — a figure that can become existential for a small firm.

Beyond regulatory exposure, a breach opens your firm to civil liability from affected clients. IBM's 2024 Cost of Data Breach Report found that the average breach in the financial services sector — the category that encompasses tax preparation — exceeded $6 million when litigation costs were factored in. For a solo practitioner or a firm with fewer than 10 employees, that exposure is financially catastrophic.

Read our guide on FTC Safeguards Rule compliance for tax preparers for a breakdown of enforcement mechanisms and documented penalty cases. You can also review online tax filing security risks for a broader picture of threat vectors targeting preparers.

Bottom Line

IRS Publication 4557 sets the floor for taxpayer data protection — not the ceiling. The IRS Security Six and WISP requirement are minimum standards. Firms that treat compliance as a one-time checklist often discover, after an incident, that minimum compliance was not sufficient to prevent real-world attacks. Build toward the controls described below to meaningfully reduce your risk.

Building a Security Program That Exceeds Publication 4557 Minimums

Publication 4557 itself acknowledges that its recommendations represent baseline standards and encourages practitioners to implement additional controls based on their specific risk profile. Three areas where proactive firms go further than the minimum are worth addressing directly.

Dark Web Monitoring for Credential Exposure

Compromised credentials from prior data breaches frequently appear on dark web marketplaces within hours of being stolen — long before the affected organization knows a breach occurred. Continuous dark web monitoring provides early warning when credentials associated with your firm's domain or your employees' email addresses surface in criminal markets, allowing you to rotate passwords and enforce MFA before attackers exploit those credentials against your tax software accounts or client portals.

Security Awareness Training Beyond Annual Refreshers

Publication 4557 requires employee security training but does not specify frequency or format. Verizon's 2024 Data Breach Investigations Report found that phishing remains the primary entry point for professional services breaches. Running quarterly simulated phishing tests — not just annual training sessions — measurably reduces employee click rates on malicious links over time. Our guide on what phishing is and how to recognize it covers the specific lures attackers use against CPAs and preparers, including W-2 fraud schemes and software credential harvesting campaigns.

Aligning with NIST SP 800-171 for a More Mature Program

For firms that want a more rigorous framework than Publication 4557 alone, NIST Special Publication 800-171 Revision 3 provides 110 security controls for protecting controlled unclassified information (CUI). While originally developed for federal contractors, NIST SP 800-171 is increasingly used by accounting firms as a benchmark for a mature security program that goes well beyond IRS Publication 4557's requirements. Aligning your controls with this framework also strengthens your position with cyber insurance underwriters, who increasingly require evidence of formal control frameworks before issuing or renewing coverage. See our guide on cyber insurance requirements for small businesses for what underwriters are asking for in 2026.

Use our tax season cybersecurity checklist as a structured starting point for your pre-filing-season security review, and consider a Publication 4557 compliance assessment to identify gaps before filing season opens.

IRS Publication 4557 Compliance Checklist

  • Designate a qualified security coordinator responsible for your firm's data protection program
  • Inventory all systems, devices, and vendors that store, transmit, or process Federal Tax Information
  • Deploy and maintain up-to-date anti-virus and anti-malware on all devices used for client work
  • Configure a business-grade firewall on your office network and any remote work environments
  • Enable multi-factor authentication (MFA) on tax software, email, cloud storage, and remote access
  • Encrypt all hard drives and portable media containing client data (BitLocker, FileVault, or equivalent)
  • Implement and test the 3-2-1 backup rule: three copies, two media types, one offsite or cloud location
  • Require a business-grade VPN for all remote access to Federal Tax Information
  • Draft or update your Written Information Security Plan (WISP) to cover all required components
  • Review and update all third-party vendor data processing agreements and security attestations
  • Conduct documented annual employee security awareness training with attendance records
  • Test your incident response procedures and verify IRS Stakeholder Liaison contact information

Free 2026 WISP Template for Tax Preparers

Bellator Cyber Guard's WISP template is pre-structured for IRS Publication 4557 compliance, covering all required components including risk assessment, vendor management, and incident response.

Physical Security and FTI: An Overlooked Publication 4557 Requirement

Most discussions of Publication 4557 focus on digital controls — and for good reason, since cyberattacks account for the majority of FTI exposures. But the publication also mandates physical safeguards that smaller firms frequently overlook.

Physical security requirements under Publication 4557 include controlling access to areas where client records are stored or displayed, locking workstations when unattended, shredding paper documents containing FTI rather than placing them in recycling or trash, and maintaining a clean-desk policy that prevents unauthorized individuals from viewing client data. For firms that share office space with other businesses or operate in open-floor-plan environments, screen privacy filters on client-facing monitors are a recommended — and inexpensive — physical control.

The question of which physical security practice is required for FTI specifically is addressed in our dedicated guide on physical security requirements for Federal Tax Information. For firms with significant paper record volumes, the publication recommends establishing a records retention and destruction policy that specifies how long each category of document is kept and how it is securely destroyed at the end of that period.

Physical security is also relevant to breach reporting obligations. If physical records are lost or stolen — a box of client files left in an unlocked vehicle, for instance — that constitutes a reportable breach under Publication 4557, not merely an administrative error.

What This Means for Your Firm

IRS Publication 4557 compliance is not a one-time project — it is an ongoing security program. The firms that get into trouble are those that create a WISP once, implement the Security Six at a point in time, and never revisit either. Your staff changes, your software changes, your vendors change. Your security plan must change with them, with a documented annual review as the minimum.

Book a Free IRS Publication 4557 Compliance Assessment

Bellator Cyber Guard's tax cybersecurity specialists will evaluate your firm's security posture against Publication 4557 requirements, identify gaps before filing season, and deliver a prioritized remediation roadmap — including a full WISP review and Security Six verification.

Frequently Asked Questions About IRS Publication 4557

No. "IRS Form 4557" is a common search term, but Publication 4557 is not a filing form — it is the IRS's official compliance guide titled Safeguarding Taxpayer Data: A Guide for Your Business. You do not submit it to the IRS. Instead, it describes the security standards and Written Information Security Plan requirements your firm must implement and maintain. The current version is available as a free download from the IRS website at irs.gov.

Publication 4557 applies to every tax professional who receives, maintains, retransmits, or discloses Federal Tax Information (FTI). This includes individual CPAs, Enrolled Agents, tax attorneys, PTIN holders, accounting and bookkeeping firms of any size, payroll service providers, and third-party vendors who access client tax data. The IRS does not exempt sole proprietors or small firms. Preparing even a single federal return creates compliance obligations under Publication 4557.

The IRS Security Six are the six baseline security controls Publication 4557 requires every tax professional to implement: (1) anti-virus and anti-malware software with auto-updates enabled, (2) a properly configured business-grade firewall, (3) multi-factor authentication (MFA) on all accounts that access FTI, (4) full-drive encryption on all devices and portable media containing client data, (5) regular, tested data backups following the 3-2-1 rule, and (6) a business-grade VPN for all remote access to client data.

Non-compliance exposes your firm to enforcement from two agencies. The IRS can revoke or suspend your Electronic Filing Identification Number (EFIN) or Preparer Tax Identification Number (PTIN), preventing you from filing returns electronically. The FTC, which enforces the Safeguards Rule that underlies Publication 4557, can impose civil penalties of up to $51,744 per violation per day. A data breach also exposes your firm to civil litigation from affected clients. IBM's 2024 research found average financial services breach costs exceeding $6 million when litigation is included.

Publication 4557 requires you to review and update your Written Information Security Plan at least once per year. You should also update it whenever significant changes occur — adding new employees, switching tax software platforms, changing cloud vendors, opening a new office location, or experiencing a security incident. A WISP that accurately reflected your business two years ago but hasn't been updated since may not satisfy an IRS examiner today.

Yes. If you use cloud-based tax preparation software, cloud storage, or any third-party platform that hosts or processes Federal Tax Information, Publication 4557 applies to both you and your vendor relationships. You remain responsible for the security of client data even when a third party hosts it. You must vet vendors, maintain data processing agreements, and include your cloud vendors in your WISP's vendor management section. A breach at your cloud vendor can trigger your own reporting obligations under Publication 4557 and the FTC Safeguards Rule.

IRS Publication 4557 is the IRS's compliance guidance document for tax professionals. The FTC Safeguards Rule is a federal regulation (16 CFR Part 314) that legally requires financial institutions — including tax preparers — to maintain a written information security program. Publication 4557 incorporates the Safeguards Rule by reference and is the IRS's way of communicating those requirements to the tax preparation community. In practical terms, Publication 4557 tells you what to do; the FTC Safeguards Rule gives the government authority to enforce it. Both apply to your firm simultaneously.

Publication 4557 directs you to: (1) contain the breach by disconnecting affected systems from the network without powering them off, since shutdown can destroy forensic evidence; (2) contact the IRS Stakeholder Liaison in your area and notify the IRS Identity Protection Specialized Unit at 1-800-908-4490; (3) assist affected clients in filing IRS Form 14039 (Identity Theft Affidavit); (4) notify affected clients proactively — most states require notification within 30 to 72 hours; (5) file a police report and submit a complaint to the FBI's Internet Crime Complaint Center (IC3) at ic3.gov; and (6) if 500 or more customers are affected, notify the FTC within 30 days.

IRS Publication 4557 is available as a free PDF download directly from the IRS website at irs.gov. Search for "Publication 4557" in the IRS forms and publications search, or navigate to the Tax Professionals section of irs.gov. The publication is updated periodically, so always verify you are using the most current version. Bellator Cyber Guard's Publication 4557 compliance resources also include annotated summaries and implementation guides aligned with the current version.

Federal law requires a Written Information Security Plan if you prepare 11 or more federal returns per year. Below that threshold, the WISP mandate under the GLBA and FTC Safeguards Rule technically does not apply — but the other Publication 4557 requirements, including the IRS Security Six, still apply to anyone who handles Federal Tax Information. Even for very small preparers, maintaining basic security controls is strongly recommended, since IRS enforcement of EFIN and PTIN requirements is not limited to high-volume preparers.
