
What Is IRS Form 4557?
IRS Publication 4557—commonly referred to as form 4557—is the IRS's official guide for tax professionals on protecting client taxpayer data. If you prepare returns for compensation, form 4557 applies to your practice without exception, whether you file 11 returns or 11,000.
The publication functions as a compliance roadmap, drawing from three federal authorities: the Gramm-Leach-Bliley Act (GLBA), the Federal Trade Commission (FTC) Safeguards Rule, and IRS Revenue Procedure 2007-40. Together, these establish that tax preparers are financial institutions in the eyes of the law and must implement a formal, written information security program—or face suspension from the IRS e-file program.
For a broader view of how these requirements fit into your practice, see our guide on cybersecurity for tax professionals.
Tax Data Security By The Numbers
(Statistics graphic; sources cited: IBM Cost of Data Breach Report 2024; IRS Data Book 2023, business and individual identity theft reports; Verizon 2024 Data Breach Investigations Report.)
The Legal Framework Behind Form 4557
Three interlocking laws and regulations establish why form 4557 compliance is mandatory for every tax professional:
Gramm-Leach-Bliley Act (GLBA)
The GLBA classifies tax preparers as financial institutions because they receive nonpublic personal information (NPI)—Social Security numbers, bank account data, and income records—as part of providing a financial service. This classification activates mandatory data protection obligations under federal law.
FTC Safeguards Rule (16 CFR Part 314)
The FTC Safeguards Rule requires covered financial institutions to develop, implement, and maintain a written information security program. The 2023 amendments strengthened the rule significantly, adding mandatory requirements for Multi-Factor Authentication (MFA), encryption of data in transit and at rest, and annual risk assessments. These are now baseline controls, not discretionary measures.
IRS Revenue Procedure 2007-40
This IRS procedure governs all authorized e-file providers. The IRS has formally stated that violations of the FTC Safeguards Rule constitute violations of Revenue Procedure 2007-40. The consequence is direct: non-compliance can result in removal from the IRS e-file program, ending your ability to file returns electronically on behalf of clients.
For a detailed review of your current obligations, see our guide on tax safeguard compliance under Publication 4557.
Core Requirements of IRS Publication 4557
Written Information Security Plan (WISP)
The foundation of form 4557 compliance is a Written Information Security Plan. Every tax professional preparing returns for compensation must create, maintain, and actively implement a WISP. The IRS publication references NIST IR 7621r1: Small Business Information Security Fundamentals as the recommended framework for building this plan.
A compliant WISP must address:
- The scope of taxpayer data collected, processed, and stored
- Formal risk assessment procedures and review schedule
- Technical, physical, and administrative safeguards in place
- Employee roles, responsibilities, and security training requirements
- Incident response and breach notification procedures
- Vendor and third-party service provider oversight
For a ready-to-use template, see our guide on the IRS Publication 5708 WISP template, which provides a structured starting point aligned to form 4557 requirements. You can also review the full scope of the IRS Publication 4557 Safeguarding Taxpayer Data WISP requirements on our resource hub.
Access Controls and Authentication
IRS Publication 4557 requires restricting access to taxpayer data to authorized personnel only. This means assigning unique user IDs, enforcing strong password policies, and implementing MFA on every system that stores or transmits taxpayer information. The IRS recommends a minimum password length of 12 characters combining uppercase and lowercase letters, numbers, and symbols—with 8 characters documented as the floor. Password managers are specifically recommended for tracking complex, unique credentials across tax software, email, and financial portals.
How to Build a Form 4557-Compliant Security Program
Conduct a Risk Assessment
Identify every location where taxpayer data is stored, processed, or transmitted — including laptops, cloud storage, and email. Document identified risks and their likelihood of exploitation.
Draft Your Written Information Security Plan
Using IRS Publication 4557 and NIST IR 7621r1 as guides, create a WISP that addresses all required control areas. Designate a security coordinator responsible for implementation and annual reviews.
Implement Technical Safeguards
Deploy MFA on all tax software and email accounts. Enable full-disk encryption via BitLocker or an equivalent tool. Apply all pending security patches and confirm anti-virus definitions are current.
Secure Your Network
Configure Wi-Fi using WPA-2 with AES encryption. Use a non-identifying SSID and disable broadcast. Segment your tax workstations from guest or personal device networks to limit lateral movement.
Train Your Staff
All employees with access to taxpayer data must receive security awareness training. Phishing simulation exercises and annual refreshers are required under the updated FTC Safeguards Rule.
Test and Update Annually
Review your WISP and test your controls at least once per year — or after any material change to your systems, staffing, or services. Document the review and any updates made as evidence of compliance.
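As an added illustration of the risk assessment step above (this script is not from IRS Publication 4557, NIST IR 7621r1, or Bellator Cyber Guard), here is a small Python data-inventory scan: it walks a folder tree, records every file containing SSN- or EIN-shaped identifiers, and discards SSN look-alikes that the SSA never issues so the inventory is not padded with invoice and order numbers. The folder layout and file contents are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample files standing in for a practice's document folders.
SAMPLE_FILES = {
    "clients/smith_2023_return.txt": "Taxpayer: J. Smith  SSN: 123-45-6789  refund to acct 9876543210",
    "clients/notes.txt": "Called client re: EIN 12-3456789 for Schedule C.",
    "marketing/newsletter.txt": "Invoice #000-11-2222 is not an SSN, nor is order 2023-45-6789.",
    "downloads/scan_0042.txt": "SSN 900-12-3456 (unissued area) and 078-05-1120 (valid format)",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EIN_RE = re.compile(r"\b(\d{2})-(\d{7})\b")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop SSN-shaped numbers the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def scan_text(text: str) -> dict:
    """Return the taxpayer identifiers found in one document's text."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]
    eins = [m.group(0) for m in EIN_RE.finditer(text)]
    return {"ssn": ssns, "ein": eins}

def inventory(root: Path) -> list:
    """Walk the tree and list every file that holds taxpayer identifiers (the WISP data inventory)."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        hits = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
        if hits["ssn"] or hits["ein"]:
            findings.append({"file": path.relative_to(root).as_posix(), **hits})
    return findings

def build_sample_tree() -> Path:
    # Write the constructed sample files into a temporary directory.
    root = Path(tempfile.mkdtemp(prefix="wisp_inventory_"))
    for rel, text in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")
    return root

if __name__ == "__main__":
    for item in inventory(build_sample_tree()):
        print(f"{item['file']}: {len(item['ssn'])} SSN, {len(item['ein'])} EIN")
```

Each listed file is a location that must appear in the WISP's data inventory, with its encryption, access control and retention status documented; the scan finds plaintext identifiers only, so encrypted archives and cloud mailboxes still need to be inventoried by hand.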
Technical Controls Required by Form 4557
Encryption
All taxpayer data must be encrypted both in transit and at rest. For Windows workstations, Microsoft BitLocker provides full-disk encryption that renders stored data unreadable without the correct credentials at boot. For data moving between systems—such as client documents sent via email or uploaded to a portal—Transport Layer Security (TLS) 1.2 or higher is the required standard. Unencrypted email is not an acceptable method for transmitting tax documents under form 4557 requirements.
Anti-Virus and Patch Management
Every workstation in a tax practice must run actively updated anti-virus and anti-malware software. Patch management carries equal weight: unpatched vulnerabilities in operating systems and tax software are among the most commonly exploited attack vectors. The Verizon 2024 Data Breach Investigations Report identified vulnerability exploitation as a top initial access technique across small business targets, reinforcing that timely patching directly reduces breach risk.
Wireless Network Security
IRS Publication 4557 specifically addresses wireless network security as a required control area. Your network must use Wi-Fi Protected Access 2 (WPA-2) with Advanced Encryption Standard (AES) encryption. The Service Set Identifier (SSID) should not identify your business, and broadcast should be disabled where technically feasible. Any guest or personal devices must operate on a separate network segment from tax workstations. Our guide on network segmentation explains how to implement this separation effectively.
For practices concerned about ransomware — one of the fastest-growing threats targeting tax firms — see our guide on ransomware protection for tax practices.
E-File Suspension Risk
Non-compliance with form 4557 requirements is not merely a fine risk. The IRS treats violations of the FTC Safeguards Rule as direct violations of Revenue Procedure 2007-40. The stated consequence is suspension from the IRS e-file program — ending your ability to file returns electronically on behalf of clients and effectively halting your practice during tax season.
Form 4557 Security Implementation Levels
Key Protections Form 4557 Requires You to Implement
Written Security Plan (WISP)
A documented plan covering risk assessment, safeguards, employee responsibilities, and incident response — required for all tax preparers under the FTC Safeguards Rule.
Multi-Factor Authentication
MFA on all tax software, email, and remote access systems. Mandatory under the 2023 FTC Safeguards Rule amendments for all covered financial institutions.
Data Encryption
Full-disk encryption for data at rest and TLS for data in transit. Protects taxpayer records if a device is lost, stolen, or intercepted on the network.
Employee Security Training
All staff with access to taxpayer data must receive security awareness training covering phishing recognition and safe data handling procedures.
Vendor Oversight
Tax professionals must vet and monitor third-party service providers — cloud storage, payroll, and tax software vendors — for adequate data security practices.
Incident Response Plan
A documented, tested plan for responding to data breaches, including notifying the IRS via Stakeholder Liaison and filing IRS Form 14039-B for confirmed identity theft.
Incident Response and Breach Notification Under Form 4557
IRS Publication 4557 requires tax professionals to maintain a documented incident response plan — not just preventive controls. When a breach occurs, response obligations are specific and time-sensitive.
Under the GLBA and FTC Safeguards Rule, a breach of taxpayer data triggers mandatory notification obligations to affected clients, the IRS, and in most states, state regulators. Delayed notification compounds both legal exposure and client trust damage significantly.
The IRS-specific steps after a confirmed or suspected breach:
- Isolate affected systems immediately to stop further data exfiltration
- Contact your cybersecurity team or Managed Security Service Provider (MSSP)
- Report the breach to your IRS Stakeholder Liaison — contact information is listed directly in IRS Publication 4557
- File IRS Form 14039-B (Business Identity Theft Affidavit) if tax-related identity theft is confirmed
- Notify affected clients per applicable state breach notification laws
- Document all response actions and update your WISP to address the root cause
The online tax filing security landscape for 2025 and 2026 includes increasingly targeted attacks on small tax practices: attackers know these firms hold high-value data with often limited security resources. A tested incident response plan is essential to limiting damage when prevention fails.
For details on building a complete written security program, see our full guide on the written information security plan requirements and structure.
Get a Free Form 4557 Compliance Assessment
Bellator Cyber Guard specializes in helping tax professionals meet IRS Publication 4557 requirements. We'll evaluate your current security posture, identify gaps, and provide a prioritized remediation roadmap — at no cost.
Frequently Asked Questions About IRS Form 4557
Who must comply with form 4557?
Any tax professional who prepares federal tax returns for compensation must comply with form 4557. This includes sole practitioners, small accounting firms, enrolled agents, and tax preparation franchises. The Gramm-Leach-Bliley Act classifies these professionals as financial institutions, triggering mandatory data protection obligations regardless of firm size or return volume.
Is form 4557 the same as IRS Publication 4557?
They refer to the same document. IRS Publication 4557, titled "Safeguarding Taxpayer Data," is frequently called form 4557 in common usage. It is a guidance publication rather than a fillable tax form — it outlines the data security requirements and best practices tax professionals must follow to protect client information and maintain their e-file authorization.
What happens if I do not comply with form 4557?
The IRS treats violations of the FTC Safeguards Rule as violations of IRS Revenue Procedure 2007-40. This can result in suspension from the IRS e-file program, preventing you from filing returns electronically on behalf of clients. Additionally, GLBA violations can expose your firm to FTC enforcement actions and civil penalties under applicable state laws.
Is a Written Information Security Plan legally required?
Yes. A Written Information Security Plan (WISP) is a formal legal requirement under the FTC Safeguards Rule for all covered financial institutions, including tax preparers. IRS Publication 4557 references the WISP requirement directly and provides guidance on what it must cover. Tax professionals can face regulatory action for failing to maintain a current, implemented WISP.
How often must the WISP and security controls be reviewed?
At minimum, your WISP and security controls must be reviewed and tested annually. The FTC Safeguards Rule also requires updates whenever you make material changes to your systems, services, or business operations — such as adding a cloud storage platform, hiring remote staff, or switching tax software. Annual reviews are the floor, not the ceiling.
Is multi-factor authentication required?
Yes. The 2023 updates to the FTC Safeguards Rule made MFA a mandatory control for all covered financial institutions, including tax preparers. IRS Publication 4557 reflects this requirement. MFA must be implemented on all systems that store or provide access to taxpayer data, including tax software, email accounts, and remote access platforms.
What should I do after a data breach?
Immediately isolate affected systems, then contact your IRS Stakeholder Liaison (contact information is listed in Publication 4557), file IRS Form 14039-B if identity theft is confirmed, and notify affected clients. Most states require breach notification within 30–90 days of discovery. Document all actions taken and update your WISP to address the root cause.
How does the FTC Safeguards Rule relate to form 4557?
The FTC Safeguards Rule (16 CFR Part 314) is the federal regulation that establishes substantive data security requirements for financial institutions, including tax preparers. IRS Publication 4557 translates those requirements into practical guidance for the tax preparation context. The IRS explicitly states that violations of the Safeguards Rule constitute violations of IRS Revenue Procedure 2007-40, tying FTC enforcement authority directly to your IRS e-file authorization.