
What IRS Publication 4557 Actually Requires from Tax Professionals
If you prepare federal tax returns professionally, IRS Publication 4557 — Safeguarding Taxpayer Data — is not a suggestion. It is the IRS's definitive guidance on your legal obligations under the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule to protect the sensitive financial data you handle every day.
At its core, Publication 4557 requires every tax professional or firm — regardless of size — to implement a formal, written data security program. That program is called a Written Information Security Plan, or WISP. If you handle 11 or more federal returns annually, the FTC Safeguards Rule mandates you have one in place. The IRS reinforces this obligation through Publication 4557 and Publication 5708, which provides a sample WISP template.
This guide breaks down exactly what Publication 4557 covers, what your WISP must include, and the practical steps to achieve and maintain compliance in 2026. For a broader view of security obligations specific to your profession, see our guide on cybersecurity for tax professionals.
Tax Preparer Data Security: By the Numbers
IBM Cost of Data Breach Report 2024
FTC Safeguards Rule civil penalty authority
Required notification to IRS Stakeholder Liaison after data theft discovery
The Legal Foundation: GLBA, FTC Safeguards Rule, and IRS Guidance
Tax preparers operate at the intersection of three overlapping regulatory frameworks, all of which converge on the same core requirement: protect taxpayer data with a documented security program.
Gramm-Leach-Bliley Act (GLBA)
The GLBA classifies tax preparers as "financial institutions" because they receive nonpublic personal financial information. This classification means you are subject to the FTC's implementing regulations — specifically the Safeguards Rule under 16 CFR Part 314 — which was significantly updated in 2023.
FTC Safeguards Rule (Updated 2023)
The revised Safeguards Rule requires covered financial institutions, including tax preparers filing 11 or more returns, to maintain a written information security program that includes:
- A designated qualified individual responsible for the program
- A written risk assessment identifying reasonably foreseeable threats
- Safeguards addressing identified risks, including encryption, access controls, and multi-factor authentication (MFA)
- Annual testing or monitoring of those safeguards
- Oversight of service providers who handle taxpayer data
- An incident response plan
- Annual reporting to the board or governing body
IRS Publication 4557
Publication 4557 translates these regulatory requirements into actionable IRS guidance. It maps directly to the FTC Safeguards Rule requirements while adding IRS-specific expectations around reporting data theft, responding to identity theft on tax returns, and securing e-file credentials (EFIN and PTIN). The IRS updates this publication periodically; the current version reinforces that a WISP is mandatory for any practicing tax professional.
Non-compliance carries real consequences. The FTC can impose civil penalties up to $50,120 per violation per day. State attorneys general can also bring independent enforcement actions. Beyond regulatory penalties, a breach of taxpayer data exposes your firm to civil liability and reputational damage that few small practices can survive. Review our page on tax safeguard compliance for enforcement context.
2026 Compliance Requirement
The FTC Safeguards Rule is fully in effect for all tax preparers handling 11 or more federal returns. The IRS has stated that WISP compliance will be verified during PTIN renewal and e-file provider audits. Tax professionals without a current, documented WISP risk PTIN suspension and FTC enforcement action.
What Must Be in Your WISP: The Required Elements
The FTC Safeguards Rule and IRS Publication 4557 together define the minimum elements your WISP must address. A compliant WISP is not a one-page acknowledgment — it is a living document that describes your actual security environment and how you manage risk within it.
1. Designated Qualified Individual
You must name a specific person — internal or an external service provider — responsible for overseeing, implementing, and enforcing the security program. For sole practitioners, this is typically the preparer themselves. For larger firms, it may be an office manager, IT director, or a managed security services partner.
2. Risk Assessment
Before you can protect data, you have to know what threats face it. Your WISP must document a formal risk assessment that identifies where taxpayer data lives (workstations, servers, cloud storage, email), who can access it, and what the realistic threats are — including phishing, ransomware, insider misuse, and physical theft. For guidance on assessing cloud exposure specifically, see our article on security of tax client portals.
3. Safeguards Proportionate to Risk
Based on the risk assessment, your WISP must specify the controls you use to mitigate each identified threat. The FTC Safeguards Rule prescribes several controls explicitly:
- Encryption of taxpayer data in transit and at rest
- Multi-factor authentication (MFA) for any system accessing taxpayer data (or a documented equivalent compensating control)
- Access controls limiting data access to those who need it
- Secure disposal of data and devices no longer needed
- Patch management keeping systems current against known vulnerabilities
- Anti-malware protection on all endpoints handling taxpayer data
4. Testing and Monitoring
Safeguards must be tested. For firms with fewer than 5,000 customer records, annual penetration testing is not mandated, but vulnerability assessments are. Larger firms must conduct annual penetration testing and bi-annual vulnerability scans. All firms must monitor systems for unauthorized access or anomalous activity.
5. Service Provider Oversight
If you use cloud tax software, hosted servers, or any vendor who accesses taxpayer data, your WISP must identify those providers and document how you verify their security practices — typically through written contracts requiring them to implement appropriate safeguards.
6. Incident Response Plan
Your WISP must include a written incident response plan describing how your firm will detect, contain, assess, notify, and recover from a security event. The IRS requires you to report data theft to the IRS Stakeholder Liaison within 24–48 hours of discovery. The NIST incident response framework provides a proven structure you can adapt for your practice.
IRS Reporting Obligations After a Data Breach
Contain the Incident
Isolate affected systems immediately to prevent further data exposure. Disconnect compromised workstations from the network without powering them off to preserve forensic evidence.
Notify the IRS Stakeholder Liaison
Contact your local IRS Stakeholder Liaison within 24–48 hours of discovering the breach. The IRS provides a dedicated contact list for this purpose at irs.gov.
File Form 14039-B
Submit IRS Form 14039-B (Business Identity Theft Affidavit) to report that your firm's credentials or client data may have been compromised.
Notify Affected Clients
Inform clients whose data may have been exposed. Follow applicable state breach notification laws, which vary by jurisdiction and may require notification within 30–72 hours.
Notify the FTC
If the breach involves 500 or more customers in a single state, you must also notify the FTC via the safeguards breach notification process under 16 CFR Part 314.
Document and Review
Preserve all evidence, document your response actions, and conduct a post-incident review. Update your WISP to address any gaps the incident revealed.
Building a WISP That Passes Scrutiny: Practical Guidance
Many tax preparers have a WISP on file that was written once, filed away, and never updated. That approach satisfies the letter of the requirement at the moment of creation but fails almost immediately — your technology, staff, and threat environment all change. Regulators and auditors look for evidence that your WISP reflects your current operations.
Start With IRS Publication 5708
The IRS published IRS Publication 5708, which includes a sample WISP template tailored specifically for tax professionals. It is the most practical starting point available and is structured to satisfy both FTC Safeguards Rule requirements and IRS-specific expectations. Use it as a framework, not a finished product — your WISP must reflect your actual environment, not a generic template. You can also download our free WISP template for 2026 to get started quickly.
Inventory Your Data First
You cannot protect data you have not mapped. Before drafting your WISP, document every place taxpayer data lives: local workstations, external hard drives, cloud tax software, email servers, client portals, and paper files. Include data in transit — email attachments, file transfers, fax. This inventory becomes the foundation of your risk assessment.
Match Controls to Actual Risk
A two-person firm operating on a single network with three workstations faces different risks than a 20-person regional CPA firm with remote staff. Your controls — and your WISP — should reflect that reality. Overengineered controls that staff do not follow are worse than simpler controls that are actually implemented. For detailed implementation guidance, review our WISP implementation guide for CPA firms.
Address Phishing Explicitly
Phishing is consistently the leading initial access vector in tax sector breaches, with the IRS issuing annual warnings about targeted campaigns against preparers. Your WISP should describe your email security controls, employee training cadence, and procedures for verifying suspicious client communications. See our analysis of phishing attacks and how to recognize them for current threat patterns.
Review and Update Annually — At Minimum
The FTC Safeguards Rule requires your qualified individual to report to the board (or equivalent) at least annually on the state of the security program. Tie your WISP review to that reporting cycle. Also update your WISP whenever you experience a material change: new software, new staff, new office location, new service providers, or a security incident.
How to Build a Compliant WISP: Step-by-Step
Designate a Qualified Individual
Name the person responsible for your security program in writing. For sole practitioners, this is you. For firms, choose someone with authority to enforce policy and allocate resources.
Conduct a Formal Risk Assessment
Inventory all systems, locations, and processes that touch taxpayer data. Identify realistic threats — ransomware, phishing, physical theft, insider access — and rate each by likelihood and impact.
Select and Document Security Controls
For each identified risk, document the specific control you use to address it: encryption standards, MFA configuration, access control policies, patch management schedule, and anti-malware tools.
Draft the Written Plan
Use IRS Publication 5708 as your template. Customize every section to reflect your actual environment, staff, software, and vendors. A generic template is not a compliant WISP.
Implement and Train
Deploy the controls documented in your WISP and train all staff on their responsibilities. Document training completion dates and topics covered — regulators will ask for evidence.
Test Your Safeguards
Run vulnerability assessments on your systems. Test your incident response plan with a tabletop exercise. Verify that backups restore successfully. Document all test results.
Review Annually and After Changes
Schedule an annual WISP review tied to your post-filing-season wind-down. Also review after any material change — new software, new hire, new vendor, or any security incident.
IRS Publication 4557 and the Broader Compliance Picture
Publication 4557 does not exist in isolation. Tax professionals increasingly face overlapping obligations from state-level data security laws, professional licensing bodies, and cyber insurance underwriters — all of which align with or exceed IRS/FTC requirements.
State-Level Requirements
At least 11 states have enacted their own data security laws for tax preparers or financial service providers, with requirements that may exceed the federal baseline. Massachusetts (201 CMR 17.00), New York (SHIELD Act and 23 NYCRR 500), and California (CCPA/CPRA) are among the most demanding. Your WISP should be reviewed against any state requirements applicable to your practice location and your clients' residences.
FTC Safeguards Rule vs. IRS Publication 4557
These two frameworks are complementary, not duplicative. The FTC Safeguards Rule is the enforceable regulation with civil penalty authority. IRS Publication 4557 is the IRS's interpretive guidance that applies the Safeguards Rule to the specific context of tax preparation and adds IRS-specific reporting requirements. Compliance with Publication 4557 generally satisfies the FTC Safeguards Rule for tax preparers, but you should verify compliance with both frameworks independently.
For firms that also handle payroll, benefits administration, or financial planning, additional framework obligations specific to those services may apply. Firms exploring a zero trust security architecture will find that approach well-aligned with Publication 4557's access control and least-privilege requirements. Review the NIST Cybersecurity Framework implementation guide for a practical starting point.
Cyber Insurance Requirements
Insurers writing cyber coverage for tax practices increasingly require documented WISP existence as a condition of coverage — and some require evidence of specific controls (MFA, Endpoint Detection and Response (EDR), encrypted backups) before binding a policy. A well-maintained WISP is not just a compliance document; it directly affects your insurability and premium. For more on endpoint protection requirements, see our guide on Managed Detection and Response (MDR) services for small businesses.
Common WISP Failures and How to Avoid Them
Having a WISP is necessary. Having a compliant, current WISP is what actually matters. The following are the most frequently observed failures in tax preparer security programs — and practical ways to address each one.
Using a Generic Template Without Customization
The IRS sample WISP in Publication 5708 is a starting point, not a finished document. A WISP that lists security controls your firm does not actually use — or omits controls you do use — is both inaccurate and potentially deceptive to regulators. Every section should reflect your real environment. Our WISP template for tax preparers includes customization guidance for every required section.
Not Updating After Changes
Adding a new staff member, switching tax software, or moving to cloud-based storage all change your risk profile. Each of these events should trigger a WISP review. Build a recurring calendar reminder tied to your tax season wind-down to conduct an annual full review.
Missing the Incident Response Component
The incident response plan is the most commonly omitted section in small-firm WISPs. It is also the most operationally important — in the stress of a breach, you need a documented playbook, not improvisation. At minimum, document who to call, in what order, within what timeframe, and what evidence to preserve. Our guide on incident response planning for tax practices provides a step-by-step framework.
No Documentation of Training
Training requirements without records do not count. Maintain a log of all security awareness training completed — dates, topics covered, and who attended. If you use an online training platform, export completion certificates and store them with your WISP.
Ignoring Physical Security
Publication 4557 covers physical as well as digital safeguards. Unlocked file cabinets containing client folders, unattended workstations, and unsecured printers storing tax returns in memory are all within scope. Your WISP should address office access controls and paper document handling. For guidance on physical security requirements, see our post on physical security practices required for federal tax information.
Ransomware is a particular concern for tax practices during filing season, when attackers know you cannot afford downtime. Our guide on ransomware prevention and recovery covers strategies aligned with Publication 4557 requirements.
IRS Publication 4557 WISP Compliance Checklist
- Designate a named qualified individual responsible for the security program
- Complete a written risk assessment covering all systems that store or process taxpayer data
- Enable multi-factor authentication on all tax software and systems accessing taxpayer data
- Encrypt taxpayer data both in transit (TLS) and at rest (AES-256)
- Implement access controls limiting data access to those with a business need
- Document a service provider inventory with written security agreements for each vendor
- Write a formal incident response plan with IRS Stakeholder Liaison contact information
- Schedule and document annual employee security awareness training
- Conduct an annual vulnerability assessment and document results
- Establish a secure disposal policy for devices and paper records containing taxpayer data
- Review and update the WISP at least annually and after any material change
- Report program status to firm leadership annually in writing
Bottom Line
Every tax professional handling 11 or more federal returns must have a Written Information Security Plan (WISP) under IRS Publication 4557 and the FTC Safeguards Rule. A generic template filed once and never updated does not constitute compliance. Your WISP must reflect your actual security environment, be updated after material changes, and be supported by documented training and testing records. The FTC can impose penalties up to $50,120 per violation per day for non-compliance.
Core Security Controls Required by IRS Publication 4557
Publication 4557 does not mandate specific technology products, but it does prescribe security outcomes that your controls must achieve. The table below maps each required outcome to the control category that typically satisfies it.
Required Outcome
Control Category
Example Implementation
Prevent unauthorized access to taxpayer data
Access Controls
Role-based access, unique user accounts, least-privilege permissions
Protect data in transit
Encryption
TLS 1.2+ for email and web, VPN for remote access
Protect data at rest
Encryption
AES-256 disk encryption on workstations and servers
Verify user identity
Authentication
MFA via authenticator app or hardware token
Detect and block malware
Endpoint Protection
EDR software with real-time behavioral detection
Identify vulnerabilities before attackers do
Vulnerability Management
Annual vulnerability scans; patch management within 30 days of release
Respond to security events
Incident Response
Written IRP with IRS reporting procedures and client notification protocols
Train staff to recognize threats
Security Awareness
Annual phishing simulations and security training with completion records
For tax professionals looking to go beyond the Publication 4557 baseline, the NIST Cybersecurity Framework (CSF) 2.0 provides a more detailed control catalog that maps well to IRS requirements. Our guide to online tax filing security risks covers specific threat scenarios that should inform your risk assessment.
Need a Ready-to-Use WISP Template?
Our IRS-aligned WISP template is pre-structured to satisfy Publication 4557 and FTC Safeguards Rule requirements — with customization guidance for every required section.
The FTC Safeguards Rule and Publication 4557: What Changed in Recent Updates
The 2023 amendments to the FTC Safeguards Rule introduced the most significant changes to tax preparer data security requirements in over a decade. If your WISP was drafted before 2023, it may not satisfy current requirements even if it was once compliant.
Key changes that affect tax preparers include:
- Encryption is now mandatory — previous versions allowed encryption as one option among several; the 2023 rule requires it for data in transit and at rest unless a documented exception is justified
- MFA is required by default — all systems containing taxpayer data must use MFA, with any alternative requiring a written compensating control justification
- Penetration testing timelines are specified — firms above the 5,000-record threshold must conduct annual pen tests and bi-annual vulnerability scans
- Board reporting is mandatory — the qualified individual must provide a written annual report to firm leadership on the state of the security program
- Breach notification thresholds added — breaches affecting 500 or more customers in a single state trigger mandatory FTC notification
For a detailed breakdown of how the FTC Safeguards Rule applies to your practice, see our dedicated guide on the FTC Safeguards Rule for tax preparers as financial institutions. For PTIN-specific compliance obligations, review our article on PTIN and WISP requirements for tax preparers.
Get a Free IRS Publication 4557 Compliance Assessment
Bellator Cyber Guard's security specialists will evaluate your current WISP and data security controls against IRS Publication 4557 and FTC Safeguards Rule requirements — and give you a prioritized action plan at no cost.
Frequently Asked Questions
Any tax professional or firm that prepares 11 or more federal tax returns annually is required to have a Written Information Security Plan (WISP) under the FTC Safeguards Rule, which IRS Publication 4557 implements for the tax preparation context. This includes sole practitioners, enrolled agents, CPA firms, and tax preparation businesses. The requirement applies regardless of firm size — there is no small-firm exemption.
IRS Publication 4557 — Safeguarding Taxpayer Data — is the IRS's official guidance document explaining your legal obligations to protect taxpayer data under the Gramm-Leach-Bliley Act and FTC Safeguards Rule. IRS Publication 5708 is a separate, companion document that provides a sample WISP template specifically designed for tax professionals to use as a starting point. Publication 4557 tells you what you must do; Publication 5708 gives you a template for documenting how you do it.
The FTC can impose civil penalties up to $50,120 per violation per day for non-compliance with the Safeguards Rule. State attorneys general can bring independent enforcement actions under state data security laws. Beyond regulatory penalties, the IRS can suspend or revoke your PTIN or e-file provider status for failure to maintain adequate data security. Tax preparers who experience a breach without adequate security controls also face civil liability from affected clients.
Yes. The FTC Safeguards Rule and IRS Publication 4557 apply to sole practitioners who handle 11 or more federal returns annually — there is no small-firm or sole-practitioner exemption. However, the rule does require controls that are proportionate to the size and complexity of your operations. A sole practitioner's WISP can be simpler than a regional firm's, but it must still address all required elements: designated qualified individual, risk assessment, specific safeguards, testing, service provider oversight, and an incident response plan.
Your WISP must be reviewed at least annually, with the qualified individual providing a written report to firm leadership on the program's status. You must also update the WISP after any material change to your business or security environment — new software, new staff, new vendors, a new office location, or a security incident. Many firms tie their annual review to the post-filing-season wind-down period (May–June) when workflow permits thorough review.
IRS Publication 4557 requires tax preparers to: (1) contain the incident by isolating affected systems; (2) contact the IRS Stakeholder Liaison within 24–48 hours of discovery; (3) file IRS Form 14039-B (Business Identity Theft Affidavit); (4) notify affected clients whose data may have been compromised; and (5) comply with applicable state breach notification laws. If the breach affects 500 or more customers in a single state, you must also notify the FTC. Document all response actions for your WISP post-incident review.
Yes. The 2023 updates to the FTC Safeguards Rule — which Publication 4557 implements — require MFA on all systems that access taxpayer data. This includes tax preparation software, cloud platforms, remote access tools, and email systems used to transmit taxpayer information. The only exception is if you document a written compensating control that provides equivalent security and have that exception reviewed and approved by your qualified individual. In practice, MFA is the expected standard.
Yes, but using cloud-based software does not transfer your compliance obligations to the software vendor. Your WISP must identify the cloud platform as a service provider, document how you verified the vendor's security practices, and include a written agreement requiring the vendor to implement appropriate safeguards. You remain responsible for access controls on your side — MFA, user account management, and monitoring access logs. Review your vendor's security documentation and SOC 2 reports as part of your annual WISP review.
The IRS Security Six is a set of six baseline security measures the IRS recommends as a starting point: antivirus software, a firewall, two-factor authentication, drive encryption, VPN for remote access, and data backup. These are foundational controls, not a complete compliance program. A WISP is the formal written document required by the FTC Safeguards Rule that describes your entire security program — including the Security Six controls and much more. Implementing the Security Six does not substitute for having a compliant WISP.
IRS Publication 4557 — Safeguarding Taxpayer Data — is available directly from the IRS at irs.gov/pub/irs-pdf/p4557.pdf. The companion WISP template, IRS Publication 5708, is available at irs.gov/pub/irs-pdf/p5708.pdf. Both documents are updated periodically; always download the current version rather than relying on a cached or printed copy. Bellator Cyber Guard also offers a free 2026 WISP template pre-structured for tax professionals.
Schedule
Need help with IRS compliance?
Our tax cybersecurity specialists can review your security posture and help you get compliant.



