
Implementing robust security six backups is a mandatory requirement for tax professionals handling sensitive client data in 2025. The IRS requires comprehensive backup strategies through Publication 4557, making security six backups the fourth critical component of the Security Six framework. According to the IRS Publication 4557, tax preparers must maintain consistent backups of all systems containing nonpublic personal information (NPPI) and implement documented contingency plans for data recovery. Non-compliance can result in IRS investigations, regulatory penalties up to $100,000 per violation under the FTC Safeguards Rule, and irreparable damage to professional credentials.
Key Takeaway
Create a tax data backup plan that meets IRS requirements. Automated backup setup, cloud vs local options, and disaster recovery for tax firms.
The Threat Landscape by the Numbers
(Stat cards: total business losses in 2025; rise in tax professional targeting; attacks that target backup systems. The figures are given in the paragraph below.)
The threat landscape has evolved dramatically. According to FBI Internet Crime Complaint Center data, ransomware attacks cost businesses over $34.3 billion in 2025, with tax professionals experiencing a 149% increase in targeted attacks compared to 2024. A 2025 Ransomware Trends Report published by a cloud backup vendor reveals that 96% of backup repositories are targeted during attacks, with 76% successfully compromised. This makes implementing proper security six backups not just a compliance checkbox, but a critical business survival strategy for accounting and tax firms.
Understanding IRS Security Six Backups Mandate
The IRS Security Six framework represents the minimum baseline of cybersecurity controls required for tax professionals with a PTIN (Preparer Tax Identification Number). Security six backups constitute the fourth pillar of this framework, alongside antivirus protection, firewalls, two-factor authentication, drive encryption, and virtual private networks. The mandate applies to all tax preparers regardless of firm size—there are no exemptions for solo practitioners or small firms.
Publication 4557 Backup Requirements
Contingency Planning
A documented procedure integrated into your Written Information Security Plan (WISP) that outlines step-by-step actions when data becomes unavailable due to hardware failure, cyberattack, natural disaster, or human error.
Consistent Backup Schedule
Regularly scheduled security six backups of all systems containing NPPI, including tax return files, accounting ledgers, client databases, scanned documents, email archives, and practice management systems.
CISA Backup Effectiveness
According to CISA's backup best practices, proper implementation of security six backups can prevent up to 93% of data loss incidents. The IRS expects preparers to demonstrate during audits or security reviews that backups occur at appropriate frequencies aligned with data volume, are stored offsite, and have been tested for successful restoration.
GLBA and FTC Safeguards Rule Backup Requirements
Under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule, tax preparers are classified as "financial institutions" and must maintain comprehensive information security programs. The Safeguards Rule mandates specific security six backups practices:
- Risk Assessment: Identify all systems storing customer information requiring security six backups
- Safeguard Implementation: Encrypt backup data, restrict access to authorized personnel, and continuously monitor backup integrity
- Regular Testing: Validate that security six backups can be restored without corruption or data loss
- Periodic Review: Update backup procedures when introducing new software, modifying IT infrastructure, or identifying new threats
- Documentation: Maintain written policies detailing backup frequency, retention periods, storage locations, and responsible parties
Understanding the 3-2-1-1-0 Rule
Three Copies of Critical Data
Primary production data, secondary local backup, and tertiary offsite backup for comprehensive protection.
Two Different Storage Media
Diversify across disk-based, cloud-based, and tape-based storage to protect against media-specific failures.
One Copy Offsite
Geographically separate storage location to protect against local disasters.
One Immutable Copy
Write-Once-Read-Many (WORM) technology preventing modification or encryption.
Zero Backup Errors
Regular testing and validation to ensure reliable recovery capability.
How Object Lock Protects Security Six Backups
Retention Period
Define minimum time periods during which objects cannot be modified (typically 30-90 days for tax data).
Legal Hold
Place indefinite holds on specific backup sets for compliance or investigation purposes.
Governance Mode
Allow specific privileged users to modify retention settings with audit trails.
Compliance Mode
Absolute protection where no user—including account root—can modify or delete objects until retention expires.
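The 3-2-1-1-0 rule and the Object Lock modes above are easy to state and easy to drift away from. The following is an added example, not code from the original page: a small inventory checker that reports where a firm's backup copies fall short of the rule, treating an immutable copy as acceptable only if its retain-until date outlasts the 60-day minimum and it uses compliance mode (governance mode can still be shortened by privileged users). The `BackupCopy` record, the `GOOD`/`BAD` inventories and the reference date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
@dataclass
class BackupCopy:
    name: str
    media: str                       # "disk", "cloud" or "tape"
    offsite: bool
    immutable: bool                  # WORM tape or Object Lock enabled
    lock_mode: str = ""              # "COMPLIANCE" or "GOVERNANCE" when immutable
    retain_until: Optional[date] = None  # Object Lock retain-until date
    last_job_errors: int = 0         # errors reported by the most recent backup job
    restore_tested: bool = False     # a restore from this copy has been verified

def evaluate_3_2_1_1_0(backups, today, min_retention_days=60):
    """Return findings; an empty list means the inventory satisfies 3-2-1-1-0."""
    findings = []
    if len(backups) < 2:                       # 3 copies = production + 2 backups
        findings.append(f"only {len(backups)} backup copies; need production + 2")
    if len({b.media for b in backups}) < 2:    # 2 different media
        findings.append("backups share one media type; need two different media")
    if not any(b.offsite for b in backups):    # 1 offsite
        findings.append("no offsite copy")
    immutable = [b for b in backups if b.immutable]   # 1 immutable
    if not immutable:
        findings.append("no immutable (WORM / Object Lock) copy")
    floor = today + timedelta(days=min_retention_days)  # must outlast ransomware dwell time
    for b in immutable:
        if b.retain_until is None or b.retain_until < floor:
            findings.append(f"{b.name}: retention ends before {min_retention_days} days")
        if b.lock_mode != "COMPLIANCE":
            findings.append(f"{b.name}: {b.lock_mode or 'no'} lock mode lets privileged users shorten retention")
    for b in backups:                          # 0 errors: clean jobs and a verified restore
        if b.last_job_errors:
            findings.append(f"{b.name}: last job reported {b.last_job_errors} errors")
        if not b.restore_tested:
            findings.append(f"{b.name}: no verified restore test")
    return findings
TODAY = date(2025, 3, 15)  # constructed reference date for the sample inventories
GOOD = [  # local NAS for fast restores plus an offsite Object Lock copy in compliance mode
    BackupCopy("nas-local", "disk", offsite=False, immutable=False, restore_tested=True),
    BackupCopy("s3-objectlock", "cloud", offsite=True, immutable=True, lock_mode="COMPLIANCE",
               retain_until=TODAY + timedelta(days=90), restore_tested=True),
]
BAD = [  # failing job, untested drive, and a short governance-mode lock
    BackupCopy("usb-drive", "disk", offsite=False, immutable=False, last_job_errors=3),
    BackupCopy("s3-governance", "cloud", offsite=True, immutable=True, lock_mode="GOVERNANCE",
               retain_until=TODAY + timedelta(days=30), restore_tested=True),
]
```

Run `evaluate_3_2_1_1_0(GOOD, TODAY)` and `evaluate_3_2_1_1_0(BAD, TODAY)` to see the empty list for the compliant inventory and four findings for the weak one.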
Backup Method Comparison
| Feature | Cloud-Based | Local/Physical | Recommended Hybrid |
|---|---|---|---|
| Offsite Protection | ✓ | ✗ | ✓ |
| Fast Recovery | Limited by bandwidth | ✓ | ✓ |
| Scalability | ✓ | Limited | ✓ |
| Cost Structure | Monthly subscription | One-time hardware | Mixed |
| Disaster Recovery | ✓ | ✗ | ✓ |
Why Tax Professionals Are Prime Targets
Tax practices possess unique characteristics making them high-value targets: concentrated sensitive data (SSNs, bank accounts, income details), seasonal business pressure creating urgency, limited IT resources, legacy systems with vulnerabilities, and regulatory consequences that amplify damage from breaches.
Essential Backup Practices
Automate All Processes
Configure scheduled jobs, incremental backups, weekly full backups, and synthetic fulls to eliminate manual intervention.
Comprehensive Monitoring
Implement success/failure alerts, dashboard visibility, trend analysis, and verification checks.
Encryption & Access Controls
AES-256 encryption at rest, TLS 1.2+ in transit, proper key management, and client-side encryption.
Regular Testing
Monthly file restores, quarterly system restores, and annual disaster recovery drills with documentation.
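A restore test only proves something if the restored files are compared against what was backed up, not just counted. The following is an added example, not code from the original page, of the "zero backup errors" check: a SHA-256 manifest is recorded at backup time, and a restored tree is verified against it, reporting missing, corrupted and unexpected files. The file names and contents in `demo()` are constructed; a real run would point `build_manifest` at the backup source and `verify_restore` at the restore target.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large tax archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256; create this at backup time
    and keep it with the backup set so a restore can be checked against it."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root):
    """Compare a restored tree against the backup-time manifest.
    Returns (missing, corrupted, extra) lists of relative paths; all empty means zero errors."""
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(p for p in restored if p not in manifest)
    return missing, corrupted, extra

def demo():
    """Constructed sample: back up three files, then 'restore' them with one corrupted
    and one missing, which a plain 'job completed' status would never reveal."""
    files = {"2024/smith_1040.pdf": b"return data", "ledger.csv": b"acct,amount\n", "notes.txt": b"ok"}
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "source", Path(tmp) / "restored"
        for rel, data in files.items():
            for root in (src, dst):
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        manifest = build_manifest(src)                     # taken at backup time
        (dst / "ledger.csv").write_bytes(b"acct,amount\n999,999\n")  # silent corruption
        (dst / "notes.txt").unlink()                        # file lost in the restore
        return verify_restore(manifest, dst)

if __name__ == "__main__":
    missing, corrupted, extra = demo()
    print("missing:", missing, "corrupted:", corrupted, "extra:", extra)
```

Record the three lists alongside restoration duration in the test log the WISP calls for; a non-empty list is a failed test, not a warning.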
Frequently Asked Questions
Security six backups refer to the backup and contingency planning requirement that forms the fourth component of the IRS Security Six framework outlined in Publication 4557. Tax professionals with a PTIN must implement consistent backup procedures for all systems containing nonpublic personal information (NPPI) and maintain documented contingency plans for data recovery. This requirement is mandatory under both IRS regulations and the FTC Safeguards Rule, with non-compliance resulting in penalties up to $100,000 per violation, potential license revocation, and liability for data breaches.
The IRS requires "consistent" backups aligned with your practice's data change rate and business operations. Best practice for security six backups compliance includes daily incremental backups during tax season when returns are prepared continuously, weekly full backups to establish clean recovery points, immediate backups after significant data changes (bulk imports, major client updates), and continuous replication for critical systems requiring minimal data loss. Document your backup frequency in your WISP and ensure automated scheduling prevents gaps in backup coverage.
The 3-2-1-1-0 rule represents the modern standard for comprehensive security six backups: maintain three copies of data (production + 2 backups), store backups on two different media types (disk + cloud or tape), keep one copy offsite (geographically separate location), maintain one immutable copy (cannot be modified or encrypted), and ensure zero backup errors through regular testing and validation. This enhanced strategy addresses modern ransomware threats that specifically target backup infrastructure, providing multiple recovery options when individual backup methods are compromised.
Immutable backups use Write-Once-Read-Many (WORM) technology preventing any modification, deletion, or encryption of backed-up data for a specified retention period. According to research from a cloud backup vendor, 76% of ransomware attacks successfully compromise backup repositories, making immutable security six backups essential for reliable recovery. Tax professionals should implement immutable backups through cloud provider Object Lock features (AWS S3, Azure Blob Storage) or WORM-capable tape libraries. Configure 60-90 day retention periods exceeding typical ransomware dwell time (average 21 days) to ensure clean backup versions predate initial compromise.
Yes, cloud-based backups fully satisfy IRS security six backups requirements when properly configured with AES-256 encryption for data at rest and TLS 1.2+ for data in transit, multi-factor authentication for cloud account access, immutable storage features (Object Lock) preventing modification, geographically distributed storage across multiple availability zones, regular restore testing to validate recovery capability, and documented procedures in your WISP. Cloud backups provide excellent offsite protection and disaster recovery capabilities. However, best practice recommends hybrid approaches combining cloud backups for disaster recovery with local backups for rapid daily recovery.
IRS compliance requires documented evidence that security six backups can successfully restore data. Implement a three-tier testing schedule: monthly file-level restores (random files from different backup sets to verify data integrity), quarterly system restores (complete workstation or server restoration to test hardware or VMs), and annual disaster recovery drills (full practice restoration from offsite backups only, simulating complete facility loss). Document all test results including restoration duration, data validation, issues encountered, and remediation steps. Untested backups represent false security—validation through restoration is mandatory for compliance and reliable recovery capability.
IRS record retention requirements mandate keeping tax returns and supporting documentation for minimum 3 years (6-7 years recommended for additional protection against extended audit periods). Configure security six backups retention aligning with these requirements: daily/weekly backups retained for 60-90 days (ransomware protection), monthly backups retained for 1 year (quarterly recovery options), annual backups retained for 3-7 years (compliance with record retention), and permanent archival for critical documents requiring indefinite retention. Balance retention periods against storage costs and legal hold requirements for documents involved in disputes or investigations.
Comprehensive security six backups costs vary based on practice size and data volume. Solo practitioners: $50-150/month for cloud backup services plus $200-500 for local backup hardware (external drives, NAS). Small firms (2-10 employees): $200-500/month for managed backup services or enterprise backup software plus $1,000-3,000 for backup infrastructure. Mid-size firms (10+ employees): $500-2,000/month for comprehensive backup solutions including immutable storage, monitoring, and support plus $3,000-10,000 for on-premises backup appliances. Consider these costs against average ransomware recovery costs of $1.85 million and regulatory penalties of $100,000 per violation—proper backups represent essential insurance, not optional expense.
Key Implementation Priorities
Document Everything
Integrate comprehensive backup procedures into your Written Information Security Plan
Automate Backups
Eliminate manual processes through scheduled, monitored backup jobs
Implement Immutability
Deploy Object Lock-enabled cloud storage or WORM tape for ransomware protection
Test Regularly
Monthly file restores, quarterly system restores, annual disaster recovery drills
Encrypt All Data
AES-256 encryption at rest, TLS 1.2+ in transit
Monitor Continuously
Automated alerts for backup failures, anomalies, or unauthorized access
Complete Security Six Implementation
Remember that security six backups constitute just one component of comprehensive cybersecurity compliance. Complete your Security Six implementation by addressing all mandatory controls: next-generation antivirus and EDR, network firewalls, multi-factor authentication, drive encryption, and virtual private networks. Properly implemented security six backups serve as your last line of defense against data loss, ensuring business continuity and protecting client trust regardless of what challenges arise.