
Tax Data Backup Plan: IRS Compliance Guide for Tax Professionals
A compliant tax data backup plan is a mandatory requirement for every tax professional handling sensitive client data in 2026. The IRS mandates thorough backup strategies through IRS Publication 4557, making data backups the fourth essential component of the Security Six framework. If you prepare tax returns professionally and hold a PTIN, you must implement and document a compliant plan—there are no exemptions for solo practitioners or small firms.
Non-compliance carries real consequences: IRS investigations, regulatory penalties up to $100,000 per violation under the FTC Safeguards Rule, PTIN suspension, and lasting damage to professional credentials. For a practice managing hundreds or thousands of client returns containing Social Security numbers, bank account details, and financial records, your backup strategy determines whether you recover from a ransomware attack in hours—or lose your entire practice.
Tax Data Backup: By the Numbers
FBI Internet Crime Complaint Center, 2025
Verizon 2025 Ransomware Trends Report: targeted during attacks
IBM Cost of Data Breach Report 2026 — 23% above cross-industry average
2026 Filing Season Compliance Deadline
The IRS requires all tax preparers holding a PTIN to have a documented, tested data backup plan in place before the start of each filing season. Firms without a compliant plan face IRS Security Summit inspections, FTC Safeguards Rule penalties, and potential PTIN suspension. Update your Written Information Security Plan (WISP) to include backup procedures before January 2026.
Why Tax Professionals Are Prime Ransomware Targets
The threat environment facing tax professionals has shifted dramatically. According to FBI Internet Crime Complaint Center data, ransomware attacks cost businesses over $34.3 billion in 2025, with tax professionals experiencing a 149% increase in targeted attacks compared to 2024. The Verizon 2025 Ransomware Trends Report reveals that 96% of backup repositories are now targeted during attacks, with 76% successfully compromised—making backup isolation a survival requirement, not a best practice.
Ransomware operators specifically target backup systems because businesses with intact, isolated backups can recover without paying ransom. When backups are compromised alongside production systems, victims face an impossible choice: pay the ransom or lose years of client data permanently.
Tax preparers manage an extraordinarily valuable dataset that makes them attractive targets:
- Complete identity packages: Tax returns contain full names, Social Security numbers, dates of birth, addresses, employment information, and bank account details—everything needed for identity theft or fraudulent filings
- Seasonal vulnerability windows: January through April operations run under extreme time pressure with temporary staff, creating security gaps attackers actively exploit
- Small firm security posture: 73% of tax preparers operate as solo practitioners or firms with fewer than 10 employees, often lacking dedicated IT security resources
- Regulatory pressure to pay: The threat of IRS penalties, PTIN suspension, and malpractice liability creates pressure to pay ransoms quickly to resume operations
The IBM Cost of Data Breach Report 2026 found that breaches in the financial services sector—which includes tax preparation under the Gramm-Leach-Bliley Act (GLBA)—cost an average of $6.08 million per incident, 23% higher than the cross-industry average of $4.88 million. To understand the full scope of threats targeting your practice, see our overview of how ransomware attacks work and our 2026 online tax filing security risk assessment.
IRS Security Six Backup Requirements
The IRS Security Six framework represents the minimum baseline of cybersecurity controls required for tax professionals with a PTIN. Data backups constitute the fourth pillar of this framework, alongside two-factor authentication, antivirus protection, firewalls, drive encryption, and virtual private networks. The mandate applies universally—there are no size-based exemptions.
IRS Publication 4557, "Safeguarding Taxpayer Data," establishes specific requirements for tax preparer backup systems. These requirements align with CISA's Cyber Essentials guidance and the NIST Cybersecurity Framework 2.0, specifically the Protect (PR.IP-4) and Recover (RC.RP-1) functions:
- Complete coverage: Back up all systems, applications, and data repositories that store, process, or transmit taxpayer information—including tax software, document management systems, email servers, and client portals
- Consistent scheduling: Implement automated backup procedures on a defined schedule without requiring manual intervention—daily backups for active client data, weekly for archived records
- Isolated storage: Maintain at least one backup copy that is air-gapped or immutable, preventing ransomware from encrypting both production systems and backups simultaneously
- Encryption requirements: Encrypt all backup data both in transit and at rest using FIPS 140-2 validated cryptographic modules with AES-256 encryption
- Access controls: Restrict backup system access to authorized personnel only, implementing role-based access control (RBAC) and multi-factor authentication for administrative functions
- Regular testing: Conduct documented restore tests at least quarterly to validate backup integrity and measure recovery time objectives (RTO)
- Written documentation: Maintain current written procedures detailing backup frequency, retention periods, storage locations, encryption methods, responsible parties, and testing schedules
Your backup requirements don't exist in isolation—they're part of a broader IRS cybersecurity compliance framework that includes your Written Information Security Plan (WISP). The backup plan is a required component of any compliant WISP.
Bottom Line
Every tax preparer holding a PTIN must implement a documented, tested data backup plan. IRS Publication 4557 requires automated backups, encrypted isolated storage, quarterly restore testing, and written procedures. There are no exemptions for solo practitioners or firms with fewer than 10 employees.
The 3-2-1-1-0 Backup Rule for Tax Practices
The 3-2-1-1-0 rule is the industry standard backup strategy, evolved from the original 3-2-1 rule to address modern ransomware threats that specifically target and destroy backup systems before deploying encryption payloads:
- 3 — Maintain three copies of your data (production data plus two backups)
- 2 — Store backups on two different media types (e.g., local NAS and cloud storage)
- 1 — Keep one backup offsite or in a geographically separate cloud region
- 1 — Maintain one immutable or air-gapped backup that ransomware cannot modify or delete
- 0 — Verify zero errors through regular restore testing—backups you haven't tested aren't actually backups
For most tax practices, this translates to: local encrypted backup on a NAS device in your office (fast recovery for common scenarios), automated replication to cloud storage in a separate geographic region (disaster recovery), and immutable object-locked cloud copies that prevent deletion or modification for the defined retention period.
How Immutable Backups Protect Against Ransomware
Object lock technology, available in enterprise backup solutions and cloud storage platforms, creates backup copies that cannot be modified, encrypted, or deleted for a specified retention period—even by administrators with full system access. When ransomware operators compromise a tax practice's network, they typically spend days or weeks in reconnaissance, identifying backup systems and attempting to delete or encrypt them before deploying the encryption payload. Traditional backup systems that allow deletions or overwrites provide no protection in this scenario.
Immutable backups with object lock create an unbreakable recovery point. Even if attackers obtain administrator credentials to your backup system, they cannot delete or encrypt locked backup objects. For tax professionals, set object lock retention to match IRS recordkeeping requirements—typically 7 years for individual returns per IRS Publication 583, though three years covers most audit scenarios. Use compliance mode for the strongest protection (not even cloud provider root accounts can delete locked objects), or governance mode for operational flexibility with full audit trails.
Immutable storage typically costs $20–50 per terabyte per month for tax practices—a modest premium over standard cloud storage that provides essential ransomware protection. This approach also directly supports the incident response procedures described in your tax practice incident response plan.
Tax Software-Specific Backup Requirements
One of the most vital—and commonly overlooked—aspects of tax data backup is understanding where your tax preparation software actually stores client data. Many tax professionals assume that backing up their Documents folder or desktop provides adequate protection. In reality, most professional tax software stores live databases in custom program directories that standard file backups completely miss.
Where Professional Tax Software Stores Client Data
Professional tax platforms rarely store working data in user-accessible locations like Documents or Desktop folders. Instead, they maintain proprietary database files in protected system directories that require explicit backup configuration:
- Intuit ProSeries and Lacerte: Store client data in
C:\Users\Public\Documents\Intuit\ProSeries [Year]orC:\ProgramData\Intuit\Lacerte\[Year]. These locations are outside standard user backup paths and require explicit inclusion in backup policies. - Drake Tax Software: Maintains client data in
C:\Drake[Year]\Databy default, though custom installations may vary. Drake uses indexed database files requiring consistent backup of the entire Data directory. - Thomson Reuters UltraTax CS: Stores data in SQL Server databases or local file-based storage at
C:\CSA\Practice CS\[Year]. SQL Server implementations require database-level backups, not simple file copies. - CCH Axcess Tax: As a cloud-based platform, client data resides on CCH servers. Firms should still back up locally downloaded returns and custom templates to local storage included in their backup plan.
- Intuit QuickBooks: Company files (.QBW) are typically stored in
C:\Users\Public\Documents\Intuit\QuickBooks\Company Files, but multi-user configurations may store files on network shares requiring separate backup coverage.
Cloud-Based Tax Software Backup Obligations
Cloud-based platforms like Intuit ProConnect Tax, TaxDome, and CCH Axcess shift primary data storage responsibility to the vendor—but tax professionals retain backup obligations under IRS Publication 4557. Your responsibility doesn't end because data lives in the cloud:
- Schedule monthly exports of all client files from cloud platforms to local storage included in your backup routine
- Review your software provider's SLA to understand their backup frequency, retention periods, and restore procedures—vendor backups are not a substitute for your own
- Download and archive PDF copies of all completed returns to local storage as an independent backup layer
- Ensure supporting documentation, client communications, and engagement letters uploaded to cloud platforms are redundantly stored in your local backup system
The security of client portals and cloud platforms deserves its own attention—see our detailed analysis of tax client portal security risks for a thorough assessment of vendor security controls.
Implementing Your Tax Data Backup Plan: Step by Step
Inventory All Data Sources
Document every system, application, and storage location that contains taxpayer data: tax software directories, document management systems, email servers, client portals, and shared network drives. This inventory becomes the scope section of your written backup policy.
Choose Your Backup Architecture
Implement the 3-2-1-1-0 strategy: local NAS for fast recovery, cloud backup with geographic separation for disaster recovery, and at least one immutable copy with object lock enabled for ransomware protection. Size storage based on current data volume plus 18 months of growth.
Configure Encryption and Access Controls
Enable AES-256 encryption for all backup data at rest and TLS 1.3 for data in transit. Restrict backup system access using role-based access control (RBAC) and require multi-factor authentication for all administrative functions. Document who has access and why.
Set Schedules and Retention Policies
Configure automated daily incremental backups for active client data, weekly full backups, and monthly archival snapshots. Set retention to align with IRS recordkeeping requirements—7 years for individual returns per IRS Publication 583. Automate retention enforcement to prevent manual errors.
Conduct and Document Restore Tests
Perform a full restore test immediately after setup, then quarterly thereafter. Test both file-level restores (common scenarios) and full system restores (disaster recovery). Document test results including recovery time, data integrity verification, and any issues found. Failed tests must be resolved and retested.
Write and Maintain Your Backup Policy
Document all procedures in your Written Information Security Plan (WISP). Include backup frequency, retention periods, storage locations, encryption methods, responsible parties, testing schedules, and recovery procedures. Review and update the policy annually and after any significant IT infrastructure change.
Cloud Backup Solutions for Tax Professionals
Cloud-based backups can satisfy IRS compliance requirements when properly configured. Not all cloud backup services meet the specific security and encryption standards required for taxpayer data protection under the FTC Safeguards Rule and IRS Publication 4557.
When evaluating cloud backup providers for tax practice use, verify they meet these requirements:
- Encryption standards: AES-256 encryption at rest and TLS 1.3 in transit with FIPS 140-2 validated cryptographic modules
- Data sovereignty: Ability to specify geographic storage location and confirm taxpayer data remains within US jurisdiction
- Access controls: Support for multi-factor authentication, role-based access control, and IP address restrictions
- Immutability options: Object lock or immutable backup features that prevent deletion or modification for defined retention periods
- Audit logging: Detailed logs of all backup, restore, and administrative operations with tamper-evident storage
- SOC 2 Type II certification: Independent audit verification of security controls and operational effectiveness
Hybrid Backup Strategies for Tax Practices
Most tax practices benefit from a hybrid approach combining local and cloud backups. Local network-attached storage (NAS) in your office provides rapid recovery for common scenarios like accidental file deletion—restore times measured in minutes rather than hours. Cloud backups protect against office-wide disasters: fire, flood, theft, or ransomware that compromises all on-premises systems simultaneously.
Configure local backups to automatically replicate to cloud storage, maintaining the 3-2-1-1-0 rule without manual intervention. Store recent backups (30–90 days) in hot storage for fast access, then automatically tier older backups to cold storage for long-term retention at lower cost.
Cloud backup costs for tax practices typically range from $30–150 per month depending on data volume. A practice with 500GB of client data might pay $40–60 monthly for enterprise-grade cloud backup with immutability features. Compare that against the cost of permanent data loss: the average cost of recreating lost tax returns from source documents ranges from $150–300 per return in staff time and client inconvenience. A single ransomware attack affecting 200 client files could cost $30,000–60,000 to remediate without proper backups.
Consumer services like Google Drive, Dropbox, or personal iCloud accounts do not meet IRS compliance requirements for taxpayer data. They lack FIPS 140-2 validated encryption, immutability features, SOC 2 Type II certification, and the audit logging required by FTC Safeguards Rule §314.4(f). Using consumer storage for client tax data creates regulatory exposure independent of any security incident.
For multi-location tax offices, backup architecture requires additional planning—our guide to centralized security management for multi-location tax offices covers the specific considerations for distributed practices.
Backup Plan Documentation Requirements
The IRS and FTC require written documentation of your tax data backup plan. During Security Summit inspections or FTC investigations, regulators will request your backup policy documentation. Absent written procedures, you cannot demonstrate compliance—even if you are technically running backups correctly.
Your written plan should include:
- Purpose and scope: Statement that the plan protects taxpayer data in compliance with IRS Publication 4557 and FTC Safeguards Rule, listing all systems and data types covered
- Backup schedule: Specific frequency for different backup types (daily incremental, weekly full, monthly archival) with exact timing to minimize impact on business operations
- Technology and methods: Detailed description of backup software, storage hardware, cloud services, and encryption methods used
- Storage locations: Physical and logical locations of all backup copies including geographic regions for cloud storage
- Retention periods: How long different backup types are retained, aligned with IRS recordkeeping requirements
- Access controls: Who has access to backup systems, authentication requirements, and authorization procedures
- Testing procedures: Frequency and methodology for restore testing, documentation requirements, and acceptance criteria
- Roles and responsibilities: Named individuals responsible for backup administration, monitoring, testing, and incident response
- Recovery procedures: Step-by-step instructions for restoring data in various scenarios with decision trees and contact information
- Review and update schedule: Requirement to review plan annually and after any significant IT infrastructure changes
This documentation serves multiple purposes: it demonstrates compliance to regulators, provides operational guidance to staff, and ensures business continuity when key personnel are unavailable. Your backup policy is a required component of a compliant IRS Written Information Security Plan. For firms needing a starting point, our free WISP template includes a complete backup policy section ready for customization.
The documentation requirement also intersects with your broader IRS Publication 4557 compliance obligations and the PTIN WISP requirements that apply to every credentialed tax preparer. Firms managing the full compliance picture—backup policies, WISP, incident response—may find our all-in-one compliance package a practical starting point.
Tax Data Backup Plan Implementation Checklist
- Inventory all systems, applications, and storage locations containing taxpayer data
- Identify exact file storage paths for each tax software platform used in your practice
- Implement automated daily backups for all active client data without manual intervention
- Configure at least one immutable or air-gapped backup copy with object lock enabled
- Enable AES-256 encryption for all backup data at rest and TLS 1.3 for data in transit
- Require multi-factor authentication for all backup system administrative access
- Verify cloud backup provider holds SOC 2 Type II certification and stores data within US jurisdiction
- Set retention periods to at least 7 years for individual returns per IRS Publication 583
- Conduct and document a full restore test immediately after setup
- Schedule quarterly restore tests with documented results and issue tracking
- Write backup procedures into your WISP with named responsible parties
- Eliminate all consumer backup services (Google Drive, Dropbox) for taxpayer data storage
- Schedule annual backup policy review and update after any significant IT infrastructure change
Cost Planning for Tax Practice Backups
Implementing a compliant tax data backup plan requires investment, but costs are scalable based on practice size and complexity. The table below reflects typical ranges for practices implementing a hybrid local-plus-cloud architecture meeting IRS Publication 4557 requirements.
Practice Size
Cloud Backup (Monthly)
Local Hardware (One-Time)
Estimated Year-One Total
Solo Practitioner (Under 100 Returns)
$30–50/month
$300–500
$660–1,100
Small Firm (100–500 Returns)
$75–150/month
$800–1,500
$1,900–3,700
Medium Firm (500+ Returns)
$200–400/month
$2,000–5,000
$4,400–9,800
These investments pay for themselves during the first prevented data loss incident. A single ransomware attack affecting 200 client files could cost $30,000–60,000 to remediate without proper backups—and that excludes regulatory penalties, malpractice claims, and the client attrition that follows a publicized breach.
Practices comparing managed security options against self-managed backup should also review our comparison of EDR vs. MDR vs. XDR security solutions to understand how endpoint protection and backup interact in a full security stack. Remote work arrangements add additional complexity—our remote work security guide for small teams addresses backup considerations for distributed staff accessing client data from home offices.
Need Help Building a Compliant Backup Plan?
Our cybersecurity specialists have helped thousands of tax professionals implement backup strategies that meet IRS Security Six requirements. We assess your current setup and close compliance gaps before filing season.
What to Do If Your Backup System Fails
Backup failures during tax season are among the most stressful IT events a tax practice faces. A well-structured backup plan includes not just prevention but a defined response procedure for when backups fail or data loss is discovered.
Immediate steps when you discover a backup failure or data loss:
- Stop and contain: If you suspect ransomware or active attack rather than simple backup failure, disconnect affected systems from the network immediately before attempting recovery. Preserve forensic evidence.
- Assess scope: Determine what data is affected, what time period is uncovered, and whether production data is intact. A failed backup is different from a successful ransomware attack that destroyed both production and backup.
- Attempt recovery from alternate sources: Check immutable cloud copies, alternate backup sets, and any offsite copies. For cloud-based tax software, contact your vendor immediately—most platforms retain their own backup copies for 30–90 days.
- Notify as required: Under the FTC Safeguards Rule and applicable state breach notification laws, unauthorized access to taxpayer data triggers mandatory notification obligations. Consult your incident response plan for notification thresholds and procedures.
- Document everything: Record what failed, when it was discovered, what recovery actions were taken, and what data was affected or unrecoverable. This documentation is required for regulatory reporting and is essential for insurance claims.
- Fix and retest: After recovery, identify the root cause of the backup failure, implement corrective action, and conduct a full test before returning systems to production.
Tax practices that experience a data breach involving taxpayer information must also report to the IRS through the Security Summit. Our guide on what to do after a data breach covers the full notification and remediation process, including IRS reporting requirements specific to tax preparers.
Secure Your Practice with Expert Backup Implementation
Our cybersecurity specialists will assess your current backup strategy and implement a fully compliant solution that meets IRS Security Six requirements. Get peace of mind knowing your client data is protected.
Frequently Asked Questions
IRS Publication 4557 requires tax preparers to back up all systems containing nonpublic personal information (NPPI), implement automated backup schedules, maintain at least one isolated or immutable backup copy, encrypt all backup data using AES-256 with FIPS 140-2 validated modules, restrict access with multi-factor authentication, conduct quarterly restore tests, and maintain written documentation of all backup procedures. These requirements apply to every tax preparer holding a PTIN—there are no exemptions based on firm size.
IRS Publication 4557 and NIST Cybersecurity Framework 2.0 guidance both recommend testing backup restore procedures at least quarterly. Conduct a full restore test immediately after initial setup, then at quarterly intervals. Document each test including the date, what was restored, how long recovery took, data integrity verification results, and any issues discovered. Undocumented tests provide no compliance value during a regulatory inspection.
Yes, cloud backups can satisfy IRS Publication 4557 requirements when properly configured. The provider must offer AES-256 encryption at rest and TLS 1.3 in transit with FIPS 140-2 validated cryptographic modules, data storage within US jurisdiction, multi-factor authentication, immutability or object lock features, detailed audit logging, and SOC 2 Type II certification. Consumer services like Google Drive, Dropbox, or personal iCloud accounts do not meet these requirements and should not be used for taxpayer data storage.
Most professional tax software stores client data outside standard user folders like Documents or Desktop. For example, Intuit ProSeries stores data in C:\Users\Public\Documents\Intuit\ProSeries [Year], Drake Tax stores data in C:\Drake[Year]\Data, and Thomson Reuters UltraTax CS may use SQL Server databases requiring database-level backups. You must explicitly identify and include these paths in your backup configuration. Check your software's documentation or contact the vendor's support team to confirm the exact data storage locations for your specific installation and version.
IRS Publication 583 recommends retaining records supporting tax returns for at least 3 years from the filing date (the standard audit window), though 7 years covers the extended audit period for cases involving substantial understatements of income. Most tax practices set backup retention to 7 years as a conservative baseline that satisfies both IRS recordkeeping guidance and FTC Safeguards Rule requirements. Set automated retention enforcement in your backup software to prevent accidental early deletion.
Regular backups can be modified, overwritten, or deleted—by administrators, by software, or by ransomware that compromises backup system credentials. Immutable backups use object lock technology to create copies that cannot be modified or deleted for a defined retention period, even by users with full administrative access. When ransomware operators compromise a network, they typically destroy regular backups before deploying their encryption payload. Immutable backups survive this attack vector because the object lock cannot be bypassed through software or credential compromise. The Verizon 2025 Ransomware Trends Report found that 76% of targeted backup repositories were successfully compromised during attacks—immutability is the primary defense against this tactic.
Yes. IRS Publication 4557 explicitly requires written documentation of your backup procedures. During Security Summit inspections or FTC investigations under the Safeguards Rule, regulators will request written backup policy documentation. Your written plan must detail backup frequency, retention periods, storage locations, encryption methods, responsible parties, testing schedules, and recovery procedures. This documentation should be incorporated into your Written Information Security Plan (WISP). Running backups without written procedures does not satisfy compliance requirements.
A small firm handling 100–500 returns should budget $75–150 per month for cloud backup services and $800–1,500 one-time for local NAS hardware, totaling approximately $1,900–3,700 in the first year. Solo practitioners handling under 100 returns can implement a compliant solution for $30–50 per month in cloud costs plus $300–500 for local hardware—approximately $660–1,100 year one. These costs scale with data volume. Practices with 500+ returns or multiple locations should budget $200–400 monthly for cloud backup plus $2,000–5,000 for local infrastructure.
No. Consumer backup services including Google Drive, Dropbox, Microsoft OneDrive personal accounts, and iCloud do not meet IRS Publication 4557 or FTC Safeguards Rule requirements for taxpayer data protection. They lack FIPS 140-2 validated encryption modules, immutability features, SOC 2 Type II certification, and the audit logging required by §314.4(f) of the Safeguards Rule. Using consumer storage for taxpayer data creates regulatory exposure independent of any security incident, and the FTC has taken enforcement action against financial services firms using inadequate data protection methods. Use only business-grade, certified backup solutions with explicit compliance documentation.
Immediately assess whether the failure is a simple backup process error (common) or the result of an active attack like ransomware (requires isolation first). If you suspect active compromise, disconnect affected systems from the network before attempting recovery to prevent further spread. Check immutable cloud copies and alternate backup sets. For cloud-based tax software, contact your vendor—most platforms retain their own backup copies for 30–90 days. Document all recovery actions taken, what data was affected, and the root cause of the failure. If taxpayer data was accessed without authorization, you have mandatory notification obligations under the FTC Safeguards Rule and applicable state breach notification laws. Consult your incident response plan for the specific notification procedures and IRS Security Summit reporting requirements.
Schedule
Need help with IRS compliance?
Our tax cybersecurity specialists can review your security posture and help you get compliant.



