A written information security plan (WISP) is a federally mandated documented cybersecurity framework required under the Gramm-Leach-Bliley Act (GLBA) and enforced through the FTC Safeguards Rule (16 CFR Part 314) for all tax professionals, accounting firms, and financial service providers handling sensitive taxpayer information. These comprehensive security programs must encompass administrative policies, technical controls, and physical safeguards protecting personally identifiable information (PII) from unauthorized access, disclosure, or destruction.
Federal regulations classify tax preparers as financial institutions subject to identical data protection standards governing banks and investment firms, with non-compliance resulting in FTC penalties up to $46,517 per violation per day, IRS revocation of PTIN credentials, voided professional liability insurance, and average breach costs exceeding $4.88 million according to IBM's 2024 Cost of a Data Breach Report.
Key Takeaway
What is a Written Information Security Plan and why do tax preparers need one? IRS requirements, FTC Safeguards Rule, and how to build yours.
[Infographic: WISP Compliance By The Numbers. Panels: FTC Safeguards Rule violations; IBM 2024 Data Breach Report; FTC notification requirement.]
The regulatory landscape intensified significantly when the IRS began requiring PTIN certification of WISP implementation on Form W-12 renewal applications in 2023. Question 11 explicitly asks: "Do you have a written data security plan to protect taxpayer information in your possession?" False certification constitutes perjury on a federal form, exposing practitioners to criminal penalties beyond civil fines.
The FTC's amended Safeguards Rule, effective June 9, 2023, expanded the technical mandates to require multi-factor authentication, encrypted data storage and transmission, annual penetration testing for larger firms, vulnerability assessments at least every six months, and breach reporting within 30 days when an incident affects 500 or more individuals.
Understanding Federal WISP Requirements for Tax Professionals
The legal mandate for written information security plans originates from multiple overlapping federal regulations creating comprehensive data protection obligations for tax professionals. Understanding these regulatory frameworks establishes the foundation for developing compliant documentation satisfying all applicable requirements.
Gramm-Leach-Bliley Act and the FTC Safeguards Rule
The Gramm-Leach-Bliley Act, enacted in 1999, established federal privacy and security standards for financial institutions. The law's definition of "financial institution" explicitly includes tax preparation services, subjecting practitioners to identical data protection requirements as banks, credit unions, and investment firms. The FTC enforces GLBA provisions through its Safeguards Rule, codified at 16 CFR Part 314, mandating that covered entities develop, implement, and maintain comprehensive information security programs.
Critical Compliance Update
The FTC amended the Safeguards Rule in 2021 with updated requirements effective June 9, 2023. These amendments significantly expanded technical control mandates, particularly for organizations serving 5,000 or more consumers. Enhanced requirements include annual penetration testing, vulnerability assessments at least every six months, multi-factor authentication implementation, encrypted data storage and transmission, secure software development practices, and incident response planning with specific breach notification timelines.
Under the amended Safeguards Rule, covered financial institutions must report security events affecting 500 or more individuals to the FTC within 30 days of discovery. This breach notification requirement creates strict reporting timelines demanding documented incident response procedures. The FTC has demonstrated aggressive enforcement, assessing penalties reaching $500,000 for notification failures and up to $46,517 per violation per day for non-compliance with safeguard requirements.
IRS Publication 4557 and Tax Professional Security Standards
The IRS established specific security requirements for tax professionals through Publication 4557: Safeguarding Taxpayer Data, a comprehensive guide outlining mandatory data protection measures. This publication explicitly states that tax professionals must create and implement written security plans documenting administrative, technical, and physical safeguards protecting taxpayer information throughout its lifecycle.
The IRS provides Publication 5708, a 28-page sample written information security plan specifically designed for tax and accounting practices. This template offers structured frameworks that practices can customize based on size, scope, complexity, and specific operational circumstances. Additionally, Publication 5709 provides detailed guidance on how to create a WISP from scratch.
Essential Components of a Compliant Written Information Security Plan
Federal regulations and industry standards define specific elements that comprehensive written information security plans must address. The NIST Cybersecurity Framework provides an authoritative structure organizing these components into logical categories demonstrating holistic security program implementation.
Core WISP Components
Security Governance: designated responsible personnel and clear governance structures
Risk Assessment: comprehensive data inventory and vulnerability analysis
Administrative Safeguards: policies, procedures, and training programs
Technical Safeguards: technology controls protecting information systems
Physical Safeguards: facility and equipment protection measures
Incident Response: breach notification and response procedures
Security Governance and Designated Responsible Personnel
Every compliant WISP begins with clear governance structures designating specific individuals responsible for security program oversight, implementation, and maintenance. The FTC Safeguards Rule mandates that covered institutions designate a "qualified individual" who coordinates the information security program, possesses sufficient knowledge and experience to assess security risks, and has authority to implement necessary controls across the organization.
Comprehensive Risk Assessment and Data Inventory
Risk assessment forms the analytical foundation supporting all other WISP components. This systematic evaluation identifies where sensitive information resides, how it moves through organizational systems, who can access it, and what vulnerabilities could enable unauthorized disclosure. The FTC Safeguards Rule requires that risk assessments identify "reasonably foreseeable internal and external risks" to customer information security, confidentiality, and integrity.
Effective risk assessments begin with detailed data inventories cataloging all personally identifiable information the organization collects, processes, stores, and transmits. For tax practices, this includes Social Security numbers, Individual Taxpayer Identification Numbers, dates of birth, financial account information, income details, employment records, and correspondence containing sensitive personal data.
Administrative Safeguards: Policies, Procedures, and Training
Administrative safeguards establish the governance framework controlling how organizations manage information security through policies, procedures, and personnel practices. These foundational controls define organizational security expectations, assign responsibilities, establish accountability mechanisms, and ensure consistent security practices across all operational areas.
Core administrative policies that comprehensive WISPs must address include acceptable use policies governing technology utilization, access control policies defining information access principles, password policies establishing credential requirements, data classification schemes categorizing information by sensitivity, encryption policies specifying when and how to protect data, remote work policies controlling distributed workforce security, vendor management policies governing third-party relationships, and incident response policies establishing procedures for detecting and responding to security events.
Technical Safeguards: Technology Controls Protecting Information Systems
Technical safeguards comprise the technology controls protecting electronic information systems from unauthorized access, disclosure, modification, or destruction. These measures form the technical infrastructure supporting secure information processing, storage, and transmission throughout the organization.
Endpoint protection represents the first line of defense against malware, ransomware, and other malicious code. Modern endpoint detection and response (EDR) solutions provide comprehensive threat prevention, detection, investigation, and remediation capabilities far exceeding legacy antivirus software.
Network security controls regulate traffic flow between systems and external networks. Next-generation firewalls combine traditional packet filtering with application awareness, intrusion prevention, threat intelligence integration, and encrypted traffic inspection. Properly configured firewalls implement default-deny policies blocking all inbound connections except those explicitly required for business operations, significantly reducing attack surface exposure.
Physical Safeguards: Protecting Facilities and Equipment
Physical safeguards prevent unauthorized individuals from accessing locations containing sensitive information or equipment processing taxpayer data. These controls address traditional physical security concerns often overlooked in technology-focused security discussions but essential for comprehensive protection.
Facility access controls restrict entry to offices and areas containing sensitive information. Controlled access mechanisms include keyed locks, electronic keycard systems, biometric readers, reception area sign-in procedures, and visitor escort requirements. Physical access logs document who entered controlled areas and when, creating audit trails supporting incident investigations.
Incident Response Planning and Breach Notification Procedures
No security program prevents every possible incident, making documented response procedures essential for minimizing damage when breaches occur. Comprehensive incident response plans establish clear protocols for detecting security events, assessing severity, containing active threats, investigating root causes, remediating vulnerabilities, recovering normal operations, and conducting post-incident reviews capturing lessons learned.
Breach notification requirements carry strict regulatory timelines varying by jurisdiction and affected data types. Federal law requires notifying the IRS Stakeholder Liaison Office within 24 hours of confirming breaches involving taxpayer information. The FTC Safeguards Rule mandates notification within 30 days when security events affect 500 or more individuals.
Implementation Challenge and Solution
Solo practitioners and small firms often lack dedicated IT staff, security expertise, and budget for comprehensive security programs. However, regulatory requirements apply equally regardless of practice size. Solutions include leveraging free or low-cost security tools appropriate for small organizations, utilizing IRS Publication 5708 as a starting template reducing development time, joining professional associations offering shared resources and security guidance, and engaging managed security service providers offering affordable packages specifically designed for tax professional needs.
Frequently Asked Questions
A written information security plan (WISP) is a formally documented cybersecurity framework detailing how organizations identify, assess, and manage information security risks to protect sensitive data. Federal law under the Gramm-Leach-Bliley Act requires all financial institutions, including tax preparers, accounting firms, bookkeepers, and financial advisors, to maintain written information security plans regardless of organization size. The IRS explicitly requires WISP implementation for all tax professionals, with certification of compliance mandatory for PTIN renewal beginning in 2023.
Federal regulations require annual reviews of written information security plans at minimum, assessing whether existing controls remain adequate against current threats and reflect organizational changes. Beyond scheduled annual reviews, organizations must update WISPs immediately when significant changes occur including security incidents, adoption of new technologies, opening or closing office locations, substantial workforce changes, discovery of vulnerabilities, and issuance of new regulatory requirements.
Templates provide excellent starting points for WISP development, but they require substantial customization reflecting specific organizational circumstances, operational characteristics, and risk profiles. The IRS offers Publication 5708 as a basic framework, though it provides only high-level structure requiring considerable detail additions. Organizations must modify templates to address their specific technology infrastructure, office configurations, employee counts, service areas, vendor relationships, and identified risks from comprehensive risk assessments.
Penalties for WISP non-compliance are severe and multi-faceted. The FTC can assess civil penalties up to $46,517 per violation per day under Safeguards Rule enforcement. The IRS may suspend or revoke PTIN credentials and EFIN authorization. Falsely certifying WISP compliance during PTIN renewal constitutes perjury on federal forms, creating potential criminal liability. State attorneys general enforce state-level data security laws with penalties ranging from $5,000 to $500,000 per violation. The absence of written information security plans typically voids professional liability insurance coverage, leaving practitioners personally liable for all breach-related costs.
Yes, written information security plans must explicitly address remote work arrangements with specific policies and controls governing distributed workforce security. Required elements include technical controls ensuring remote devices meet security standards, network security requiring VPN connections, physical security mandating locked storage for client documents, access controls implementing automatic screen locks, and secure communications prohibiting discussion of client information in public spaces or over unsecured connections.
While all tax practices must maintain written information security plans regardless of size, the FTC Safeguards Rule establishes enhanced requirements for larger organizations serving 5,000 or more consumers. These enhanced mandates include annual penetration testing, vulnerability assessments at least every six months, implementation of additional technical safeguards, and more rigorous monitoring programs. Smaller organizations are exempt from these specific enhanced requirements but must still implement comprehensive security programs addressing all fundamental Safeguards Rule elements.
IRS and FTC requirements for written information security plans originate from different legal authorities but overlap substantially in practical requirements. IRS requirements stem from Publication 4557 and Publication 5708, emphasizing protection of taxpayer data specifically, with enforcement through PTIN and EFIN credential management. FTC requirements derive from the Gramm-Leach-Bliley Act Safeguards Rule, which classifies tax preparers as financial institutions subject to comprehensive customer information protection standards. Best practice is developing single integrated WISPs explicitly referencing both regulatory frameworks.
Taking Action: Your WISP Implementation Path Forward
The regulatory environment governing tax professional data security continues intensifying annually with escalating enforcement activity, coordinated multi-agency investigations, and increasingly sophisticated cyber threats targeting practices of all sizes. Organizations without documented security plans face mounting risks from regulatory penalties, credential revocation, insurance coverage denial, and devastating financial consequences following data breaches that compliant practices could withstand.
The question isn't whether your practice needs a written information security plan—federal law already mandates one. The question is whether you'll implement proper protections proactively through systematic planning or reactively after incidents force compliance at exponentially greater cost with potentially irreparable reputational damage.
Begin today by conducting an honest assessment of current security posture using the frameworks and checklists provided throughout this guide. Identify where documentation gaps exist, prioritize immediate actions addressing critical vulnerabilities, and develop a systematic implementation plan for comprehensive WISP development.