
Incident Response Plan for Tax Professionals

Every tax firm handling client data needs a written incident response plan. IRS Publication 4557 and the FTC Safeguards Rule both mandate one. Download our free template built specifically for tax preparers and EA/CPA firms.

  • Step-by-step breach response procedures tailored for tax firms
  • IRS and state attorney general notification checklists with deadlines
  • Client communication templates for data breach disclosure
  • Evidence preservation and forensic documentation worksheets
  • FTC Safeguards Rule and IRS Publication 4557 compliance mapping
  • Roles and responsibilities assignment matrix for your team

AICPA Certified | A+ BBB Rating | No credit card required


  • Firms Without a Plan: 77% of small tax practices lack a written incident response plan despite IRS requirements
  • Average Breach Cost: $180K mean cost of a data breach for small professional services firms in 2025
  • IRS Notification Window: 72 hrs maximum time to report a data breach to the IRS per Publication 4557 guidance
  • Faster Recovery: firms with tested IR plans recover from breaches 50% faster than those without

Why Tax Firms Need an Incident Response Plan

Two federal frameworks explicitly require tax professionals to maintain a written incident response plan. Failing to have one isn't just risky — it's a compliance violation that can result in fines, license suspension, and loss of your PTIN.

IRS Publication 4557

Publication 4557, "Safeguarding Taxpayer Data," requires all tax professionals to create and maintain a written information security plan that includes incident response procedures. Specifically, your plan must address:

  • Procedures for responding to a data security incident
  • Notification protocols for the IRS, states, and affected clients
  • Steps to contain and remediate the breach
  • Documentation and evidence preservation requirements
  • Annual review and testing of the response plan

FTC Safeguards Rule

The updated FTC Safeguards Rule (16 CFR Part 314) classifies tax preparers as "financial institutions" and mandates a comprehensive security program. For incident response, the rule requires:

  • A written incident response plan as part of your information security program
  • Goals of the plan: contain, control, and remediate security events
  • Designation of a qualified individual to oversee the response
  • Procedures to address any identified security event or weakness
  • Post-incident review to update your security program accordingly

What a Proper IR Plan Includes

A compliant incident response plan covers six critical areas — from initial detection through full recovery. Our template addresses each one with tax-specific procedures.

Threat Detection & Identification

Procedures for recognizing signs of a breach — unauthorized e-file submissions, suspicious CAF activity, client identity theft reports, and system intrusion indicators specific to tax software environments.

Containment & Isolation

Step-by-step instructions to isolate affected systems, disable compromised credentials, lock EFIN/PTIN accounts, and prevent further data exfiltration while preserving evidence for investigation.

IRS & Regulatory Notification

Complete notification checklists with contact information, required forms, and deadlines for the IRS Stakeholder Liaison, state attorneys general, FTC, and law enforcement agencies.

Client Notification & Support

Template letters and scripts for notifying affected clients, instructions for placing fraud alerts and identity protection PINs, and guidance on credit monitoring service obligations.

Evidence Preservation

Forensic documentation procedures including system log collection, screenshot protocols, chain of custody forms, and preservation steps that meet both IRS and legal discovery requirements.

Recovery & Remediation

Structured plan to restore operations, implement additional safeguards, update your WISP, conduct a post-incident review, and file required IRS Form 14039 for affected taxpayers.

How Bellator Helps You Prepare

We don't just hand you a template — we help you build, test, and maintain a plan that actually works when you need it most.

1. Plan Creation

We customize your incident response plan based on your firm's size, software stack, and client data volume. Every procedure maps directly to IRS Publication 4557 and FTC Safeguards Rule requirements.

2. Testing & Training

We run tabletop exercises that simulate real tax-industry breaches — stolen EFINs, fraudulent e-file submissions, ransomware during tax season — so your team knows exactly what to do.

3. Incident Support

If a breach occurs, our team provides 24/7 response support: forensic analysis, IRS liaison coordination, client notification management, and remediation to get your firm back to filing safely.

The Cost of Not Having an Incident Response Plan

Tax firms that experience a data breach without a documented incident response plan face severe consequences that go far beyond the breach itself:

  • PTIN Revocation: The IRS can suspend or revoke your Preparer Tax Identification Number, effectively shutting down your practice
  • EFIN Deactivation: Your Electronic Filing Identification Number can be deactivated, preventing you from e-filing returns for all clients
  • FTC Penalties: Violations of the Safeguards Rule carry fines up to $100,000 per violation, with each affected client record counted separately
  • State Penalties: All 50 states have breach notification laws — late or missing notifications trigger additional fines ranging from $5,000 to $750,000 per incident
  • Client Lawsuits: Affected taxpayers can sue for damages, and courts have consistently ruled that lack of a documented plan demonstrates negligence
  • Reputational Damage: On average, tax firms lose 38% of their client base within 12 months of a publicized data breach

After a close call with a phishing attack during tax season, we hired Bellator to build our incident response plan. Three months later, when we detected an actual intrusion attempt, the team followed the plan step by step — we contained it in under two hours and didn't lose a single client record. The IRS review afterward confirmed we were fully compliant.

David Thornton, Managing Partner at Thornton & Associates Tax Group

Incident Response Plan FAQ for Tax Professionals

Does the IRS require tax professionals to have a written incident response plan?

Yes. IRS Publication 4557, "Safeguarding Taxpayer Data," explicitly requires all tax professionals to maintain a written data security plan that includes incident response procedures. The FTC Safeguards Rule (16 CFR Part 314) reinforces this by classifying tax preparers as financial institutions subject to mandatory security program requirements, including a written incident response plan. Failure to maintain one can result in PTIN suspension, EFIN deactivation, and FTC enforcement actions.

What should a tax firm do first after discovering a data breach?

The first step is containment: disconnect affected systems from your network, change all passwords immediately, and disable remote access. Do not turn off or wipe any computers — you need to preserve forensic evidence. Next, contact your IRS Stakeholder Liaison (find yours at irs.gov) and report the breach. You should also file a report with local law enforcement and the FBI's IC3. Our incident response plan template includes a prioritized checklist with exact contact information and required forms for each notification.

How often should an incident response plan be reviewed and tested?

Both the IRS and FTC recommend reviewing and testing your incident response plan at least annually, and updating it whenever there are material changes to your business — such as new software, additional staff, or changes in the types of taxpayer data you handle. Best practice is to conduct a tabletop exercise before each tax season (December or January) so procedures are fresh in everyone's mind. You should also update the plan after any actual security incident, incorporating lessons learned.

What is the difference between a WISP and an incident response plan?

A Written Information Security Plan (WISP) is your overall security program document — it covers how you protect taxpayer data day to day, including access controls, encryption, employee training, and risk assessments. An incident response plan is a specific component within your WISP that details what to do when something goes wrong. Think of the WISP as your defense strategy and the IR plan as your emergency playbook. The IRS requires both, and the FTC Safeguards Rule treats the IR plan as a mandatory element of your broader information security program.

How quickly must the IRS and affected clients be notified after a breach?

You should notify the IRS as soon as possible — ideally within 72 hours of discovering a breach. Contact your local IRS Stakeholder Liaison and submit Form 14039 (Identity Theft Affidavit) for each affected taxpayer. For client notification, timelines vary by state: most states require notification within 30 to 60 days, though some like Florida require it within 30 days and others allow up to 90 days. Our IR plan template includes a state-by-state notification deadline chart so you know exactly how long you have for each client based on their state of residence.

Does your firm have an incident response plan?

Download our free IRS-compliant incident response plan template.