Since almost all communications, transactions, and documentation are now stored digitally, tax professionals are prime targets for cybercriminals. These criminals want more than a name or email address. They are after complete financial records, such as Social Security numbers, bank account details, and private tax returns.
In recognition of the growing threat, the IRS Security Summit, a partnership between the IRS, state tax authorities, and the private tax sector, has released an important reminder:
Written Information Security Plans (WISPs) are required for all tax professionals. This is not optional. It is required by law.
Whether you work as a solo tax preparer from your home office or as a member of a large firm with dozens of employees, this rule still applies. Client data protection is no longer just a best practice. It is the law.
What Is a Written Information Security Plan (WISP)?
A Written Information Security Plan is a formal, documented plan that outlines the security measures your business will take to protect client information from unauthorized access, data breaches, and cyberattacks.
A complete WISP should include:
- Access Controls – Rules defining who can access sensitive data and under what conditions.
- Data Security Policies – Clear guidelines for how you store, transmit, and safeguard client data.
- Risk Assessment – Identification and evaluation of possible threats to client information.
- Incident Response Plan – Step-by-step instructions on what to do if a data breach occurs.
- Employee Training – Programs to educate staff about phishing scams, password safety, and security protocols.
A WISP is not just a technical checklist. It is a living document that should be updated regularly as threats evolve and your business grows.
Why Is a WISP Required?
The IRS, in partnership with the Federal Trade Commission (FTC), has made it clear: protecting taxpayer information is a legal obligation under the FTC Safeguards Rule.
Here is why this requirement is in place:
- Cybercrime Is Rising – Criminals are using increasingly sophisticated methods to target tax professionals.
- Tax Data Is Extremely Valuable – A single stolen tax record can be worth thousands of dollars to identity thieves.
- It Protects Client Trust – Clients expect and deserve to know their data is safe in your hands.
- It Is the Law – The FTC Safeguards Rule applies to all tax preparers, regardless of firm size.
Failing to comply can result in serious consequences, including fines, penalties, legal action, and loss of reputation.
The Real-World Risks of Skipping a WISP
If you do not have a WISP in place, you are not just breaking compliance rules. You are taking a serious gamble with your clients’ data and your business future.
Potential consequences include:
- Data Breaches – Criminals could gain access to your entire client database.
- Financial Penalties – Noncompliance with the FTC Safeguards Rule can result in steep fines.
- Loss of Clients – Once trust is broken, it is extremely difficult to rebuild.
- Business Closure – A severe breach could lead to bankruptcy or forced shutdown.
What’s New in 2025?
The IRS has shared new data showing that enforcement is increasing. In 2025, the IRS is taking data protection compliance more seriously than ever before.
Recent program updates include:
- $123.5 million awarded to whistleblowers in FY 2024.
- $474.7 million recovered in unpaid taxes.
- 14,926 award claims filed, which is a 13 percent increase over previous years.
For data security specifically, the IRS and FTC are:
- Developing a digital claim submission portal for easier reporting.
- Upgrading case management systems to handle security reports faster.
- Making direct deposit the standard method for award payments.
What Counts as a Good WISP?
Not all security plans are created equal. To meet IRS and FTC standards, your plan must be:
- Detailed – Avoid vague or generic statements.
- Up-to-Date – Review and update the plan at least annually.
- Action-Oriented – Include clear steps to prevent and respond to breaches.
- Provable – You should be able to demonstrate compliance if requested by the IRS or FTC.
Example:
“We protect client data.” (Too vague.)
“All client files are stored in an encrypted, access-controlled database. Employees must use multi-factor authentication, and access is limited to authorized personnel only.” (Specific and verifiable.)
Quick Data Protection Tips for Tax Pros
Even before you create your WISP, you can take immediate steps to secure client data:
- Encrypt all sensitive files and email communications.
- Use multi-factor authentication for all logins.
- Regularly update antivirus and software security patches.
- Store backups securely off-site or in the cloud.
- Limit access to client data strictly to those who need it.
- Train staff to spot phishing and social engineering attacks.
How TaxProNext Helps You Comply and Protect Your Clients
At TaxProNext, we understand the importance of both IRS compliance and client trust. We help tax professionals by:
- Creating a Customized WISP that fits your firm’s needs. Visit TaxProNext to get started.
- Implementing Secure Filing Systems that meet all IRS and FTC requirements.
- Training Staff on data security best practices.
- Providing Ongoing Support to keep your plan current and effective.
We do not just process tax returns. We protect your business, your clients, and your reputation.
The Bigger Picture: Data-Driven Compliance
Compliance is more than just meeting legal requirements. It is about building a culture of security and accountability. This means:
- Tracking all IRS submissions.
- Keeping accurate, transparent records.
- Identifying and fixing issues before they become legal problems.
- Having documentation ready for any IRS or FTC inquiry.
With these measures in place, you are not just following the law. You are strengthening your business.
Final Thoughts
The IRS reminder is clear.
If you are a tax professional, you must have a Written Information Security Plan. It is your best defense against data breaches, legal penalties, and loss of client trust.
TaxProNext can help you:
- Stay compliant with IRS and FTC regulations.
- Protect sensitive client data from cyber threats.
- Avoid costly penalties and business disruptions.
Contact TaxProNext today to put your WISP in place and keep your business and your clients safe.