IRS & FTC Data Security Requirements | Written Information Security Plan (WISP)

IRS & FTC Data Security Requirements for Tax Preparers

Every paid tax preparer must maintain a Written Information Security Plan (WISP) to protect client data and comply with the FTC Safeguards Rule (16 CFR Part 314).

Purpose

Under federal law and IRS regulations, all paid tax return preparers must develop and maintain a Written Information Security Plan (WISP) to safeguard taxpayer information. This aligns with the FTC Safeguards Rule (16 CFR Part 314) and IRS guidelines for data protection.

1. Legal and Regulatory Framework

FTC Safeguards Rule (16 CFR Part 314)

  • Requires financial institutions, including tax preparers, to maintain a written information security program.
  • Protects the confidentiality, integrity, and availability of taxpayer data.
  • Mandates periodic risk assessments and plan updates.

IRS Publications

2. Core Requirements for a WISP

A. Data Inventory and Risk Assessment

  • Identify all systems storing or transmitting taxpayer data.
  • Evaluate physical and digital risks (e.g., loss, hacking, phishing).
  • Document risk assessments and actions taken.

B. Safeguards and Security Measures

Administrative Safeguards

  • Restrict access to taxpayer data to authorized personnel only.
  • Train staff on confidentiality and data protection.
  • Appoint a Security Coordinator responsible for the plan.

Technical Safeguards

  • Use strong passwords and multi-factor authentication.
  • Encrypt sensitive data at rest and in transit.
  • Install firewalls and antivirus software, and maintain regular backups.

Physical Safeguards

  • Secure file cabinets and devices.
  • Lock office doors and restrict access.
  • Shred paper records and securely destroy old devices.

C. Vendor and Third-Party Oversight

  • Vet cloud or software vendors for data protection compliance.
  • Include security requirements in vendor contracts.

D. Incident Response and Breach Notification

  • Document a response plan for data breaches.
  • Include steps for containment, reporting, and client notification.
  • Report breaches promptly to the IRS and affected clients.

E. Ongoing Monitoring and Updates

  • Review and update your WISP at least once per year.
  • Reassess when systems, staff, or risks change.

3. IRS and FTC Resources

Resource                Purpose                                 Link
FTC Safeguards Rule     Federal standard for data protection    FTC.gov/SafeguardsRule
Publication 4557        IRS guidance on data protection         View PDF
Publication 5708        WISP creation guide                     View PDF
Publication 5709        WISP template                           View PDF
Publication 5417        Security plan checklist                 View PDF

4. Summary of Responsibilities

  • Develop and maintain a written WISP.
  • Appoint a data security coordinator.
  • Protect taxpayer data digitally and physically.
  • Train employees on confidentiality and security.
  • Monitor, test, and update safeguards regularly.
  • Report and respond promptly to data breaches.

Need Help Building Your WISP?

El Income Tax can guide you through creating your compliant Written Information Security Plan and setting up cybersecurity best practices for your tax business.