In today’s digital age, safeguarding sensitive data is more crucial than ever, especially for tax professionals who handle vast amounts of personal and financial information. Recognizing the ongoing threat of identity theft and data breaches, the IRS, in partnership with the Security Summit, has released an updated Written Information Security Plan (WISP) to help tax pros protect their clients and businesses.
What Is the WISP?
The WISP is a comprehensive, 28-page template designed to assist tax and accounting practices—particularly smaller firms—in creating a robust data security plan. This plan is not just a recommendation but a requirement under federal law, specifically the Gramm-Leach-Bliley Act (GLBA), which mandates that financial institutions, including tax professionals, protect customer data.
The newly updated WISP, detailed in Publication 5708, is the product of a year-long collaboration among tax and industry professionals. The aim? To make data security planning more accessible and effective, ensuring that every tax professional, regardless of the size of their practice, can develop a security plan that meets legal obligations and protects sensitive client information.
Key Updates and Best Practices
Multi-Factor Authentication: The WISP now emphasizes the importance of implementing multi-factor authentication (MFA) for anyone accessing information systems. This adds an essential layer of security by requiring more than just a password to gain access.
Incident Reporting: In the event of a security breach affecting 500 or more people, tax professionals are now required to report the incident to the Federal Trade Commission (FTC) as soon as possible, but no later than 30 days from the discovery date. These incidents must also be reported to an IRS Stakeholder Liaison and state tax authorities.
Tailored Security Plans: The WISP template is designed to be adaptable, recognizing that there is no one-size-fits-all approach. Each security plan should be appropriate to the size, scope, and complexity of the practice, as well as the sensitivity of the data handled.
Why It Matters
Tax professionals are often the first line of defense in protecting taxpayer data. With identity thieves constantly evolving their tactics, having a well-crafted and up-to-date WISP is vital. The IRS Commissioner, Danny Werfel, highlighted the importance of this initiative, noting that the WISP provides a “helpful road map” for tax professionals to protect their clients and themselves from the ever-present threat of data breaches.
Legal Obligations and Professional Responsibility
Under the GLBA, tax professionals are legally required to implement and maintain a WISP. This includes:
- Designating a Security Coordinator: Appointing one or more employees to manage the information security program.
- Risk Assessment: Identifying and assessing risks to customer information and evaluating the effectiveness of current safeguards.
- Program Development: Designing and implementing a comprehensive safeguards program, with ongoing monitoring and testing.
- Service Provider Oversight: Ensuring that service providers are capable of maintaining appropriate safeguards and are contractually obligated to do so.
- Continuous Evaluation: Regularly reviewing and adjusting the security program in response to business changes, operational shifts, or results from security testing.
Looking Ahead
The IRS’s updated WISP is part of a broader educational effort that includes the annual Nationwide Tax Forum events. These forums offer tax professionals an opportunity to learn from experts and stay updated on the latest security trends and best practices.
As the threats to data security continue to evolve, so must the strategies to combat them. The IRS and Security Summit partners are urging tax professionals to stay proactive in protecting their practices and client data. The newly updated WISP is a critical tool in this ongoing effort, providing a practical, easy-to-understand framework for developing a strong data security plan.
Tax professionals who haven’t yet reviewed or updated their WISP are encouraged to do so promptly. By staying vigilant and informed, they can help safeguard the integrity of their business and the trust of their clients.