IRS WISP: Crafting an Effective IRS-Compliant Written Information Security Plan (WISP)
Jan 09, 2025
Data security is no longer just a best practice; it’s a legal obligation. For tax preparers and accounting firms, the IRS (Internal Revenue Service) requires a Written Information Security Plan (WISP) to comply with federal regulations like the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule. While these regulations may seem daunting, a WISP is an essential tool to protect sensitive client information, mitigate risks, and establish trust with stakeholders.
In this blog, we’ll walk you through the essential components of an IRS-compliant WISP and provide practical guidance for creating a plan that works for your firm. Whether you’re a solo practitioner or part of a larger organization, a well-crafted WISP can provide peace of mind and robust legal compliance.
Why You Need an IRS WISP
A WISP is more than a document; it’s a comprehensive strategy for keeping customer data safe and ensuring your firm meets its regulatory obligations. The IRS, GLBA, and FTC require financial institutions—including tax professionals—to protect client data from misuse, theft, or unauthorized access. An effective WISP does the following:
- Promotes Legal Compliance: Regulatory requirements are stringent, and a failure to comply could lead to penalties, reputational damage, and loss of client trust.
- Mitigates Risks: A well-crafted WISP identifies potential vulnerabilities and outlines safeguards to prevent data breaches.
- Demonstrates Responsibility: Showing that you take client data security seriously is vital for maintaining professional credibility.
Beyond compliance, a WISP helps foster a culture of accountability within your organization. By clearly defining roles, responsibilities, and processes, it ensures everyone in your firm understands their part in safeguarding sensitive information.
Legal Requirements for Tax Professionals and Accounting Firms
Tax administrators and accounting professionals are required by law to have a Written Information Security Plan (WISP) in place to protect sensitive client data. The Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule mandate that financial institutions, including tax and accounting professionals, implement a data security plan to safeguard customer data. The IRS also requires tax professionals to have a WISP in place to protect taxpayer information from identity thieves.
The legal requirements for tax and accounting professionals include:
- Creating and Implementing a Data Security Plan: This plan must include administrative, technical, and physical safeguards to protect sensitive client data.
- Designation of a Security Coordinator: An employee must be designated to coordinate and report on information security efforts.
- Conducting Risk Assessments: Regular risk assessments are necessary to identify potential shortcomings in existing safeguards.
- Data Handling Inventory: Maintain an inventory of data handling practices to ensure all potential vulnerabilities are addressed.
- Employee and Contractor Code of Conduct: Draft a well-defined code of conduct and an implementation clause to ensure all personnel understand their responsibilities.
- Regular Monitoring and Testing: Continuously monitor and test the protocols defined in the WISP to ensure they remain effective.
- Service Provider Compliance: Ensure that all service providers are compliant with the established safeguards.
Failure to comply with these legal requirements can result in penalties and fines, as well as damage to a tax and accounting professional’s reputation. By adhering to these regulations, tax professionals can protect sensitive client data and maintain the trust of their clients.
Key Components of a Robust Written Information Security Plan
Objectives, Purpose, and Scope
The objectives section of a WISP should articulate why the plan exists. For example, a primary objective might be to comply with the Safeguards Rule or to mitigate risks associated with handling Personally Identifiable Information (PII). Objectives set the tone and provide a framework for the rest of the document.
The purpose section explains the plan’s specific goals—such as protecting PII (Personally Identifiable Information) against unauthorized access, fraud, or identity theft. This part also connects the WISP to its legal basis, demonstrating compliance with IRS and FTC standards.
The scope defines the boundaries of the WISP, including what data, systems, and processes it covers. For instance, does the plan apply to digital records only, or does it also cover paper documents? By clarifying these details, the scope ensures that the WISP is both comprehensive and specific to your firm’s operations, considering the size, scope of activities, complexity, and sensitivity of customer data.
Designation of Responsible Individuals
Every WISP must designate a Data Security Coordinator (DSC), or a similar role, responsible for implementing and maintaining the plan. The DSC oversees daily operations, monitors compliance, and coordinates incident responses. This role is critical, as it ensures that someone is accountable for safeguarding PII.
For larger firms, it’s also advisable to appoint a Public Information Officer (PIO) or Data Protection/Privacy Officer (DPO). This individual handles external communication during a security event, such as notifying affected clients or responding to inquiries from law enforcement and regulators. Separating these roles allows the DSC to focus on remediation while the PIO manages outward-facing responsibilities. Additionally, it is important to report security incidents to the appropriate state tax agency as part of the data theft response plan.
Assigning clear responsibilities not only ensures that your WISP is actionable but also prevents confusion during critical moments. A lack of accountability can lead to delayed responses, making breaches worse.
Risk Assessment
Risk assessments are the foundation of any effective WISP. Start by identifying the types of data your firm handles, such as tax returns, employee records, and financial statements. Consider where this data is stored—on office servers, laptops, or cloud storage—and how it could be accessed by unauthorized parties.
Next, evaluate potential risks, such as physical theft of files, hacking attempts, or data loss due to natural disasters. For example, a firm with remote employees may face heightened risks from insecure Wi-Fi networks or unencrypted devices.
Finally, establish procedures to monitor and test for vulnerabilities. Regular audits, penetration testing, and software updates are essential to staying ahead of emerging threats. Incorporating security testing as part of these procedures ensures compliance with federal laws like the Gramm-Leach-Bliley Act (GLBA) and helps maintain robust data security. A thorough risk assessment not only protects client data but also prepares your firm to respond quickly to unforeseen incidents.
Inventory of Hardware and Software
Creating a detailed inventory of all devices and software that handle PII is crucial for maintaining oversight. This includes everything from workstations and mobile phones to routers and tax preparation software. Each item should be cataloged with information about its user, location, and the type of data it processes.
For example, a firm might list:
- A workstation used for tax filing, equipped with encryption software and restricted access.
- A router located in a locked storage room, configured with strong firewall settings.
By maintaining an up-to-date asset inventory, you can quickly identify potential vulnerabilities, such as outdated software or unauthorized devices. This proactive approach ensures that every piece of hardware and software meets your firm’s security standards. Access to information systems should be granted only under secure access controls approved in writing.
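As an added example (not part of the original post), the following script audits an asset inventory of the kind described above against three of the WISP expectations named in this section: PII-handling devices must be encrypted, every asset must have written access approval on file, and software must not fall below a version baseline. The inventory records, the `MIN_VERSIONS` baseline and all field names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One inventory record: who uses it, where it sits, what data it touches."""
    asset_id: str
    kind: str              # "workstation", "laptop", "phone", "router" or "software"
    name: str              # device model or software product (constructed values)
    user: str
    location: str
    handles_pii: bool
    encrypted: bool
    access_approved: bool  # written access approval on file, per the WISP access controls
    version: str = ""      # populated for software entries only


# Constructed baseline: minimum acceptable version per software product.
MIN_VERSIONS = {"TaxSuite": (2025, 1)}


def parse_version(text):
    """Turn a dotted version string such as "2024.3" into a comparable tuple."""
    return tuple(int(part) for part in text.split(".")) if text else ()


def audit_inventory(assets):
    """Return (asset_id, finding) pairs for every record that fails a WISP check."""
    findings = []
    for a in assets:
        if a.handles_pii and not a.encrypted:
            findings.append((a.asset_id, "handles PII without encryption"))
        if not a.access_approved:
            findings.append((a.asset_id, "no written access approval on file"))
        if a.kind == "software":
            floor = MIN_VERSIONS.get(a.name)
            if floor and parse_version(a.version) < floor:
                baseline = ".".join(str(n) for n in floor)
                findings.append((a.asset_id, f"{a.name} {a.version} is below baseline {baseline}"))
    return findings


# Constructed sample inventory; the laptop, phone and software entries should be flagged.
SAMPLE_INVENTORY = [
    Asset("WS-01", "workstation", "office desktop", "preparer-a", "main office", True, True, True),
    Asset("RT-01", "router", "edge router", "dsc", "locked storage room", False, False, True),
    Asset("LT-02", "laptop", "field laptop", "preparer-b", "remote", True, False, True),
    Asset("PH-03", "phone", "mobile phone", "intern", "remote", True, True, False),
    Asset("SW-01", "software", "TaxSuite", "all staff", "WS-01", True, True, True, "2024.3"),
]

if __name__ == "__main__":
    for asset_id, finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{asset_id}: {finding}")
```

Running the script lists each failing asset with its finding, which is the kind of output a Data Security Coordinator can attach to the annual WISP review.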
Document Safety Measures
Safety measures to protect customer data are the backbone of your WISP. These should cover:
- Data Retention Policies: Specify how long data is stored and when it should be securely destroyed.
- Access Controls: Limit data access to authorized personnel based on job roles.
- Incident Reporting: Define the steps for reporting and addressing security breaches.
For physical records, secure storage solutions—like locked filing cabinets—are a must. For digital data, encryption and strong password protocols are essential. Consider adding a clean desk policy to reduce the risk of sensitive information being exposed to unauthorized eyes.
By implementing robust safety measures, your firm can significantly reduce its vulnerability to data breaches and regulatory violations.
Technical Safeguards
Technical safeguards protect your systems and networks from cyber threats and help manage any security incident effectively. This includes:
- Firewalls and Antivirus Software: Regularly update these tools to block unauthorized access and detect malware.
- Multi-Factor Authentication (MFA): Require MFA for all system logins, adding an extra layer of protection.
- Data Encryption: Encrypt sensitive data during storage and transmission to prevent interception.
Additionally, establish policies for remote access. For example, restrict remote access during after-hours periods, when fewer staff are available to monitor network activity. These technical safeguards help ensure that your systems remain secure, even as cyber threats evolve.
Training and Accountability
Professional tax preparers must prioritize employee training to foster a security-conscious culture. Conduct annual sessions to educate staff on WISP (Written Information Security Plan) protocols, phishing awareness, and safe data handling practices. New hires should receive training before accessing sensitive data, and ongoing refreshers should be scheduled to reinforce best practices.
Accountability measures, such as signed acknowledgments of understanding, ensure that employees take their responsibilities seriously. Include guidelines for addressing non-compliance, which might range from verbal warnings to termination for severe breaches.
A well-trained workforce is your first line of defense against data breaches. When employees understand the importance of their roles, they are more likely to follow protocols and report potential vulnerabilities.
Incident Response and Notification Plans for Data Breaches
A clear incident response plan minimizes confusion during a security event. Define who will lead the response, what steps will be taken to secure affected systems, and how evidence will be preserved for forensic analysis. The IRS recommends tax professionals create such a plan.
The notification plan should outline how to inform affected clients, regulators, and third-party vendors. For example, the FTC requires breaches affecting 500 or more individuals to be reported within 30 days. Having a well-defined notification plan ensures compliance and helps rebuild trust after an incident.
Written Information Security Plan Implementation and Maintenance
A WISP is not a set-it-and-forget-it document. Regularly monitor and schedule annual reviews to update policies, incorporate new regulations, and address changes in your business operations as part of your data security planning. For instance, if your firm begins using a new cloud storage provider, update the WISP to include their security protocols.
Regular audits, employee feedback, and lessons learned from security incidents should inform updates to the WISP. By keeping the document current, your firm can adapt to new threats and maintain compliance over time.
Conclusion
An effective WISP is a strategic investment in your firm’s future. By securing client data, meeting regulatory requirements, and fostering a culture of accountability within the nation's tax system, you can reduce risks and build trust with your clients.
Start crafting your WISP today to stay ahead of threats and demonstrate your commitment to data security. Because in today’s world, protecting information is not just a legal obligation—it’s a cornerstone of good business.