The Internal Revenue Service (IRS) and Security Summit partners have announced the release of an updated Written Information Security Plan (WISP) to help tax professionals safeguard against identity thieves and data breaches. This announcement is part of the IRS’s ongoing Protect Your Clients; Protect Yourself campaign, now in its ninth year, aimed at enhancing tax professional security.
Updated Written Information Security Plan
The new WISP, outlined in Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice (PDF), is a 28-page template designed to assist tax professionals, particularly those in smaller practices, in securing sensitive data. This updated version includes several new features and best practices, such as implementing multi-factor authentication and mandatory reporting of security events affecting 500 or more individuals to the Federal Trade Commission (FTC) within 30 days of discovery.
Importance of the WISP
Tax professionals are required by federal law to have a security plan to protect their clients’ data. The updated WISP provides a clear and easy-to-understand roadmap for creating and maintaining this essential document. IRS Commissioner Danny Werfel emphasized the critical role tax professionals play in the nation’s tax system, holding vast amounts of taxpayer information that can be highly valuable to identity thieves.
Key Updates in the New WISP
- Multi-Factor Authentication: Highlighting best practices for implementing multi-factor authentication for any individual accessing information systems.
- Reporting Requirements: Tax professionals must now report security events affecting 500 or more people to the FTC within 30 days of discovery, in addition to notifying the IRS Stakeholder Liaison and state tax authorities.
Protect Your Clients; Protect Yourself Series
This announcement marks the sixth part of a special summer news release series focused on tax professional security. The Protect Your Clients; Protect Yourself campaign provides timely tips to help protect sensitive taxpayer data and the businesses of tax professionals from identity thieves. The series is a part of the annual education effort by the Security Summit, a coalition that includes tax professionals, industry partners, state tax agencies, and the IRS.
Nationwide Tax Forums
The updated WISP and other security tips are key features of the Nationwide Tax Forum, which takes place in several cities throughout the U.S. These forums offer three-day continuing education events with sessions focused on security-related topics. Tax professionals can hear from experts at the IRS and in the tax professional community, and attend special sessions from Salve Regina University’s Pell Center.
Developing and Implementing a WISP
Creating a WISP involves several critical steps, including:
- Designating a Coordinator: Appoint one or more employees to manage the information security program.
- Risk Assessment: Identify and assess risks to customer information and evaluate the effectiveness of current safeguards.
- Safeguards Program: Design and implement a program to control risks, and regularly monitor and test it.
- Service Providers: Ensure service providers maintain appropriate safeguards.
- Program Evaluation: Continuously evaluate and adjust the program based on business changes or security testing results.
Reporting Security Incidents
Tax professionals should also create a data theft response plan, which includes contacting their IRS Stakeholder Liaison to report security incidents and sharing information with the appropriate state tax agency. Detailed information about the FTC data breach response requirements can be found here.
Additional Resources
For further assistance, tax professionals can refer to the following publications:
- Publication 5709, How to Create a Written Information Security Plan for Data Safety (PDF)
- Publication 5293, Data Security Resource Guide for Tax Professionals (PDF)
- Publication 4557, Safeguarding Taxpayer Data (PDF)
- Small Business Information Security: The Fundamentals (PDF) by the National Institute of Standards and Technology
Tax professionals should also stay updated by subscribing to e-News for Tax Professionals and following the IRS on social media.
By implementing and maintaining a robust WISP, tax professionals can better protect their clients’ sensitive information and their own businesses from the ever-evolving threats of identity theft and data breaches.