An IRS WISP is required
With cyber security threats to taxpayers increasing, the IRS insists that tax professionals take the required steps to help protect their clients' information by creating a Written Information Security Plan, or WISP.
This IRS-required WISP consists of a written plan and the procedures your firm puts in place to help prevent clients' confidential information from being stolen. To comply with the FTC's Safeguards Rule, every tax and accounting firm must have an auditable written security plan that is acknowledged by all employees and maintained as changes come up. In a recent article on the Internal Revenue Service website during National Tax Security Awareness Week, the IRS stated, "Identity thieves who are on the hunt for taxpayer data aren't just targeting taxpayers, they're going after the tax professionals, who hold enormous amounts of sensitive taxpayer data, in hopes of filing fraudulent tax returns." The article went on to point out that tax professionals act as a first line of defense in protecting taxpayers, who also happen to be your most important clients.
Key security measures found in an IRS WISP
When creating a Written Information Security Plan, you evaluate and consider every area that could threaten the safety of your clients' information. From how you access client data to how you train your employees, there are best practices to include both in your WISP and in your day-to-day practice.
Multi-factor authentication, or MFA, is another requirement of federal law that helps protect clients' sensitive information. Your security plan should state your firm's policies on passwords and multi-factor authentication. Restricting who can access client information helps keep that data in the right hands: only authorized employees should be able to access clients' personal information, and the specifics of how your firm enforces this belong in your WISP.
Encryption protects data both while it is stored and while it is transferred between you, your clients, and the IRS. The usual recommendation is a standard transport encryption such as TLS (the successor to the now-obsolete SSL) for transferring information, plus a layer of encryption such as AES for storing confidential data at rest. Be sure to record your firm's specific encryption choices in your WISP.
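To make the "AES for data at rest" recommendation concrete, here is an added example, written for this page and not code from the original article or from WISP Builder. It assumes Go, AES-256-GCM (an authenticated mode, so a stored record that has been altered is rejected rather than silently decrypted), a key that in a real deployment would come from a key manager or OS keychain rather than being generated in the program, and a constructed sample client record; the client identifier is bound to the ciphertext as additional authenticated data so a blob cannot be quietly swapped between clients' files.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keySize = 32 // AES-256

// newKey returns a fresh random 32-byte key. Assumption for this example only:
// a firm would hold the key in a key manager or OS keychain, never beside the data.
func newKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptRecord seals plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || 16-byte authentication tag. aad (here the client
// identifier) is authenticated but not encrypted, so the blob is tied to
// the record it was written for.
func encryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record: reusing a nonce under the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decryptRecord reverses encryptRecord and fails closed on any change to the
// nonce, ciphertext, tag or aad.
func decryptRecord(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// demo runs the flow on a constructed record and reports whether the plaintext
// round-trips, whether a one-bit change to the stored blob is rejected, and
// whether reading the blob under another client's identifier is rejected.
func demo() (roundTrips, tamperRejected, wrongClientRejected bool, err error) {
	key, err := newKey()
	if err != nil {
		return
	}
	// Constructed sample data, not real taxpayer information.
	record := []byte(`{"name":"Sample Client","ssn":"000-00-0000","agi":12345}`)
	clientID := []byte("client-0001")

	blob, err := encryptRecord(key, record, clientID)
	if err != nil {
		return
	}
	got, err := decryptRecord(key, blob, clientID)
	if err != nil {
		return
	}
	roundTrips = bytes.Equal(got, record)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, tErr := decryptRecord(key, tampered, clientID)
	tamperRejected = tErr != nil

	_, cErr := decryptRecord(key, blob, []byte("client-0002"))
	wrongClientRejected = cErr != nil
	return
}

func main() {
	rt, tr, wc, err := demo()
	fmt.Printf("round-trips=%v tamper-rejected=%v wrong-client-rejected=%v err=%v\n", rt, tr, wc, err)
}
```

The choice of GCM over a bare AES block mode is the practical point: encryption at rest is only worth documenting in a WISP if it also lets you detect that a stored file was altered, and an authenticated mode gives you that check for free.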
Ongoing training on how to handle data, how to report suspicious activity, and how to recognize phishing goes a long way toward preventing data breaches. Note your employee training plan in your WISP, and, more importantly, make certain that every employee is trained on and acknowledges your firm's security plan.
A data breach response protocol should also be part of your security plan. Building in prevention and security measures to avoid a breach is important and required, but having a plan of action also helps you recover more swiftly from an unforeseen incident and helps prove compliance to the FTC in case of a lawsuit. A response plan should specify where to report the incident, how to stop the breach, and how to communicate about the incident with clients so that you preserve their trust and your business relationship. All of these details belong in your Written Information Security Plan, and all employees should be trained on the plan so that quick action can be taken to mitigate your risks.
Preventing data breaches with an IRS WISP
Total prevention is not possible, but a detailed security plan does help. Since cyber threats, employees, and systems are always changing, it's important to proactively re-evaluate the protocols set out in your Written Information Security Plan. The person responsible for implementing your firm's security plan should schedule regular reviews of cybersecurity trends, IRS regulations, and employee training. Service providers should be engaged to continually monitor your systems for suspicious activity. Regularly updating your firm's IRS WISP is not only required to stay compliant; each update is also an opportunity to strengthen the plan.
What should you do in case of a data breach?
The FTC provides specific guidelines to help you make quick and sound decisions in the period immediately following a data breach.
Secure your operations
Act quickly to prevent further compromise: physically lock affected areas and change access codes, assemble your breach response team, and stop any additional data loss.
Fix vulnerabilities
Consider who has access to your network and how its components connect to one another in order to pinpoint weaknesses. Make improvements as you uncover information about the breach, and communicate effectively with your customers to further protect them.
Notify the appropriate parties
Communicate with law enforcement and understand your legal obligations. You may be required to report the data breach to the FTC and, in some cases, to the media.
Benefits of an IRS WISP
Your firm's Written Information Security Plan is required for compliance with the FTC's Safeguards Rule. A thorough written plan for the security of your clients' data helps you prove compliance in case of a data breach, and it also greatly reduces the likelihood of client data being stolen in the first place. These protocols build trust between you and your clients by showing them that you handle their private information with care and in compliance with the rules.
In today's world of increased threats to personal data security, it is the duty and obligation of tax and accounting professionals to create and maintain a Written Information Security Plan. WISP Builder's editable template helps make creating your plan simple and thorough. Regular update reminders and employee training resources provided by WISP Builder help you stay current with the ever-changing world of cyber security. WISP Builder is the all-in-one tool that helps you get and stay compliant, so you can build a plan that protects your clients' data and your business.