The Role of a WISP in IRS data breach prevention and response.
As a tax accountant, you never want to hear the words “data breach.” However, the truth is that the best way to prevent identity theft as a tax professional is to be ready for a data breach at any time. This is where having an IRS WISP, or written information security plan, comes into play. The FTC requires an IRS WISP for compliance, and for good reason: when you have a data breach prevention plan in place, you are often able to catch identity thieves sooner rather than later, and in most cases you can even prevent the thieves from accessing your clients’ personal information at all.
Cybersecurity Awareness is key.
You can’t prevent something if you aren’t looking for it. When creating an IRS WISP for your business, it takes intentionality to look at every angle from which a potential data thief could attack and to carefully list your company’s procedures for data breach prevention.
What should you be looking for when creating your data breach prevention plan?
Every single step that your clients’ private information passes through, from the initial client contact to filing their tax return, should be considered, including the methods used to:
- Send emails
- Exchange social security and account numbers
- Store client confidential information, etc.
When you consider each step of the process from the perspective of how a hacker could potentially gain access (including who on your team has access to this important information), you are able to create data breach prevention procedures with these access points in mind. Cybersecurity awareness is key to helping you create the right preventative security plan and procedures.
Getting the right data breach prevention procedures in place.
How are your employees expected to handle client information? And, more importantly, do they even know what your private information policy is if you were to ask them? The mishandling of client information by a negligent employee plays a big role in how hackers are able to easily gain access to thousands of confidential client accounts every year. When you create your WISP, not only are you expected to create a specific cybersecurity plan and procedure for how to safely transport and store client information, but you are also required to train all of your employees often in order to keep data breach prevention top of mind.
Updating to stay alert with new trends in theft or changes in personnel.
Cybercriminals and data thieves are getting smarter and constantly learning new ways to access your clients’ private information. This is why it’s vital to your tax and accounting practice to make regular updates to your IRS WISP. Regularly scheduled updates to your WISP help you adjust your cybersecurity policies and procedures to address any new trends in cybercrime that arise. Any time you bring on a new employee, make a change in software, or create new access points to your clients’ information, be sure to update your IRS WISP to reflect these changes so that you stay compliant. Creating a WISP may make you compliant with the FTC initially, but in order to stay compliant you must regularly update your WISP and keep your staff aware of these changes.
How to respond to a data breach using your WISP.
So, what happens if the worst-case scenario still happens, even with these safety procedures in place, and your clients’ information is stolen? A WISP, when done correctly, can act as a shield between you and the IRS, which will come knocking. In an investigation or audit, if you are able to show your WISP and prove that, prior to the data breach, you did in fact have a cybersecurity plan in place with your employees properly trained, then you are able to protect yourself by proving compliance. This proof of compliance can save you up to $100,000 in fines and even jail time, which is why ensuring that your WISP is done correctly is so important – not only the first time, but any time you make updates.
When faced with a data breach, you want to be able to act as fast as possible and put a stop to the leak while aiming to protect your clients’ identities and your reputation. An IRS WISP includes a detailed data breach response plan dictating which actions to take, and by whom, so that your firm is able to act fast in this serious situation. Ultimately, you want to stop the breach from continuing, analyze the security you have in place, and alert both the authorities and your clients when this happens. When you and your employees have clarity in advance regarding who does what in response to a data breach, you are able to minimize the damage, prove your compliance, and save your reputation in the long run.
Tools to help you stay on top of data breach prevention.
It’s imperative to the health of your practice and to the safety of your clients’ identities not only to create a WISP, but to create a security plan that is done correctly, updated at least annually, and familiar to all employees. WISP Builder is an all-in-one tool that helps you create, manage, maintain, and update your WISP so that you can get and stay compliant even in the case of a data breach. This tool helps you set up your WISP, obtain all of the needed signatures, and store it offsite – all of which are required to get compliant. WISP Builder helps you stay compliant with simplified updates to keep your WISP evergreen and ready for what is to come.