IRS says tax pros should have a written security plan

The Internal Revenue Service and its security partners want practitioners, particularly in smaller tax practices, to use a new template to create a data security plan.

The Written Information Security Plan, or WISP, is a 28-page document developed by and for tax professionals to safeguard their clients and their own businesses.

The Security Summit, which includes tax pros, industry partners, state tax authorities and the IRS, co-developed the WISP. Members of the summit will highlight the template at each of the five IRS Nationwide Tax Forums that will be held this summer across the country. It's part of the IRS's annual "Protect Your Clients; Protect Yourself" public awareness campaign. The forums continue next week in Atlanta, followed later in the summer by the Washington, D.C., area, San Diego and Orlando.

IRS headquarters in Washington, D.C.
Andrew Harrer/Bloomberg

"Tax professionals form a critical part of the defense against identity thieves and scammers," said IRS commissioner Danny Werfel in a statement Tuesday. "The IRS and Security Summit partners remain vigilant to emerging identity theft schemes and scams, but tax professionals following the steps outlined in the security plan will provide valuable protection to their practices as well as their clients."

The Security Summit members — led by its Tax Professionals Working Group — spent months developing the WISP, including a special sample document that enables tax professionals to quickly focus on developing their own written security plans.

"It's more important than ever for tax pros to protect their data, passwords and other information," said Kimberly Rogers, director of the IRS Return Preparer Office and co-chair of the Summit's Tax Pro Working Group, in a statement. "With cyberattacks against tax professionals continuing, having a sound security plan makes not only good business sense, it's also the law. But knowing where to start can be challenging. The Security Summit members worked together on this plan to make it easier for all tax professionals to develop an approach that is right for them."

The WISP, available on IRS.gov and in IRS Publication 5708, walks users through the process of getting started on a plan, understanding security compliance requirements and professional responsibilities. It continues with an outline for a basic WISP and a sample template that gives tax pros a place to start in understanding and trying to draft a plan for their own business. The security plan needs to be adapted to be appropriate to the firm's size, scope of activities, complexity and the sensitivity of the customer data it handles, as there's no one-size-fits-all plan. The WISP should include employee management and training; information systems; and detecting and managing system failures. Given the rapidly evolving nature of cyber threats, tax pros should also consult with technical experts to help them with security issues and ways to protect their systems.
