IRS Reminds Tax Pros of Federally Mandated Written Security Plans

The plan is designed to help protect client data from identity theft and data breaches.
IRS Reminds Tax Pros of Federally Mandated Written Security Plans
The Internal Revenue Service in Washington on July 21, 2025. Madalina Kilroy/The Epoch Times
|Updated:
0:00
Tax professionals are federally obligated to prepare a Written Information Security Plan (WISP) for their business, the IRS said in a July 29 statement.
The WISP document details an organization’s security controls and is aimed at ensuring that clients’ personally identifiable information is protected from unauthorized access. It lays out actions that must be taken in case of a security incident such as a data breach.

An effective WISP focuses on three key areas—employee management and training, information systems, and detecting and managing system failures, the IRS said.

“The Gramm-Leach-Bliley Act (GLBA) requires all financial institutions to protect customer data. Under this law, tax and accounting professionals are considered financial institutions and must implement a data security plan,” the agency said.

The Federal Trade Commission (FTC) requires tax professionals to designate one or more of their employees to coordinate the information security program.

Safety processes have to be regularly monitored and tested. Tax preparers are advised to hire external service providers who can maintain effective security safeguards.

According to the IRS, tax professionals must assess, test, and update their WISP on a regular basis.

“Adjustments should be made based on changes in the firm’s operations or security testing and monitoring results,” the agency said.

The WISP reminder is related to a series of notifications the agency is releasing as part of the Protect Your Clients; Protect Yourself campaign.

The IRS warned that every tax professional in the United States—from major accounting companies to one-person firms—is a potential target for cybercriminals.

These criminals seek to steal client data for filing fraudulent tax returns.

“Their tactics: using email, the phone, or other means to trick you into giving up computer passwords, e-Services passwords, to steal your EFINs or CAF numbers, or even to take remote control of your entire computer system,” the IRS said.

As part of the security plan, tax professionals should also consider developing a data theft response plan, including contacting their IRS stakeholder liaison when an incident occurs.

Tax professionals who are victims of a security incident must report the event to the FTC within 30 days of the breach when 500 or more people are affected, the agency said.

On July 15, the IRS issued another notice as part of the Protect Your Clients; Protect Yourself campaign, warning professionals to be wary of phishing emails and other scams used by fraudsters to steal taxpayer data.

Phishing emails are messages sent by scammers attempting to trick a recipient into clicking a link and filling out a form or downloading malware.

Besides phishing, there is the whaling attack, which targets “leaders or other executives with access to large amounts of information at an organization or business,” the IRS said.

Some scammers may pose as potential new clients.

“Tax pros have been particularly vulnerable to emails where the sender is posing as a potential client. Criminals use the ‘new client’ scam to trick practitioners into opening email links or attachments that infect computer systems to steal existing client information,” said the agency.

IRS warned tax professionals to be careful when receiving an unexpected email or text, a duplicate email from what seems to be a trusted source containing a new link or attachment, or a message persuading them to open a link or attachment.

The agency advised installing anti-virus software and keeping it updated, using multi-factor authentication when storing data, and setting up firewalls to shield networks from malicious traffic.

In November, the government unsealed charges against two individuals for their scheme to allegedly break into computer networks of tax preparation services in Massachusetts, the Department of Justice said in a November 2024 statement.

The defendants wanted to swipe client information and file fraudulent tax returns to secure refunds, it said.

Google LogoMark Us Preferred on Google
Naveen Athrappully
Naveen Athrappully
Reporter
Naveen Athrappully is a news reporter covering business and world events at The Epoch Times.