By law, all tax preparers are required to create and implement a Written Information Security Plan (WISP) to protect clients’ data. Even if you’ve been in the tax business for years, writing a comprehensive data security plan can be daunting. To take out the guesswork, we’ve outlined a step-by-step process for researching and writing a data security plan for your tax business.
Step 1: Read Relevant IRS and Security Summit Guides
The IRS and the Security Summit (a partnership of the IRS, state tax agencies, and tax professionals) have compiled several resources to educate tax professionals on data security.
- IRS Publication 4557: Safeguarding Taxpayer Data:
This 20-page guide provides a concise but thorough introduction to the most common security threats faced by tax professionals and how to combat them. It outlines basic security steps such as creating secure passwords, installing security software, and securing any wireless networks used in your tax office.
It also describes the common tactics used by data thieves, so that you can learn to spot and avoid them and train your employees to do the same. Finally, it covers what you should do in the event of data loss and provides a checklist for creating your plan.
- Small Business Information Security: The Fundamentals by the National Institute of Standards and Technology:
This guide further outlines best practices all small businesses should take to protect sensitive information.
- IRS Publication 5708: Creating a Written Information Security Plan for your Tax & Accounting Practice:
This relatively new publication was released in August 2022, after the Security Summit recognized that creating an adequate WISP was still challenging for many tax professionals. It outlines the minimum requirements a data security plan must meet to comply with the Federal Trade Commission standards:
- Designate one or more employees to coordinate its information security program
- Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks
- Design and implement a safeguards program and regularly monitor and test it
- Select service providers that can maintain appropriate safeguards, ensure your contract requires them to maintain those safeguards, and oversee their handling of customer information
- Evaluate and adjust the program considering relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring
However, the guide is deliberately flexible about exactly what should be included in each tax business’s WISP, emphasizing that there is no “one-size-fits-all.” Instead, each WISP should be tailored to the needs of the practice. For example, a 10-person accounting firm with multiple computers and a network will need a more detailed plan than a single-person business that uses cloud-based tax software.
While we encourage you to read the guides above, we’ve broken down the key points of Publication 5708 below into actionable steps you can take to create your data security plan.
Step 2: Identify Your Data Security Risks
After reading the IRS guides above, you’ll have a strong understanding of the most common security threats targeted at tax preparers, and you’ll be able to identify which ones are relevant to your tax practice. Common schemes that every tax professional should be aware of include the following:
- Phishing scams: Phishers usually pose as trusted parties such as the IRS, banks, your tax preparation software company, employees, or clients. They will usually contact you through email but sometimes use other forms of communication as well. Their messages often carry an urgent request that requires you to click a link, log in, or provide sensitive information or passwords. Always check the domain name of the sender’s email address, be wary of any message that requires you to divulge passwords or sensitive information, and know that the IRS will never initiate contact through email.
- Spear phishing scams: Spear phishing scams are more successful than typical phishing scams because the scammer creates messages that target your specific business. They may gather information from your website and pose as an employee by name. Again, check the domain name on email addresses and never click links or download attachments from suspicious emails.
- Malware, ransomware, and viruses: Scammers often use the techniques above to install malware or viruses on your computers or networks. One of the most common types of malware records your keystrokes, which eventually divulges your usernames and passwords and lets the attacker access your clients’ information. Ransomware lets them hold your clients’ information “hostage” until you pay them to release it.
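The advice above to check the sender’s domain rather than the display name can be turned into a small triage routine. The following Python is an added example, not code from the original article or from TaxSlayer Pro; the trusted-domain list and the sample headers are constructed placeholders that a practice would replace with the domains it actually corresponds with.

```python
import difflib
from email.utils import parseaddr

# Constructed allowlist (assumption): domains this hypothetical practice
# legitimately receives mail from. Replace with your own.
TRUSTED_DOMAINS = {"taxslayerpro.com", "examplebank.com", "example-cpa.com"}


def sender_domain(from_header):
    """Return the lowercase domain of the address in a From: header, or None if it has none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def check_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Classify a From: header by its real domain, ignoring what the display name claims.

    Returns one of:
      'trusted'    - domain is on the allowlist
      'claims-irs' - display name or domain presents as the IRS (the IRS does not
                     initiate contact by email, so treat as phishing)
      'lookalike'  - domain closely resembles a trusted domain (e.g. one character swapped)
      'unknown'    - domain is not recognised; verify out of band before acting
      'malformed'  - no usable address in the header
    """
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if domain is None:
        return "malformed"
    if domain in trusted:
        return "trusted"
    name_words = display_name.lower().split()
    if "irs" in name_words or "internal revenue" in display_name.lower() or domain.endswith("irs.gov"):
        return "claims-irs"
    # Fuzzy match catches typosquats such as taxslayerpr0.com vs taxslayerpro.com.
    if difflib.get_close_matches(domain, sorted(trusted), n=1, cutoff=0.8):
        return "lookalike"
    return "unknown"


def triage(headers):
    """Run check_sender over several From: headers and return {header: verdict}."""
    return {h: check_sender(h) for h in headers}


if __name__ == "__main__":
    # Constructed sample headers (not real messages).
    samples = [
        "TaxSlayer Pro Support <support@taxslayerpro.com>",
        "IRS Refund Dept <refunds@irs-gov-notice.com>",
        "Support Desk <support@taxslayerpr0.com>",
        "Bob Client <bob@gmail.com>",
        "not an address",
    ]
    for header, verdict in triage(samples).items():
        print(f"{verdict:10s}  {header}")
```

Anything other than `trusted` should be confirmed by a phone call to a number you already have on file, never by replying to the message or following its links.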
If you have a tax practice with multiple employees and/or networked computers, you’ll need to identify additional security risks, especially if you use a wireless network.
- Wireless network attacks: Cybercriminals often try to hack into wireless networks to steal information. Be sure to read Publication 4557’s guidelines for securing wireless networks, including reducing the range of your network, removing identifying network names that could make you a target (such as Bob’sTaxPractice), and changing the default password of your wireless router.
- Remote access scams: If you and your employees ever access the company network remotely, you’ll need to be aware of remote access scams. Cybercriminals may pose as an employee trying to gain access to the network to work from home.
Again, the exact risks you face depend on the size and scope of your tax practice. Once you’ve listed the threats that pose a risk to your business, you can write down the security steps to avoid falling victim to these threats.
Step 3: Take an Inventory of Your Hardware
The sample data security plan for tax preparers included in IRS Publication 5708 includes a section that lists every piece of technology or other data storage system used by your practice. You’ll list the type and location of each item and the kind of client information stored there. Doing so can help you identify data security risks you may have overlooked. For example, if you ever back up client information to external storage such as a USB drive, you’ll need to take steps to encrypt that data and create a secure place to store the drive.
Step 4: Write Down Every Safety Measure Your Tax Practice Will Implement
Once you’ve identified your tax practice’s data security threats and every item of inventory you need to protect (i.e., computers, networks, external drives, etc.), you’ll be able to identify each safety measure your practice should put into place. The Security Summit recommends that your WISP address the following areas:
- Data collection and retention
- Data disclosure
- Network protection
- User access
- Electronic data exchange
- Wi-Fi access
- Remote access
- Connected devices
- Reportable incidents
Of course, some of these areas may not be relevant to your specific tax practice. For example, if you don’t use a network or never work remotely, you may not need to address network protection or remote access in your WISP.
We also encourage you to include a section on basic updates. Keeping your security software, tax software, and web browsers up-to-date helps ensure you always have the latest security features.
Learn more: TaxSlayer Pro Recommended Security Practices
For an idea of how to word your safety measures and protocols, reference the sample WISP on pages 9-12 of Publication 5708.
Step 5: Learn the Signs of a Data Breach & Identify Next Steps
In addition to knowing how to prevent data breaches, it’s also essential that you and your employees know the signs that a data breach has already occurred. Here are a few of the most common signs outlined in Publication 4557:
- Client e-filed tax returns begin to reject because returns with their Social Security numbers have already been filed.
- Clients who haven’t filed tax returns begin to receive authentication letters (5071C, 4883C, 5747C) from the IRS.
- Clients who haven’t filed tax returns receive refunds.
- Clients receive tax transcripts they did not request.
- Clients who created an IRS online services account receive an IRS notice that their account was accessed or IRS emails stating their account has been disabled, or clients receive an IRS notice that an IRS online account was created in their names.
- The number of returns filed under a tax practitioner’s Electronic Filing Identification Number (EFIN) or Preparer Tax Identification Number (PTIN) exceeds the number of returns the practitioner actually filed.
- Tax professionals or clients respond to emails that practitioners did not send.
- Network computers run slower than usual, or computers turn themselves on.
- Computer cursors move or change numbers without touching the keyboard.
- Network computers lock out tax practitioners.
Our guide, What To Do In The Event of a Tax Data Breach, gives you practical steps you can include in your WISP, such as contacting the IRS and FBI and offering identity theft protection to your clients.
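Two of the signs above (returns rejecting because a Social Security number has already been used, and an EFIN return count higher than the practice’s own count) can be checked from records a practice already has. The Python below is an added example, not code from the original article or from TaxSlayer Pro; the acknowledgement records and the counts are constructed sample data, and the reject-reason wording is a placeholder, not an actual IRS reject code.

```python
from dataclasses import dataclass

@dataclass
class Ack:
    """One e-file acknowledgement as the practice might log it (constructed shape)."""
    client_id: str
    status: str        # "accepted" or "rejected"
    reason: str = ""   # free-text rejection explanation, if any


# Constructed sample acknowledgements for one filing season (not real data).
ACKS = [
    Ack("C001", "accepted"),
    Ack("C002", "rejected", "Primary SSN already used on a previously accepted return"),
    Ack("C003", "rejected", "Dependent SSN already used on another return"),
    Ack("C004", "rejected", "Missing signature form"),
]

# Phrases that, in the rejection text, indicate a return already exists for that SSN.
# Placeholder wording; match it to the actual reject messages your software shows.
DUPLICATE_SSN_MARKERS = ("already used", "already been filed", "previously accepted")


def duplicate_ssn_rejects(acks):
    """Return the client ids whose rejection says a return was already filed for their SSN."""
    return [
        a.client_id
        for a in acks
        if a.status == "rejected"
        and any(marker in a.reason.lower() for marker in DUPLICATE_SSN_MARKERS)
    ]


def breach_indicators(acks, practice_filed, irs_reported):
    """Return a list of human-readable findings; an empty list means no indicator fired.

    practice_filed: returns the practice knows it submitted this season (from its own log)
    irs_reported:   returns the IRS shows under the practice's EFIN for the same period
    """
    findings = []
    dups = duplicate_ssn_rejects(acks)
    if dups:
        findings.append(
            f"{len(dups)} return(s) rejected because the SSN was already used: {', '.join(dups)}"
        )
    if irs_reported > practice_filed:
        findings.append(
            f"IRS shows {irs_reported} returns under this EFIN but the practice submitted {practice_filed}"
        )
    return findings


if __name__ == "__main__":
    for line in breach_indicators(ACKS, practice_filed=4, irs_reported=6):
        print("INDICATOR:", line)
```

A single duplicate-SSN reject can be a typo in a client’s number, so treat one as something to verify with the client; several in one season, or any EFIN count mismatch, is the point at which the incident steps your WISP lays out should start.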
Step 6: Create Your Employee Training Plan
A security plan is only effective if everyone in your tax practice follows it. Therefore, addressing employee training and compliance is essential to your WISP. After you’ve written down your safety measures and protocols, include a section that outlines how you will train employees in data security. Address questions like:
- Will you run background checks or check references for new employees?
- How are new employees onboarded? What training must they complete before they are given access to usernames, passwords, and client data?
- How will you train employees to recognize common security threats?
- What measures will you take if an employee fails to follow protocols?
Step 7: Review Your WISP Annually
The Security Summit encourages you to see your WISP as an evergreen document. It should evolve with your business’s scope and the increasingly sophisticated security threats against the tax industry. When your tax business adds new technology, employees, or services, or as cybercriminals develop new tactics, you should update your WISP accordingly.
Learn more: An Upgrade Strategy for Your Office Computers
How TaxSlayer Pro Can Help You Create a Data Security Plan
Data security is always at the forefront of our minds. We ensure all our software, both desktop and cloud-based, is equipped with the industry’s best encryption and security features. To help you avoid security threats and comply with FTC standards, we’ve also drafted a sample data security plan outline for TaxSlayer Pro users. You can open the template in Microsoft Word and modify it to meet the needs of your tax practice.
This article was last updated on 1/9/2023.