
IRS Issues New Security Plan Designed to Help Protect Tax Pros

By: NYSSCPA Staff
Published Date: Aug 14, 2024


The IRS and its Security Summit partners announced that they have released an updated Written Information Security Plan (WISP) designed to help protect tax professionals against continuing threats from identity thieves and data breaches.

This WISP has been updated and expanded to make data security planning easier for tax pros, particularly smaller practices. The result of a year-long effort, the WISP is an easy-to-understand document developed by and for tax and industry professionals to keep customer and business information safe and secure. Tax pros are required to have a security plan under federal law.

The new WISP includes several updates made since the first version came out. Among them, it highlights best practices for implementing multifactor authentication for any individual accessing any information system, unless their qualified individual has approved in writing the use of reasonably equivalent or more secure access controls.

As part of a security plan, the IRS also recommends that tax professionals create a data theft response plan, which includes contacting their IRS Stakeholder Liaison to report a security incident. Tax professionals can also share information with the appropriate state tax agency by visiting a special Report a Data Breach page with the Federation of Tax Administrators.

Tax professionals should also understand the FTC data breach response requirements as part of their overall information and data security plan. The new WISP also includes information on the requirement to report an incident to the FTC as soon as possible, but no later than 30 days after discovery of the incident, when 500 or more people are affected.

The FTC also requires tax pros by law to create and implement a security plan. As a part of the plan, the FTC requires each firm to designate one or more employees to coordinate its information security program; identify and assess risks to customer information in each relevant area of the company's operation and evaluate the effectiveness of the current safeguards for controlling these risks; design and implement a safeguards program and regularly monitor and test it; select service providers that can maintain appropriate safeguards by ensuring that the contract requires them to maintain safeguards and oversee their handling of customer information; and evaluate and adjust the program considering relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.

“Tax professionals play a vital role in the nation’s tax system, and they hold a vast amount of taxpayer information that can be a treasure trove to identity thieves,” said IRS Commissioner Danny Werfel in the announcement. “The newly updated Written Information Security Plan provides a helpful road map for tax pros to help protect their clients and themselves from the constant threat of data breaches. The IRS and the Security Summit partners urge tax pros to stay on top of these evolving threats, and this updated plan is an important part of that effort.”

Because tax professionals are required by law to secure their clients’ data, the IRS and the Security Summit partners are advising them to use the WISP template, which is designed to make data security planning easier, to help them meet this obligation.

“It’s more important than ever for tax pros to protect their data, passwords and other information,” said Kimberly Rogers, director of the IRS Return Preparer Office and co-chair of the Summit's Tax Pro Working Group, in the announcement. “The updated Written Information Security Plan is a result of months of work by tax professionals across the country. The Security Summit members worked together on this plan to make it easier for all tax professionals to develop a plan and an approach that is right for them.”

Tax pros are legally required to maintain an accessible, written form of a WISP as a component of implementing and maintaining a WISP in their practices. It is recommended that they review, test and update their WISPs.

A good WISP focuses on three areas, according to the IRS: employee management and training; information systems; and detecting and managing system failures.
