IRS, Security Summit remind tax pros they must have a Written Information Security Plan to protect client data

IR-2025-79, July 29, 2025

WASHINGTON — The Internal Revenue Service and its Security Summit partners today reminded tax professionals about the federal mandate to have a Written Information Security Plan (WISP) designed to help protect them against threats from identity thieves and data breaches. IRS provides resources to help with this process.

As part of a special five-part series, the IRS and Summit partners highlight the importance of tax pros creating and maintaining a WISP.

This marks the third installment of a summer news release series focused on tax professional security. The "Protect Your Clients; Protect Yourself" campaign provides timely tips to help protect sensitive taxpayer data while protecting businesses from identity theft.

These security tips and the WISP are a key focus of the Nationwide Tax Forum, held this summer in cities across the U.S. In addition to this series, a tax professional security component is featured at the three-day continuing education events. The forums continue next week in New Orleans, with remaining events in Orlando, Baltimore and San Diego.

What tax pros should know about WISPs

• Required by law. The Gramm-Leach-Bliley Act (GLBA) requires all financial institutions to protect customer data. Under this law, tax and accounting professionals are considered financial institutions and must implement a data security plan. As a part of the plan, the Federal Trade Commission (FTC) requires each firm to:

• Designate one or more employees to coordinate the information security program.
• Identify and assess risks to customer information in relevant areas of the company's operation and evaluate the effectiveness of safeguards.
• Create, implement and regularly monitor and test security safeguards.
• Select service providers that can maintain appropriate safeguards and ensure their contracts require compliance.

• The basics of a WISP. A good WISP focuses on three areas:
  • Employee management and training
  • Information systems
  • Detecting and managing system failures
• IRS offers WISP tools and resources. IRS Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice PDF is a 28-page template designed to:
  • Help tax professionals, especially smaller practices, develop a WISP.
  • Guide users through starting a plan, including understanding security compliance requirements and professional responsibilities.

Tax professionals are legally required to have a written, accessible plan and should review, test and update it regularly. Adjustments should be made based on changes in the firm’s operations or security testing and monitoring results.

As part of a security plan, the IRS also recommends that tax professionals develop a data theft response plan, including contacting their IRS Stakeholder Liaison to report a security incident. Tax professionals can also share information with the appropriate state tax agency by visiting the Federation of Tax Administrators’ webpage: Report a Data Breach.

Tax professionals should understand the FTC data breach response requirements PDF as part of their overall information and data security plan. The WISP also includes information on the requirement to report an incident to the FTC when 500 or more individuals are affected within 30 days of the incident.

Additional resources

Tax professionals should also stay connected to the IRS through subscriptions to e-News for tax professionals and IRS social media sites.