National Tax Security Awareness Week, Day 5: Tax pros urged to guard against identity theft with updated Written Information Security Plan

IR-2024-308, Dec. 6, 2024

WASHINGTON – On the final day of National Tax Security Awareness Week, the Internal Revenue Service and its Security Summit partners urged tax professionals to reassess their plans for protecting themselves and their clients’ sensitive information amid increasing attempts by identity thieves to steal tax data.

Identity thieves on the hunt for taxpayer data aren’t just targeting taxpayers, they’re going after the tax professionals, who hold enormous amounts of sensitive taxpayer data, in hopes of filing fraudulent tax returns. This year, the IRS has already received more than 250 reports of data breach incidents from tax professionals affecting approximately 200,000 clients.

Amid these continuing reports of tax professionals encountering data breaches, the Security Summit partners urged practitioners to review the newly updated Written Information Security Plan (WISP) PDF.

Tax professionals are required by federal law to have written plans identifying foreseeable data security risks and safeguards, and a plan of action to take in the event of a security breach. To simplify this complex task, a special team of Security Summit members from the tax community released an updated WISP that tax professionals can use as a roadmap to apply to their own practice.

The IRS also reminds taxpayers that additional safeguards, like multi-factor authentication (MFA), are required by federal law to better protect themselves and their clients. MFA provides an extra layer of security to ensure the proper people are accessing sensitive accounts and systems.

“Countering identity theft is a collective effort, and tax pros are the first line of defense when it comes to protecting taxpayer information,” said IRS Commissioner Danny Werfel. “Millions of taxpayers entrust their personal data to tax professionals, and we want to make it as easy as possible for tax pros to know what they need to do to keep themselves and their clients’ information safe. The Written Information Security Plan forms an essential part of the tax professionals’ defense against data breaches and identity thieves, helping protect their clients and protect themselves.”

The WISP, available in IRS Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice PDF, walks tax professionals through the steps of assembling a plan, including understanding security compliance requirements and professional responsibilities. It also provides a sample template that tax professionals can use as they draft a plan for their business.

The new version of the WISP, the result of a year-long collaborative effort between the IRS and its Security Summit partners, includes several updates, like highlighting best practices for implementing multi-factor authentication.

During National Tax Security Awareness Week, now in its ninth year and concluding today, the Security Summit partnership of the IRS, tax professionals, tax software and financial companies as well as state tax agencies work to raise awareness among taxpayers and tax professionals about the importance of safeguarding information to protect against identity theft. The Security Summit formed in 2015 to combat tax-related identity theft through better public-private sector coordination as well as strengthening internal protections in the tax community and raising public awareness about security threats.

Tax pros are on the front lines of defense in protecting taxpayer information. The Summit partners highlighted several key steps that tax pros – regardless of the size of their practice – should take to protect their systems and comply with federal standards.

WISPs and MFA are crucial – and necessary

Members of the Summit's tax professional team developed a helpful guide that allows practitioners to quickly develop their own WISP to provide a blueprint for information security.

“This helpful guide with sample templates provides a starting point for businesses large or small, and can be scaled for a company's size, scope of activities, complexity and customer data sensitivity,” said Kimberly Rogers, the IRS Return Preparer Office director and co-chair of the Summit’s tax pro group. “There's not a one-size-fits-all WISP. A sole practitioner can use a more abbreviated and simplified plan than a 10-partner accounting firm. This flexibility is reflected in the sample policies and pre-populated templates included in the publication.”

Addressing security issues for a tax professional can be difficult and expensive. A WISP addresses risk considerations for inclusion in an effective plan and provides a blueprint of applicable actions in the event of a security incident, data loss or theft.

Tax pros can also review IRS Publication 5709, How to Create a Written Information Security Plan for Data Safety PDF, for more information on WISPs.

In addition to requirements to have a WISP, the IRS also reminds the tax community that the Federal Trade Commission last year updated its safeguards standards and now require tax professionals to use MFA to protect client information. MFA, which can include sending text/SMS verification codes to a user or asking additional questions to confirm the identity of a person logging into a system, provides an extra layer of security to ensure the proper people are accessing sensitive accounts and systems.

"Building and maintaining a resilient security plan is more than just a requirement — it's a safeguard for both tax professionals and their clients," said Jared Ballew, president of the National Association of Computerized Tax Processors and one of the Summit members who helped develop the WISP.

"There’s no single silver bullet for security; effective protection requires multiple layers of defense,” Ballew continued. “Our goal with these resources is to help tax pros create and reinforce those layers, with the WISP providing a solid foundation to start or enhance that process. The Security Summit partners remain committed to helping every tax professional stay proactive and protected in today’s digital landscape."

IRS Tax Pro Account: Protects pros and their clients’ data and saves time, too

The IRS and Summit partners also emphasize another way to help protect sensitive information from identity thieves is through secure online tools such as the Tax Pro Account. These tools can help manage client information to safeguard sensitive taxpayer and financial data from cyberthreats.

The Tax Pro Account is a secure, mobile-friendly, digital, self-service application that enables tax professionals to act on a taxpayers' behalf, view the taxpayers' information and manage their authorization relationships more efficiently.

As part of IRS transformation efforts, the IRS will continue adding new features to the Tax Pro Account in the future to help tax professionals securely and efficiently serve their clients.

Currently, tax professionals can use Tax Pro Account to send Power of Attorney and Tax Information Authorization requests directly to a taxpayer's individual IRS Online Account. Once the taxpayer approves the request, it's processed in real time — no faxing, mailing, uploading or long waits.

Visit the Tax professionals page on IRS.gov to learn more about E-Services, Tax Pro Account, Employer Identification Numbers, filing, forms, third-party authorizations as well as other safe and secure online tools to serve clients.

Data breaches: What to do when the worst happens

The IRS also recommends tax professionals create an action plan to outline the steps to take in the event of a breach or data theft, in addition to the required Written Information Security Plan. Tax pros now need to report a security event affecting 500 or more people to the Federal Trade Commission as soon as possible, but no later than 30 days from the date of discovery.

A key component to an effective action plan is knowing who to contact. In addition to reporting data loss to the IRS, tax professionals should contact law enforcement, the appropriate states, clients and security professionals.

Places to get help in case of a data breach:

• IRS Stakeholder Liaison – The IRS recommends reporting data theft to the local Stakeholder Liaison first. Liaisons will notify IRS Criminal Investigation and others within the agency on the tax professional's behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients' names.
• Federal Trade Commission – Data breaches involving 500 or more people are now required to be reported to the FTC as soon as possible, but no later than 30 days from the date of discovery.
• Federal Bureau of Investigation – The local office.
• Secret Service – The local office (if directed).
• Local police – To file a police report on the data breach.

Contacting states in which tax pros prepare state returns:

Additional resources

Tax professionals should also stay connected to the IRS through subscriptions to e-News for tax professionals and its social media sites.