IRS Mandates Annual Written Data Security Procedures (WISP) for All PTIN Holders

The IRS mandates that all PTIN holders, Tax Preparers, and EROs implement an annual Written Data Security Procedures (WISP) to protect sensitive client data and comply with federal regulations. A WISP is crucial for ensuring your business adheres to the highest standards of data security, safeguarding Personally Identifiable Information (PII) and demonstrating a commitment to protecting your clients' trust.

Why Does the WISP Have to Be Written?

A written WISP provides a clear, actionable framework for securing sensitive data and meeting IRS requirements. It ensures that every employee understands their responsibilities and adheres to established protocols. By having a written plan, businesses can streamline compliance, document efforts to secure data, and provide evidence of compliance in case of an audit.

Do All Employees Review and Sign the Authorization?

Yes, all employees must review the WISP and provide signature authorization. This step ensures that every team member acknowledges and understands their role in safeguarding client data. Regular reviews and updates of the WISP keep the entire team aligned with the latest security practices and IRS requirements.

Key Roles in Implementing a WISP

1. Data Security Coordinator (DSC)
   The DSC oversees the development, implementation, and maintenance of the WISP. This includes conducting regular risk assessments, ensuring compliance with data security standards, and coordinating employee training to address potential vulnerabilities.
2. Public Information Officer (PIO)
   The PIO handles communication about the organization's data security policies, both internally and externally. This role ensures transparency with clients regarding how their sensitive information is protected and addresses any inquiries or incidents involving data breaches.
3. Personally Identifiable Information (PII)
   The WISP must identify and secure all PII handled by the organization, including sensitive client data managed by PTIN holders, Tax Preparers, and EROs. PII includes Social Security Numbers, financial details, addresses, and other private information critical to tax preparation.

Protect Your Business and Clients with a Comprehensive WISP

Developing and implementing a WISP is not just a regulatory requirement—it’s a vital step in protecting your business and clients. Appointing a DSC and PIO, training employees, and securing client PII are essential components of staying compliant and maintaining trust. Regularly updating your WISP ensures your business remains resilient against evolving cybersecurity threats.

Start today by creating your IRS-mandated WISP. Stay compliant, protect sensitive data, and build a secure future for your business.

• Protect Your Clients; Protect Yourself
• IRS Guides on identity theft (All links are on below and the Appendix on 2025 WISP)

  Individuals
  Businesses
  Tax professionals

• Report a Breach - State Data Breach Contacts (All state links are on the Appendix on 2025 WISP)
• State Attorneys General - Most states require that the state attorney general be notified of data breaches.
• IRS "6" Mandated Standards - IRS Publication 1345
• Data Security Coordinator Compliance Person - Responsiblities
• Data Security Coordinator Compliance Person - Agreement and Attachment #3
• Public Information Officer - Responsibilites
• Public Information Officer - Agreement
• Document Safety Measures in Place with Suggested Policies to Include in your WISP - Template #8
• Firm Employees Authorized to Access PII - Template #9
• Employee Acknowledgement of Understanding - Agreement - Attachment #5
• Contractor Acknowledgement of Understanding - Agreement- Attachment #5
• Government Agencies - Ongoing
• Remote Working Employees - Template and Agreement
• Remote Working Contractors - Template and Agreement
• PII Disclosure Policy
• Reportable Events Policy
• WISP and HIPPA - Satisfying PII Protection Requirements through a Written Information Security Plan (WISP) in Compliance with HIPAA, IRS, and FTC Regulations
• WISP Duties of ERO Electronically File - Template to capture the key duties of an EFIN and PTIN holder serving as an ERO
• IRS Publication 1345 - Templates of:
  • Key E-File Requirements Outlined
  • What are the EFIN, PTIN and ERO Duties After Submitting the Return to the IRS
• IRS Publication 5461 - Protect personal and financial information online
• IRS Publication 5461d - Tax professionals should review their security protocols
• IRS Publication 4557 - Template of: Safeguarding Taxpayer Data
• WISP Reportable Event Policy
• IRS Publication 5708 - Templates of:
  • What Does the FTC Require for WISP Compliance
• IRS Publication 5709 - Templates of:
  • IRS Mandated "6" Standards;
  • WISP security procedures Authorized IRS e-file Providers;
  • Intermediate Service Provider receives tax information from an Electronic Return Originator (ERO);
  • IRS e-file Rules and Requirements
• IRS Publication 5293 - Templates of:
  • track and document ERO duties...;
  • Learn the Signs of Data Theft;
  • Proactive Security Practices...;
• Professional Responsibility and Data Security: Practitioners’ Obligation to Have a Written Information Security Plan (https://www.writtendatasecurityplan.com/documents/2023-10-careful-wisp(ef)-professional-responsibility-and-data-security.pdf) IRS Publication 5293 - Content and Templates
• WISP - EFIN, PTIN and ERO - Content and Templates