What IRS Publication 4557 Actually Requires from Tax Professionals
If you prepare federal tax returns professionally, IRS Publication 4557 — Safeguarding Taxpayer Data — is not a suggestion. It is the IRS's definitive guidance on your legal obligations under the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Safeguards Rule to protect the sensitive financial data you handle every day.
At its core, Publication 4557 requires every tax professional or firm, regardless of size, to implement a formal, written data security program. That program is called a Written Information Security Plan, or WISP. The FTC Safeguards Rule applies to paid preparers whether they file one return or thousands; the "11 or more returns" figure that often appears in this context is the IRS e-file mandate threshold, not a Safeguards Rule cut-off. The IRS reinforces the WISP obligation through Publication 4557 and Publication 5708, which provides a sample WISP template.
This guide breaks down exactly what Publication 4557 covers, what your WISP must include, and the practical steps to achieve and maintain compliance in 2026. For a broader view of security obligations specific to your profession, see our guide on cybersecurity for tax professionals.
Tax Preparer Data Security: By the Numbers
[Statistics panel not reproduced here; the sources cited were the IBM Cost of a Data Breach Report 2024, the Verizon 2024 Data Breach Investigations Report, and the FTC Safeguards Rule's coverage of tax preparers.]
The Legal Foundation: GLBA, FTC Safeguards Rule, and IRS Guidance
Tax preparers operate at the intersection of three overlapping regulatory frameworks, all of which converge on the same core requirement: protect taxpayer data with a documented security program.
Gramm-Leach-Bliley Act (GLBA)
The GLBA classifies tax preparers as "financial institutions" because they receive nonpublic personal financial information. This classification means you are subject to the FTC's implementing regulations, specifically the Safeguards Rule under 16 CFR Part 314. The rule was substantially amended in 2021, with most new requirements taking effect in June 2023, and amended again in 2023 to add a breach-notification duty that took effect in May 2024.
FTC Safeguards Rule (Updated 2023)
The revised Safeguards Rule requires covered financial institutions, a category that includes paid tax preparers regardless of how many returns they file, to maintain a written information security program that includes:
- A designated qualified individual responsible for the program
- A written risk assessment identifying reasonably foreseeable threats
- Safeguards addressing identified risks, including encryption, access controls, and multi-factor authentication (MFA)
- Annual testing or monitoring of those safeguards
- Oversight of service providers who handle taxpayer data
- An incident response plan
- Annual reporting to the board or governing body
Under 16 CFR 314.6, firms that hold information on fewer than 5,000 consumers are exempt from four of the written requirements (the written risk assessment, the scheduled penetration-test and vulnerability-assessment cadence, the written incident response plan, and the annual report). Publication 4557 nonetheless expects a WISP that addresses each of these, and the remaining safeguards apply to firms of every size.
IRS Publication 4557
Publication 4557 translates these regulatory requirements into actionable IRS guidance. It maps directly to the FTC Safeguards Rule requirements while adding IRS-specific expectations around reporting data theft, responding to identity theft on tax returns, and securing e-file credentials (EFIN and PTIN). The IRS updates this publication periodically; the current version reinforces that a WISP is non-negotiable for any practicing tax professional.
Non-compliance carries real consequences. The FTC can impose civil penalties per violation per day; the maximum is adjusted for inflation every year and stood at $50,120 at the 2023 adjustment. State attorneys general can also bring independent enforcement actions. Beyond regulatory penalties, a breach of taxpayer data exposes your firm to civil liability and reputational damage that few small practices can survive. Review our page on tax safeguard compliance 4557 for enforcement context.
What Must Be in Your WISP: The Required Elements
The FTC Safeguards Rule and IRS Publication 4557 together define the minimum elements your WISP must address. A compliant WISP is not a one-page acknowledgment — it is a living document that describes your actual security environment and how you manage risk within it.
1. Designated Qualified Individual
You must name a specific person — internal or an external service provider — responsible for overseeing, implementing, and enforcing the security program. For sole practitioners, this is typically the preparer themselves. For larger firms, it may be an office manager, IT director, or a managed security services partner.
2. Risk Assessment
Before you can protect data, you have to know what threats face it. Your WISP must document a formal risk assessment that identifies where taxpayer data lives (workstations, servers, cloud storage, email), who can access it, and what the realistic threats are — including phishing, ransomware, insider misuse, and physical theft. For guidance on assessing cloud exposure specifically, see our article on is cloud storage IRS compliant.
3. Safeguards Proportionate to Risk
Based on the risk assessment, your WISP must specify the controls you use to mitigate each identified threat. The FTC Safeguards Rule prescribes several controls explicitly:
- Encryption of taxpayer data in transit and at rest
- Multi-factor authentication (MFA) for any system accessing taxpayer data (or a documented equivalent compensating control)
- Access controls limiting data access to those who need it
- Secure disposal of data and devices no longer needed
- Patch management keeping systems current against known vulnerabilities
- Anti-malware protection on all endpoints handling taxpayer data
4. Testing and Monitoring
Safeguards must be tested. The Safeguards Rule offers a choice: continuous monitoring of your information systems, or annual penetration testing plus vulnerability assessments at least every six months (and after any material change to your operations). Firms holding information on fewer than 5,000 consumers are exempt from that scheduled cadence, but they must still regularly test or otherwise monitor the effectiveness of their safeguards. All firms must monitor systems for unauthorized access or anomalous activity.
5. Service Provider Oversight
If you use cloud tax software, hosted servers, or any vendor who accesses taxpayer data, your WISP must identify those providers and document how you verify their security practices — typically through written contracts requiring them to implement appropriate safeguards.
6. Incident Response Plan
Your WISP must include a written incident response plan describing how your firm will detect, contain, assess, notify, and recover from a security event. The IRS requires you to report data theft to the IRS Stakeholder Liaison immediately, within 24–48 hours of discovery. NIST SP 800-61, the Computer Security Incident Handling Guide, provides a proven structure you can adapt for your practice.
IRS Reporting Obligation After a Data Breach
If taxpayer data is stolen or compromised, IRS Publication 4557 requires you to contact your IRS Stakeholder Liaison immediately, within 24 to 48 hours. You must also notify affected taxpayers, your state tax agency, the FTC (the amended Safeguards Rule requires notice to the FTC within 30 days of discovering an event that involves the information of 500 or more consumers), and your professional liability insurer. Delayed reporting can escalate both regulatory exposure and client harm. Keep your liaison's contact information current in your WISP.
Building a WISP That Passes Scrutiny: Practical Guidance
Many tax preparers have a WISP on file that was written once, filed away, and never updated. That approach satisfies the letter of the requirement at the moment of creation but fails almost immediately — your technology, staff, and threat environment all change. Regulators and auditors look for evidence that your WISP reflects your current operations.
Start With IRS Publication 5708
The IRS published IRS Publication 5708, which includes a sample WISP template tailored specifically for tax professionals. It is the most practical starting point available and is structured to satisfy both FTC Safeguards Rule requirements and IRS-specific expectations. Use it as a framework, not a finished product — your WISP must reflect your actual environment, not a generic template.
Inventory Your Data First
You cannot protect data you have not mapped. Before drafting your WISP, document every place taxpayer data lives: local workstations, external hard drives, cloud tax software, email servers, client portals, and paper files. Include data in transit — email attachments, file transfers, fax. This inventory becomes the foundation of your risk assessment.
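A data inventory is easier to keep honest if part of it is mechanical. The script below is an added example, not code from the page or from the IRS, that walks a directory tree and reports which text-like files contain strings shaped like Social Security numbers, applying the SSA issuance rules (area never 000, 666 or 900 and up; group never 00; serial never 0000) to cut false positives. The file set it scans is constructed sample data built in a temporary directory; the suffix list, the 5 MB size cap and the hyphen-or-space separator requirement are this example's assumptions, not anything the page prescribes. Only the last four digits of each hit are kept, so the inventory itself does not become another copy of the data.

```python
"""Added example: locate files that appear to hold SSNs, for a WISP data inventory.
Sample files, suffix list and size cap are assumptions made for this example."""
import os
import re
import tempfile
from pathlib import Path

# Hyphen- or space-separated SSN shape. Bare 9-digit runs are deliberately not
# matched: they hit phone numbers, EINs and invoice numbers far too often.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")

# Only text-like files are read (assumption); binaries and oversized files are skipped.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json", ".xml", ".html", ".eml"}
MAX_BYTES = 5 * 1024 * 1024


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area is never 000, 666 or 900-999; group never 00; serial never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_file(path: Path) -> list:
    """Return (line_number, masked_ssn) for each plausible SSN in one file.
    Only the last four digits are retained in the report."""
    hits = []
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, start=1):
            for area, group, serial in SSN_RE.findall(line):
                if plausible_ssn(area, group, serial):
                    hits.append((line_no, f"***-**-{serial}"))
    return hits


def scan_tree(root: Path) -> dict:
    """Walk `root`; return {relative_posix_path: hit_count} for files with at least one hit."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            if path.stat().st_size > MAX_BYTES:
                continue
            hits = scan_file(path)
            if hits:
                inventory[path.relative_to(root).as_posix()] = len(hits)
    return inventory


def build_sample_tree() -> Path:
    """Constructed sample data (not real taxpayer records) so the scan runs offline.
    The 000-, 666- and 912- rows are deliberately invalid and must be ignored."""
    root = Path(tempfile.mkdtemp(prefix="wisp-inventory-"))
    (root / "clients").mkdir()
    (root / "clients" / "2025-intake.csv").write_text(
        "name,ssn,refund\n"
        "A. Client,123-45-6789,1200\n"
        "B. Client,219 09 9999,0\n"
        "Test Row,000-12-3456,0\n"
        "Test Row,666-12-3456,0\n"
        "Test Row,912-12-3456,0\n",
        encoding="utf-8",
    )
    (root / "notes.txt").write_text(
        "Call back re: 555-1234 (office phone)\nEIN 12-3456789 on file\n",
        encoding="utf-8",
    )
    (root / "mail.eml").write_text(
        "Subject: W-2\n\nSSN on form: 321-54-9876\n", encoding="utf-8"
    )
    (root / "setup.exe").write_bytes(b"MZ\x00\x00123-45-6789")  # binary: skipped by suffix
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, count in sorted(scan_tree(sample).items()):
        print(f"{count:3d}  {rel}")
```

Run against a real share or workstation, the output is the list of locations that belong in the "where taxpayer data lives" section of the WISP; files the scanner cannot read (encrypted archives, scanned PDFs, tax-software databases) still have to be inventoried by hand.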
Match Controls to Actual Risk
A two-person firm operating on a single network with three workstations faces different risks than a 20-person regional CPA firm with remote staff. Your controls — and your WISP — should reflect that reality. Overengineered controls that staff do not follow are worse than simpler controls that are actually implemented. For detailed implementation guidance, review our WISP checklist for CPA firms.
Address Phishing Explicitly
Phishing is consistently the leading initial access vector in tax sector breaches, with the IRS issuing annual warnings about targeted campaigns against preparers. Your WISP should describe your email security controls, employee training cadence, and procedures for verifying suspicious client communications. See our analysis of phishing attacks on tax professionals for current threat patterns.
Review and Update Annually — At Minimum
The FTC Safeguards Rule requires your qualified individual to report to the board (or equivalent) at least annually on the state of the security program. Tie your WISP review to that reporting cycle. Also update your WISP whenever you experience a material change: new software, new staff, new office location, new service providers, or a security incident.
How to Build a Compliant WISP: Step-by-Step
Designate Your Qualified Individual
Formally name the person responsible for your security program. Document this in your WISP with their name, title, and contact information. External security partners can fill this role.
Conduct a Written Risk Assessment
Inventory all systems, locations, and personnel that touch taxpayer data. Identify realistic threats — phishing, ransomware, insider access, physical theft — and assess the likelihood and impact of each.
Document Your Safeguards
For each identified risk, specify the control in place: MFA configuration, encryption standards, access control policies, patch management schedule, anti-malware solution, and secure disposal procedures.
Address Service Providers
List every vendor with access to taxpayer data. Obtain and document their security commitments — ideally via written contract — and verify their safeguards at least annually.
Write Your Incident Response Plan
Define your detection, containment, assessment, notification, and recovery procedures. Include IRS Stakeholder Liaison contact info, state agency contacts, and client notification templates.
Train Your Staff
Security awareness training is required, not optional. Document the training provided, who received it, and when. Phishing simulations provide measurable evidence of program effectiveness.
Test, Review, and Update Annually
Run vulnerability assessments, review your risk assessment for changes, update controls as needed, and generate the annual report to your governing body. Date and version your WISP each time.
IRS Publication 4557 and the Broader Compliance Picture
Publication 4557 does not exist in isolation. Tax professionals increasingly face overlapping obligations from state-level data security laws, professional licensing bodies, and cyber insurance underwriters — all of which align with or exceed IRS/FTC requirements.
State-Level Requirements
At least 11 states have enacted their own data security laws for tax preparers or financial service providers, with requirements that may exceed the federal baseline. Massachusetts (201 CMR 17.00), New York (the SHIELD Act, and 23 NYCRR 500 for entities licensed by the New York Department of Financial Services), and California (CCPA/CPRA) are among the most demanding. Your WISP should be reviewed against any state requirements applicable to your practice location and your clients' residences.
FTC Safeguards Rule vs. IRS Publication 4557
These two frameworks are complementary, not duplicative. The FTC Safeguards Rule is the enforceable regulation with civil penalty authority. IRS Publication 4557 is the IRS's interpretive guidance that applies the Safeguards Rule to the specific context of tax preparation and adds IRS-specific reporting requirements. Compliance with Publication 4557 generally satisfies the FTC Safeguards Rule for tax preparers, but you should verify compliance with both frameworks independently.
For firms that also handle payroll, benefits administration, or financial planning, additional frameworks — including FTC Safeguards Rule obligations specific to those services — may apply. Firms exploring a zero trust security architecture will find that approach well-aligned with Publication 4557's access control and least-privilege requirements.
Cyber Insurance Requirements
Insurers writing cyber coverage for tax practices increasingly require documented WISP existence as a condition of coverage — and some require evidence of specific controls (MFA, endpoint detection and response (EDR), encrypted backups) before binding a policy. A well-maintained WISP is not just a compliance document; it directly affects your insurability and premium.
Core Security Controls Required by IRS Publication 4557
Multi-Factor Authentication
Required for all systems accessing taxpayer data. Applies to tax software logins, email, remote access, and cloud storage.
Encryption at Rest and in Transit
Taxpayer data must be encrypted on all devices and when transmitted — including email attachments and client portals.
Monitoring and Anomaly Detection
Systems must be monitored for unauthorized access. Logs should capture login attempts, access events, and configuration changes.
Access Controls and Least Privilege
Only personnel who need taxpayer data for their role should be able to access it. Terminate access immediately upon staff departure.
Patch Management
All operating systems, tax software, and applications must be kept current. Unpatched internet-facing systems (remote access gateways, VPN appliances, hosted servers) are, alongside phishing, a frequent ransomware entry point.
Secure Disposal
Taxpayer data on decommissioned hardware or expired records must be securely wiped or destroyed — not simply deleted or recycled.
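The monitoring control above says logs must capture login attempts and access events, but a log nobody evaluates is not monitoring. The script below is an added example, not code from the page or from any particular tax software, of the minimum evaluation a small practice can run over its authentication log: it flags a burst of failed logins from one source, a success that follows such a burst, a success outside business hours, and a success from a source address never before seen for that user. The log format (`timestamp user=... src=... result=OK|FAIL`), the five-failures-in-ten-minutes threshold, the 07:00-19:59 business window, the per-user list of known sources, and the sample log lines are all constructed for this example.

```python
"""Added example: evaluate authentication log lines for the events a WISP's
monitoring section should catch. Log format, thresholds, business hours and
sample lines are assumptions made for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape; adapt the pattern to whatever your portal, VPN or RMM emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 5                      # failures from one (user, source) ...
FAIL_WINDOW = timedelta(minutes=10)     # ... inside this window = password guessing
SUSPECT_AFTER = 3                       # a success after this many failures is suspect
BUSINESS_HOURS = range(7, 20)           # 07:00-19:59 in the log's timezone (assumption)


def parse(line: str):
    """Return (timestamp, user, source, result) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["user"], m["src"], m["result"]


def detect(lines, known_sources: dict) -> list:
    """Scan lines in order; return (kind, user, src, timestamp) alerts.
    `known_sources` maps user -> set of addresses previously seen for that user;
    it is updated in place as new sources are accepted."""
    alerts = []
    recent_fails = defaultdict(deque)   # (user, src) -> failure timestamps in window
    for line in lines:
        rec = parse(line)
        if rec is None:                 # unparseable lines are skipped, not fatal
            continue
        ts, user, src, result = rec
        q = recent_fails[(user, src)]
        if result == "FAIL":
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) == FAIL_THRESHOLD:        # fire once when the threshold is crossed
                alerts.append(("brute_force", user, src, ts))
            continue
        # result == "OK"
        if len(q) >= SUSPECT_AFTER:             # guessing may have succeeded
            alerts.append(("success_after_failures", user, src, ts))
        q.clear()
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("after_hours_login", user, src, ts))
        seen = known_sources.setdefault(user, set())
        if src not in seen:
            alerts.append(("new_source", user, src, ts))
            seen.add(src)
    return alerts


# Constructed sample log: two normal days, then an after-hours guessing run
# against jdoe from an unfamiliar address that ends in a successful login.
SAMPLE_LOG = """
2026-02-10T09:02:11Z user=jdoe src=198.51.100.10 result=OK
2026-02-10T09:15:40Z user=asmith src=198.51.100.11 result=FAIL
2026-02-10T09:15:52Z user=asmith src=198.51.100.11 result=OK
2026-02-11T02:40:01Z user=jdoe src=203.0.113.77 result=FAIL
2026-02-11T02:40:04Z user=jdoe src=203.0.113.77 result=FAIL
2026-02-11T02:40:08Z user=jdoe src=203.0.113.77 result=FAIL
2026-02-11T02:40:11Z user=jdoe src=203.0.113.77 result=FAIL
2026-02-11T02:40:15Z user=jdoe src=203.0.113.77 result=FAIL
2026-02-11T02:40:19Z user=jdoe src=203.0.113.77 result=FAIL
2026-02-11T02:41:30Z user=jdoe src=203.0.113.77 result=OK
this line is malformed and must be ignored
"""


def run_sample() -> list:
    """Evaluate the constructed log with the office's known addresses preloaded."""
    known = {"jdoe": {"198.51.100.10"}, "asmith": {"198.51.100.11"}}
    return detect(SAMPLE_LOG.strip().splitlines(), known)


if __name__ == "__main__":
    for kind, user, src, ts in run_sample():
        print(f"{ts.isoformat()}  {kind:24s} user={user} src={src}")
```

A single mistyped password followed by a success (asmith) produces nothing; the jdoe sequence produces four alerts, and the "success_after_failures" one is the event that should trigger the incident response plan rather than a ticket. Whatever produces the alerts in your practice, the WISP should name who receives them and how quickly they are reviewed.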
Common WISP Failures and How to Avoid Them
Having a WISP is necessary. Having a compliant, current WISP is what actually matters. The following are the most frequently observed failures in tax preparer security programs — and practical ways to address each one.
Using a Generic Template Without Customization
The IRS sample WISP in Publication 5708 is a starting point, not a finished document. A WISP that lists security controls your firm does not actually use — or omits controls you do use — is both inaccurate and potentially deceptive to regulators. Every section should reflect your real environment.
Not Updating After Changes
Adding a new staff member, switching tax software, or moving to cloud-based storage all change your risk profile. Each of these events should trigger a WISP review. Build a recurring calendar reminder tied to your tax season wind-down to conduct an annual full review.
Missing the Incident Response Component
The incident response plan is the most commonly omitted section in small-firm WISPs. It is also the most operationally important — in the stress of a breach, you need a documented playbook, not improvisation. At minimum, document who to call, in what order, within what timeframe, and what evidence to preserve.
No Documentation of Training
Training requirements without records do not count. Maintain a log of all security awareness training completed — dates, topics covered, and who attended. If you use an online training platform, export completion certificates and store them with your WISP.
Ignoring Physical Security
Publication 4557 covers physical as well as digital safeguards. Unlocked file cabinets containing client folders, unattended workstations, and unsecured printers storing tax returns in memory are all within scope. Your WISP should address office access controls and paper document handling.
Ransomware is a particular concern for tax practices during filing season, when attackers know you cannot afford downtime. Our guide on ransomware protection for tax practices covers prevention and recovery strategies aligned with Publication 4557 requirements.
Get a Free IRS Publication 4557 Compliance Assessment
Bellator Cyber Guard's security specialists will evaluate your current WISP and data security controls against IRS Publication 4557 and FTC Safeguards Rule requirements — and give you a prioritized action plan at no cost.
Frequently Asked Questions
Who is required to have a WISP?
Any tax professional or firm that prepares federal tax returns for compensation is required by the FTC Safeguards Rule to have a written information security plan, and the IRS reinforces that obligation through Publication 4557. The rule sets no minimum return count; the 11-return figure sometimes cited is the IRS e-file mandate threshold. The requirement applies to sole practitioners, CPA firms, enrolled agents, and any other paid return preparer, regardless of firm size.
What is the difference between Publication 4557 and Publication 5708?
Publication 4557 is the IRS's primary guidance document outlining your data security obligations and what a compliant security program must include. Publication 5708 is a companion document that provides a sample WISP template you can use as a starting framework. Both documents should be read together when building or updating your WISP.
What are the penalties for non-compliance?
The FTC can impose civil penalties per violation per day for violations of the Safeguards Rule; the maximum is adjusted for inflation each year and was $50,120 at the 2023 adjustment. State attorneys general can bring independent enforcement actions under state data security laws. Beyond regulatory penalties, a breach without a documented security program significantly increases your civil liability exposure to affected clients and can result in loss of your EFIN or professional license.
Do sole practitioners need a WISP?
Yes. The FTC Safeguards Rule applies to sole practitioners; its small-firm exemption (for firms holding information on fewer than 5,000 consumers) drops only a few written-documentation requirements, and Publication 4557 still expects every preparer to maintain a WISP. The WISP for a one-person practice will naturally be simpler than that of a larger firm, but it should still address all required elements: risk assessment, designated qualified individual, safeguards, testing, service provider oversight, and an incident response plan.
How often should a WISP be reviewed?
At minimum, annually. The FTC Safeguards Rule requires an annual report to your governing body on the status of your security program, which should include a WISP review. You should also update your WISP whenever a material change occurs: new staff, new software, new office locations, new service providers, or following any security incident. Date and version your document each time you update it.
What must you do after taxpayer data is stolen?
IRS Publication 4557 requires you to contact your IRS Stakeholder Liaison within 24 to 48 hours of discovering that taxpayer data was stolen or compromised. You must also notify affected taxpayers so they can protect themselves from identity theft, report to your state tax agency, notify the FTC (you can file at reportfraud.ftc.gov, and the amended Safeguards Rule requires notice to the FTC within 30 days when an event involves the information of 500 or more consumers), and notify your professional liability insurer. Your incident response plan should have all contact information documented in advance.
Is multi-factor authentication required?
Yes. The updated FTC Safeguards Rule, which Publication 4557 incorporates, explicitly requires multi-factor authentication (MFA) for any individual accessing customer information systems, unless your qualified individual approves and documents an equivalent compensating control. In practice, MFA should be enabled on tax software logins, email accounts, remote access tools, and any cloud storage containing taxpayer data.
Can you store taxpayer data in the cloud?
Yes, but with conditions. Your WISP must identify the cloud provider as a service provider, document how you verified their security practices, and include written contract terms requiring them to implement appropriate safeguards. You remain responsible for access controls on your end, including MFA, user access management, and monitoring. See our guide on is cloud storage IRS compliant for a detailed breakdown.
What is the IRS Security Six?
The IRS Security Six refers to six baseline security actions the IRS recommends for all tax professionals: anti-virus software, a firewall, MFA, drive encryption, backup software, and virtual private network (VPN) use. The Security Six represents a minimum security baseline, not a substitute for a full WISP. A compliant WISP must address all FTC Safeguards Rule requirements, which go well beyond the Security Six to include a written risk assessment, incident response planning, staff training, and service provider oversight.
Where can you get the current publications?
The current version of IRS Publication 4557 is available directly from the IRS at irs.gov/pub/irs-pdf/p4557.pdf. The sample WISP template (Publication 5708) is available at irs.gov/pub/irs-pdf/p5708.pdf. Both documents are updated periodically; always use the current version when reviewing compliance requirements. You can also review our detailed breakdown of IRS Publication 4557 requirements 2026.
Need help with IRS compliance?
Our tax cybersecurity specialists can review your security posture and help you get compliant.