Bellator Cyber Guard
IRS • FTC • State Enforcement

WISP penalties: the real cost of non-compliance

Many tax professionals assume that cybersecurity compliance is optional or that the IRS will not enforce the rules against small practices. They are wrong. The consequences of non-compliance are severe, immediate, and increasingly common.

The numbers speak for themselves

$350K: average breach cost for small tax practices
4,000+: PTINs revoked or suspended annually
60%: of small firms close within 6 months of a breach
$50K: maximum annual IRS civil penalty

What happens when you do not comply

Non-compliance exposes you to overlapping penalties from federal agencies, state regulators, and private lawsuits. Here is what you are risking.

IRS Civil Penalties Under IRC Section 6713 (up to $50,000/year)

The IRS can impose civil penalties of $250 per unauthorized disclosure of taxpayer information, with a maximum of $10,000 per calendar year under IRC Section 6713. For willful or reckless disregard of the rules, penalties jump to $1,000 per disclosure with a $50,000 annual cap. A single data breach exposing hundreds of client records can reach the maximum in one incident.

Criminal Penalties Under IRC Section 7216 (up to $1,000 fine and 1 year imprisonment)

The knowing or reckless disclosure of tax return information is a federal crime. Each violation can result in a fine of up to $1,000 and imprisonment for up to one year. While criminal prosecution is relatively rare, the IRS has increased referrals to the Department of Justice in recent years, particularly in cases involving large-scale data breaches where the preparer had no security measures in place.

PTIN Revocation and Practice Suspension (loss of ability to practice)

The IRS Office of Professional Responsibility can revoke or suspend your Preparer Tax Identification Number for failing to maintain adequate security safeguards. Without a valid PTIN, you cannot legally prepare federal tax returns. Over 4,000 tax preparers lose their PTIN annually, and an increasing number of those cases involve security compliance failures rather than tax preparation errors.

FTC Safeguards Rule Enforcement (up to $100,000 per violation)

The FTC classifies tax preparers as financial institutions under the Gramm-Leach-Bliley Act. The updated Safeguards Rule requires specific security controls including encryption, MFA, access controls, and a designated qualified individual. FTC enforcement actions can result in consent orders, mandatory compliance programs, and civil penalties of up to $100,000 per violation under the FTC Act.

State Data Breach Notification Penalties (varies by state, often $5,000+/day)

All 50 states have data breach notification laws. If you suffer a breach and fail to notify affected individuals within the required timeframe (typically 30-60 days), you face state-level penalties that can accumulate rapidly. California, New York, and Texas are particularly aggressive, with penalties that can reach $750 per affected individual under the CCPA or $5,000 per day of delayed notification.

Client Lawsuits and Class Actions (potentially unlimited liability)

Clients whose data is compromised due to your lack of security measures have strong grounds for malpractice and negligence lawsuits. Without a documented WISP and security controls, you have virtually no defense. Courts have consistently found that tax professionals owe a duty of care to protect client data. Class action lawsuits from mass data breaches regularly result in settlements exceeding $500,000 for small practices.

It happens to practices like yours

These are not hypothetical scenarios. These are real consequences that real tax professionals faced because they did not have adequate security in place.

Tax Preparer Sentenced for Failing to Protect Client Data

A Florida-based tax preparer was sentenced to 12 months probation and ordered to pay restitution after client records were stolen from an unsecured office computer. The preparer had no WISP, no encryption, and no access controls. The IRS referred the case for criminal prosecution under IRC Section 7216.

CPA Firm Hit with $2.3M Breach Costs

A mid-size CPA firm in the Midwest suffered a ransomware attack during tax season that encrypted all client files. With no incident response plan and no tested backups, the firm paid a $180,000 ransom, spent $950,000 on forensic investigation and remediation, $400,000 on client notification and credit monitoring, and lost an estimated $800,000 in client attrition over the following year.

Solo Practitioner Loses PTIN After Phishing Attack

A solo enrolled agent had her PTIN revoked after a phishing attack compromised 340 client returns. The IRS investigation revealed she had no WISP, no security training, and was using a shared personal email account to receive client documents. She was unable to prepare returns for 18 months while fighting the revocation.

FTC Action Against Tax Preparation Chain

The FTC brought enforcement action against a multi-state tax preparation chain for failing to implement the required safeguards under the Gramm-Leach-Bliley Act. The consent order required the company to implement a comprehensive security program, submit to biennial third-party audits for 20 years, and pay civil penalties exceeding $1.5 million.

Don’t wait for an audit to find out you’re not compliant

The IRS, FTC, and state attorneys general are actively enforcing WISP requirements. Getting compliant now costs a fraction of what a single penalty or breach would cost your practice.

The hidden costs of a data breach

Regulatory fines are just the beginning. The true cost of a breach extends far beyond the penalties and can threaten the survival of your entire practice.

Forensic investigation to determine what was stolen ($50,000-$200,000)

Legal counsel for regulatory response and client notification ($30,000-$100,000)

Client notification, credit monitoring, and identity theft protection ($10-$30 per client)

Business interruption and lost revenue during recovery (weeks to months)

Client attrition as affected individuals take their business elsewhere (30-50% typical)

Increased insurance premiums or inability to obtain cyber insurance

Reputational damage in your community that persists for years

Personal stress, anxiety, and time spent on recovery instead of serving clients

WISP penalties — frequently asked questions

Penalties come from multiple sources. The FTC can fine you up to $50,000+ per Safeguards Rule violation. The IRS can revoke your PTIN under IRC Section 6713 and Section 7216, ending your ability to prepare returns. State attorneys general can impose additional fines ranging from $5,000 to $500,000 depending on your state. And if a client’s data is breached, you face civil lawsuits with no documented security measures to defend yourself.

Yes. The IRS added WISP certification to the PTIN renewal process (Form W-12, Line 11). If you certify compliance without actually having a WISP, that’s false certification under penalty of perjury. The IRS can revoke your PTIN, suspend your EFIN, and refer the matter for criminal prosecution. Without a PTIN, you cannot legally prepare tax returns for compensation.

Yes. The FTC began enforcement of the Safeguards Rule in 2023, and the IRS added WISP attestation to PTIN renewal in 2024. Tax preparers have faced PTIN revocation, criminal charges under IRC Section 7216, and FTC enforcement actions. The IRS has signaled that audit frequency will increase through 2026. The question is no longer if enforcement will happen — it’s whether you’ll be compliant when it reaches your practice.

Without a documented WISP, you have no evidence of reasonable security measures. This exposes you to malpractice lawsuits from affected clients, voided professional liability insurance (carriers view lack of a WISP as willful negligence), mandatory breach notification costs ($10–30 per client for credit monitoring), forensic investigation fees ($50,000–$200,000), and regulatory fines from every jurisdiction where affected clients reside. The average data breach costs $4.35 million — for a solo practitioner, even a fraction of that is practice-ending.

Get your WISP started today

IRS Publication 4557 requires every tax preparer to have a Written Information Security Plan. We make it easy.
