Here is an uncomfortable fact: if you prepared even a single tax return for a paying client last season and you do not have a Written Information Security Plan (WISP) on file, you are technically operating outside federal law. The Federal Trade Commission can fine you up to $46,517 per violation per day. The IRS can yank your PTIN. And your malpractice insurer can deny a claim after a breach by pointing at the missing document.
Most tax preparers and bookkeepers have heard the acronym "WISP" but treat it as someone else's problem — the kind of thing big firms with compliance officers worry about. That assumption is roughly five years out of date. The amended FTC Safeguards Rule, fully effective since June 2023, dragged solo preparers, small CPA practices, and bookkeeping shops directly into the same regulatory regime that governs community banks. Every paid tax preparer who applies for or renews a PTIN must now attest, on Form W-12 Line 11, that they understand their data security obligations.
This guide walks through what a WISP actually is, the nine elements the FTC and IRS expect to see, the technical controls that have moved from "best practice" to "required," and how to build a plan that holds up in a real audit instead of just looking pretty in a binder.
The Two Laws That Got You Here
Two overlapping regulatory tracks converge on the same outcome: you need a written plan.
Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. Congress passed GLBA in 1999 to govern how financial institutions handle customer information. The FTC's implementing regulation — the Safeguards Rule (16 CFR Part 314) — defines "financial institution" broadly enough to sweep in any business "significantly engaged" in financial activities. The FTC has long held that tax preparation, bookkeeping, and similar services qualify. The Rule was substantially amended in December 2021, and the new technical requirements (MFA, encryption, qualified individual, written program) took full effect on June 9, 2023.
IRS Publication 4557 and the PTIN attestation. Section 7216 and Section 6713 of the Internal Revenue Code already imposed penalties for unauthorized disclosure of tax return information. The IRS layered on Publication 4557 ("Safeguarding Taxpayer Data") and Publication 5708 ("Creating a Written Information Security Plan for Your Tax & Accounting Practice") as the practical roadmap. The 2024 PTIN renewal cycle added a hard checkbox: tax preparers must acknowledge their WISP compliance on Form W-12 Line 11. Lying on that line is its own problem.
The net effect: a one-person tax shop in a strip mall is held to the same baseline as a regional CPA firm. The Rule scales the controls to your size and complexity, but the obligation to have a written plan is binary — you either do or you do not.
Who Actually Has to Have One
You need a WISP if you:
- Prepare any federal tax return for compensation (including occasional side work for a paying client)
- Hold a PTIN, EFIN, or are an Authorized IRS e-File Provider
- Provide bookkeeping, payroll, or accounting services that involve customer financial information
- Operate as a virtual CFO, fractional controller, or outsourced accountant
- Run a Registered Investment Advisor (RIA), mortgage broker, check casher, or other GLBA-covered entity
Volume does not matter. The Rule does not give you a pass for preparing fewer than X returns or earning less than Y in fees. A solo Enrolled Agent preparing twenty returns a year is covered identically to a 200-person firm — both must have a written, current, signed plan.
A narrow exemption exists in the Safeguards Rule for institutions that maintain customer information on fewer than 5,000 consumers, which relaxes a handful of documentation requirements (written risk assessment, incident response plan, annual report to the board). But the core obligation — designating a qualified individual, implementing safeguards, and having a written program — applies regardless of size.
The Nine Elements Your WISP Must Address
The amended Safeguards Rule specifies nine required components. Your WISP does not need to use these exact headings, but every one of them must be addressed somewhere in the document. The IRS Publication 5708 template tracks the same structure.
1. Designate a Qualified Individual
You must formally name one person responsible for overseeing the information security program. For a solo preparer, that is you. For a firm, it is usually the managing partner, an IT lead, or — increasingly — an outsourced vCISO. The qualified individual does not need to be a security expert, but they need authority to make decisions and report to ownership or the board.
Document the appointment in writing. Include the start date, scope of authority, and reporting line.
2. Conduct a Written Risk Assessment
Identify what customer information you collect, where it is stored, who can access it, and what could go wrong. The assessment must be in writing and updated periodically — at least annually and any time your environment materially changes (new software, new staff, new office, breach).
Minimum coverage:
- Data inventory: Social Security numbers, dates of birth, financial account numbers, copies of W-2s and 1099s, bank statements, prior-year returns, EIN data, K-1s
- Storage locations: tax software databases, cloud backups, email attachments, client portals, paper files, mobile devices, USB drives
- Threat scenarios: phishing, ransomware, lost laptop, rogue employee, vendor breach, physical break-in
- Likelihood and impact: rank each scenario so your safeguards can be proportionate
3. Design and Implement Safeguards
This is the meat of the WISP. The Rule expects specific technical and administrative controls, several of which are no longer optional:
- Access controls: limit access to customer data on a need-to-know basis; remove access immediately when an employee leaves
- Encryption at rest and in transit: AES-256 (or equivalent) on all devices, hard drives, backups, and removable media; TLS 1.2 or higher for data in motion; full-disk encryption on every laptop and workstation
- Multi-factor authentication: required for anyone accessing customer information from any system — tax software, e-file portals, cloud storage, email, remote access tools. SMS-only MFA is being deprecated; use authenticator apps or hardware keys where possible
- Secure development and configuration: if you build or customize software, apply secure coding standards; patch systems on a defined cadence
- Inventory and disposal: track devices and dispose of media securely (shredded or wiped to NIST 800-88 standards)
- Change management: document and approve changes to systems that handle customer data
4. Regularly Monitor and Test Safeguards
You must verify that the controls actually work. The Rule offers two acceptable paths:
- Continuous monitoring: tools like SIEM, EDR, or managed detection-and-response services that log and alert on suspicious activity
- Annual penetration testing plus semi-annual vulnerability assessments: traditional third-party testing if you do not have continuous monitoring in place
For a solo preparer, "continuous monitoring" can mean a properly configured endpoint protection product that alerts on anomalies. For a larger firm, expect to engage an outside testing service.
5. Train Your Workforce
Annual security awareness training is mandatory for all personnel with access to customer data — including contractors and seasonal preparers. Topics must include phishing recognition, password hygiene, device security, social engineering, and incident reporting.
Keep attendance records. "I told them in a team meeting" does not count.
6. Oversee Service Providers
Every vendor with access to customer data — tax software, cloud storage, document management, IT support, payroll providers, e-signature tools, even your shredding company — must be:
- Selected with due diligence on their security practices
- Bound by a written contract requiring appropriate safeguards
- Periodically reassessed (typically annually)
Ask vendors for a SOC 2 Type II report or equivalent. The contract should include a breach-notification clause with a defined timeline — most firms require notice within 72 hours of discovery.
7. Keep the Program Current
Reevaluate and adjust the WISP whenever the threat landscape shifts or your operations change. New office? New software? Acquired a small practice? Update the plan.
8. Establish a Written Incident Response Plan
The plan must cover:
- Internal escalation: who learns about the incident, in what order
- Containment and remediation: who stops the bleeding
- External notification: clients, state attorneys general, the FTC, and the IRS
- Documentation: preserve logs, evidence, and a timeline
- Lessons learned: postmortem with documented corrective actions
The IRS expects tax preparers to report data theft within 24 hours of discovery through the IRS Stakeholder Liaison and the Federation of Tax Administrators. Under the Safeguards Rule amendments effective May 13, 2024, you must also notify the FTC of any security event affecting 500 or more consumers no later than 30 days after discovery — that filing is public.
9. Report to the Board (or Ownership)
The qualified individual must submit at least an annual written report to the board of directors or, for smaller firms, the senior officer in charge. The report covers the overall state of the program, risk assessment results, significant events during the year, and any recommended changes.
Solo preparer? You write it to yourself, sign it, and put it in the file. Yes, really.
Bookkeeping Records: The Forgotten Compliance Exhibit
If a regulator or auditor ever shows up, the first thing they ask for is documentation. Your WISP says you trained staff in March, paid an outside pen-test vendor in July, replaced a workstation in September, and renewed your cyber insurance in November — and you need receipts, invoices, and ledger entries to back up every one of those claims. Practices that treat security spending as a miscellaneous line on a credit card statement end up scrambling.
Set up clear chart-of-accounts segregation for security-related expenses (training, software, audits, insurance, hardware) so you can pull a clean year-over-year report on demand. The same plain-text records that satisfy your CPA at tax time become your evidence file when the FTC asks how you operationalized your plan.
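An added example (not code from the page or from Beancount.io) of what that segregation buys you: a small Python script that parses a constructed Beancount-style ledger and produces the year-over-year report of security spending an auditor would ask for. It handles only a subset of the syntax (dated transactions with indented USD postings), and the account names, payees and amounts are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample ledger (illustrative payees and amounts); security spending sits under its own Expenses:Security:* accounts.
LEDGER = """\
2023-03-14 * "Training Vendor" "Annual security awareness training, 4 seats"
  Expenses:Security:Training     480.00 USD
  Assets:Bank:Checking
2023-07-02 * "Pentest Firm" "Annual external penetration test"
  Expenses:Security:Audits      3200.00 USD
  Assets:Bank:Checking
2023-11-20 * "Insurer" "Cyber liability policy renewal"
  Expenses:Security:Insurance   1450.00 USD
  Assets:Bank:Checking
2024-03-11 * "Training Vendor" "Annual security awareness training, 5 seats"
  Expenses:Security:Training     600.00 USD
  Assets:Bank:Checking
2024-09-05 * "Hardware Vendor" "Replacement workstation with TPM for BitLocker"
  Expenses:Security:Hardware    1899.00 USD
  Assets:Bank:Checking
2024-10-01 * "Landlord" "Office rent"
  Expenses:Rent                 2000.00 USD
  Assets:Bank:Checking
"""

TXN_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) \* "([^"]*)" "([^"]*)"$')
POST_RE = re.compile(r'^\s+(\S+)\s+(-?\d+(?:\.\d+)?) USD$')

def parse_ledger(text):
    """Parse a small Beancount subset: a dated transaction line followed by
    indented postings. The balancing posting with an elided amount is skipped."""
    txns, current = [], None
    for line in text.splitlines():
        if m := TXN_RE.match(line):
            current = {"date": date.fromisoformat(m[1]), "payee": m[2],
                       "narration": m[3], "postings": []}
            txns.append(current)
        elif (m := POST_RE.match(line)) and current:
            current["postings"].append((m[1], Decimal(m[2])))
    return txns

def security_spend_by_year(text, prefix="Expenses:Security:"):
    """Year-over-year totals per security account: the report an auditor asks for."""
    report = defaultdict(lambda: defaultdict(Decimal))
    for txn in parse_ledger(text):
        for account, amount in txn["postings"]:
            if account.startswith(prefix):
                report[txn["date"].year][account] += amount
    return {year: dict(accts) for year, accts in sorted(report.items())}
```

Each transaction's date, payee and narration line up with the claims in the WISP (training in March, pen test in July, workstation in September, insurance in November), so the same ledger that feeds your tax return is the evidence file.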
The Technical Controls That Trip People Up
Two requirements account for the majority of WISP failures in practice.
Multi-factor authentication, everywhere. The Rule does not allow MFA "where convenient." It applies to anyone accessing customer information from any system. That includes your tax software, your e-file portal, your client portal, your email (which carries attachments containing tax data), cloud storage, accounting software, and any remote-access tools. The IRS strongly favors authenticator apps or hardware tokens over SMS, which is vulnerable to SIM-swap attacks.
A quick self-check: log out of every business application you use. Try to log back in. If any one of them requires only a password, you have a finding.
Encryption of data at rest. Full-disk encryption is required on every device that stores customer information — including the personal laptop your seasonal preparer brings to the home office. BitLocker on Windows Pro and FileVault on macOS satisfy the requirement when properly configured. Encrypt backups, USB drives, and any portable media. Encrypt email when it contains customer data (a client portal is usually a better solution than encrypted email).
The other commonly missed control is vendor oversight. Many firms have a SOC 2 report from their tax software vendor but no contract or assessment for the boutique cloud-storage tool they signed up for last year, the e-signature plug-in they trialed, or the IT contractor who has admin credentials. Build a vendor inventory and update it annually.
What Happens When You Get It Wrong
The penalties are not theoretical:
- FTC civil penalties of up to $46,517 per violation per day under the amended Safeguards Rule
- Notification failure penalties that have reached $500,000 in published actions
- PTIN suspension or revocation by the IRS, which effectively ends your ability to prepare returns
- State attorney general actions under state breach-notification laws (which exist in all 50 states)
- Private litigation from affected clients, with statutory damages in some states
- Insurance denials when a malpractice or cyber policy excludes claims arising from non-compliance
- Reputational fallout, which for a tax practice often means losing a meaningful share of the client roster within twelve months
The IRS has been explicit that a missing WISP is treated as evidence of a broader compliance failure, not as a paperwork issue.
A Realistic Roadmap to a Defensible WISP
Going from zero to a defensible plan is a four-to-six-week project for a solo preparer and a multi-month effort for a larger firm. A realistic sequence:
Week 1: Inventory. List every system that touches customer data, every employee or contractor with access, every vendor in the data chain, and every device you own. This is your raw material.
Week 2: Risk assessment. Walk through plausible threats against the inventory. Score each scenario. Identify your top five exposures.
Week 3: Gap analysis. Compare your current controls to the nine required elements. Note every gap. The biggest gaps for small firms are typically MFA coverage, vendor contracts, and incident response procedures.
Week 4: Remediation. Turn on MFA everywhere. Roll out full-disk encryption on every device. Sign written agreements with key vendors. Schedule training. Document everything.
Week 5: Write the WISP. Use the IRS Publication 5708 template as a starting point and customize ruthlessly — a copy-pasted plan is worse than no plan because it shows bad faith. Have the qualified individual sign it.
Week 6 (and annually): Test, train, report. Run a tabletop exercise on your incident response plan. Conduct annual training. Generate the annual report to ownership. Schedule the next review.
Set calendar reminders for the annual cycle. The most common compliance failure is not the initial WISP — it is the firm that wrote one in 2023 and never touched it again.
A Few Common Misconceptions
"My tax software is SOC 2 certified, so I am covered." No. The software provider's compliance covers their environment, not yours. You still need a WISP for everything you do outside their platform — email, local files, your office network.
"I work from home, so the rules are different." They are not. A home-based practice has the same WISP obligations as an office-based one. If anything, the controls are harder because the line between personal and business systems blurs.
"I outsource bookkeeping to an offshore team, so they handle security." They are your vendor under the Rule. You are responsible for assessing them, contracting with them, and overseeing their controls.
"I have cyber insurance, so I am protected." Most cyber policies now require a WISP as a condition of coverage. Reading the fine print after a breach is a bad time to learn this.
Keep Your Finances Organized from Day One
A defensible WISP is built on documentation — and so is a defensible set of books. Whether you are tracking the security software subscriptions, training invoices, and audit fees that prove your compliance program is real, or simply keeping the bookkeeping records that your own clients trust you to handle, plain-text accounting gives you something black-box software cannot: complete transparency, version control, and an audit trail you actually own. Beancount.io provides plain-text accounting that is transparent, version-controlled, and AI-ready — no vendor lock-in, no opaque exports. Get started for free and see why developers and finance professionals are switching to plain-text accounting.