Start the Year Right: Your WISP Doesn’t Have to Be a Tax Season Nightmare - Think Outside the Tax Box


It’s January, which means you’re probably doing one of two things: frantically preparing for tax season or pretending you’re not frantically preparing for tax season. Either way, “update my Written Information Security Plan” is probably sitting near the bottom of your to-do list, somewhere between “organize the supply closet” and “figure out what half these buttons in the tax software actually do.”

I get it. The mere mention of a WISP makes most tax professionals want to suddenly lose their internet connection. It sounds bureaucratic, technical, and deeply unfun. But here’s the good news: creating and maintaining a WISP does not have to feel like a compliance root canal. And ignoring it can turn into something far worse than an IRS audit.

Let’s talk about why you need one, what it’s actually supposed to do, and how to get it done without wrecking your sanity in the middle of filing season.

The “Financial Institution” Plot Twist

Quick quiz: what do JPMorgan Chase, your local credit union, and your tax practice have in common?

According to the federal government, you’re all financial institutions.

Under the Gramm-Leach-Bliley Act,[1] tax preparation firms are classified as financial institutions and are subject to the FTC’s Safeguards Rule.[2] This applies whether you’re a national firm or a solo practitioner working from a spare bedroom.

I have talked to more than one solo tax pro who genuinely believed this only applied to banks or “big firms.” One of them found out otherwise when their cyber insurance renewal asked for a copy of their WISP, and they did not have one.

The FTC enforces this rule, and compliance is mandatory. That means you need a written information security program (the IRS calls it a WISP) that covers the Rule's required elements.

Noncompliance can carry real consequences: civil and criminal penalties, personal liability, PTIN renewal issues, and problems with cyber liability insurance. More importantly, a weak or nonexistent WISP leaves you exposed when something eventually goes wrong.

And something will go wrong eventually.

Why Ignoring This Gets Expensive Fast

Small firms are not flying under the radar. A large share of reported data breaches hit small businesses, and tax firms are especially attractive targets because they hold exactly the data needed for identity theft and refund fraud: Social Security numbers, bank account numbers, and prior-year returns.

I’ve seen firms assume they were “too small to matter” until a staff member clicked a phishing email during tax season. In one case, the firm was locked out of its systems for days in March. No returns could be filed. Clients were furious. The actual ransom was only part of the damage.

Most breaches are not caused by elite hackers in dark rooms. They are caused by ordinary, well-meaning people making ordinary mistakes, like reusing passwords, delaying updates, or leaving an unencrypted laptop in a car overnight.

That is exactly what a WISP is designed to address.

What a WISP Is Actually Trying to Do

At its core, your WISP is about three things, often called the CIA Triad:

  • Confidentiality: Only authorized people can access client data
  • Integrity: Client data stays accurate and unchanged
  • Availability: You can access information when you need it

For example, confidentiality is why client documents should go through a secure portal instead of email. Integrity is why only preparers, not administrative staff, should be able to edit returns. Availability is why backups matter when a server crashes on April 14.

Your WISP documents how you protect all three in your actual, day-to-day practice.

What the Safeguards Rule Actually Requires

The Safeguards Rule requires specific elements, scaled to the size and complexity of your firm. You are not expected to operate like a multinational bank, but you are expected to be intentional and reasonable.

Designate a Responsible Individual

Someone must be in charge of your security program. In a small firm, that is usually you.

I have worked with firms where everyone assumed “the IT guy” was responsible, but no one internally actually owned the process. When a security incident happened, no one knew who was supposed to make decisions. Your WISP should make that clear ahead of time.

Conduct a Risk Assessment

You need to identify where things could realistically go wrong.

Common examples I see:

  • A laptop that moves between home, office, and car.
  • An office manager who keeps passwords written down.
  • A seasonal preparer using their personal computer to work remotely.

This is not about perfection. It is about honesty. If you know a risk exists, you can address it. If you pretend it does not exist, your WISP becomes fiction.

Implement Core Safeguards

These are non-negotiable:

  • Access controls: Staff should only access what they need. I have seen firms where an admin could open every tax return simply because it was easier than setting permissions. That is exactly what access controls are meant to prevent.
  • Encryption: All client data should be encrypted at rest and in transit. With full-disk encryption turned on, a stolen laptop is an inconvenience, not a reportable breach.
  • Multi-factor authentication: Passwords alone are not enough.
  • Secure portals: Do not accept or send tax documents through ordinary email; use an encrypted client portal.

Yes, MFA is annoying. But the firms that disable it because “it slows us down” are often the same firms dealing with account takeovers later.
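As an added example (not from the IRS template or the FTC), here is a short Python access review that compares an inventory of accounts and devices against a least-privilege role matrix and flags the gaps the safeguards above are meant to close: access beyond role, PII systems without MFA, unencrypted disks, personal devices used for firm work, and accounts belonging to people no longer on staff. The staff list, role matrix, and inventory are constructed sample data, and the list of PII-holding systems is an assumption; a real firm substitutes its own.

```python
"""Access review and safeguard gap check for a small tax practice.

This is an added example and is not part of IRS Publication 5708 or the
FTC Safeguards Rule. The staff list, accounts and devices below are
constructed sample data, and the role matrix and PII-system list are
assumptions made for illustration; a real firm substitutes its own.
"""
from dataclasses import dataclass

# Least-privilege baseline (assumed): the systems each role may reach.
ALLOWED_BY_ROLE = {
    "owner": {"tax_software", "client_portal", "email", "scheduling", "backups"},
    "preparer": {"tax_software", "client_portal", "email"},
    "admin": {"client_portal", "email", "scheduling"},
}

# Systems that hold client PII, so MFA is mandatory on them (assumed list).
PII_SYSTEMS = {"tax_software", "client_portal", "email", "backups"}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    systems: frozenset      # what the account can actually reach today
    mfa_enabled: bool


@dataclass(frozen=True)
class Device:
    owner: str
    name: str
    disk_encrypted: bool
    personal: bool = False  # a personally owned machine used for firm work


def review(staff, accounts, devices):
    """Return (subject, finding) pairs for every gap against the WISP baseline."""
    findings = []
    for acct in accounts:
        # Orphaned accounts: the person left, the login did not.
        if acct.user not in staff:
            findings.append((acct.user, "not on current staff list; disable the account"))
        allowed = ALLOWED_BY_ROLE.get(acct.role)
        if allowed is None:
            findings.append((acct.user, f"unknown role '{acct.role}'; no baseline to compare against"))
            continue
        # Access granted beyond what the role needs.
        excess = acct.systems - allowed
        if excess:
            findings.append((acct.user, f"access beyond role '{acct.role}': {sorted(excess)}"))
        # Any reach into PII systems must be behind MFA.
        pii_reach = acct.systems & PII_SYSTEMS
        if pii_reach and not acct.mfa_enabled:
            findings.append((acct.user, f"MFA disabled on PII systems {sorted(pii_reach)}"))
    for dev in devices:
        subject = f"{dev.owner}/{dev.name}"
        if not dev.disk_encrypted:
            findings.append((subject, "disk not encrypted; theft would be a reportable breach"))
        if dev.personal:
            findings.append((subject, "personal device used for firm work; needs the same controls and a WISP entry"))
    return findings


# Constructed sample inventory: what the WISP attachments would list in January.
STAFF = {"owner", "maria", "devon"}
ACCOUNTS = [
    Account("owner", "owner", frozenset(ALLOWED_BY_ROLE["owner"]), True),
    Account("maria", "preparer", frozenset({"tax_software", "client_portal", "email"}), True),
    # Office manager given tax software access "because it was easier".
    Account("devon", "admin", frozenset({"client_portal", "email", "scheduling", "tax_software"}), True),
    # Last season's preparer: never offboarded, and MFA was never turned on.
    Account("seasonal2023", "preparer", frozenset({"tax_software", "email"}), False),
]
DEVICES = [
    Device("maria", "laptop-01", disk_encrypted=True),
    Device("devon", "desktop-02", disk_encrypted=False),
    Device("seasonal2023", "home-pc", disk_encrypted=True, personal=True),
]


def run_sample():
    return review(STAFF, ACCOUNTS, DEVICES)


if __name__ == "__main__":
    for subject, finding in run_sample():
        print(f"{subject}: {finding}")
```

Run it against the real inventory at each annual review. An empty result is the evidence that the access-list attachment matches reality; every finding is either a fix to make or a line item to add to the WISP.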

Train Your Staff

Most breaches are caused by human error. Training matters.

I have seen staff forward phishing emails because they looked like a software update notice, and no one had ever shown them what to look for. Training does not have to be fancy, but it does have to exist.

Password managers are a great example of a safeguard that solves a real problem. Instead of sticky notes under keyboards, staff remember one strong master password and let the software handle the rest.

Have an Incident Response Plan

If something happens, you need to know who does what.

I once spoke with a firm that had a breach but waited weeks to notify anyone because they were unsure whether it “counted.” A basic incident response plan would have answered that question immediately.

Under the Safeguards Rule's breach notification requirement, if a breach involves unencrypted information of 500 or more consumers, you must notify the FTC as soon as possible and no later than 30 days after discovering it. State breach notification laws apply on top of this and run on their own clocks, so your plan should name who checks them.

The IRS Template Is Often Enough

This is where many tax professionals overthink things.

For a large percentage of solo practitioners and small firms, the IRS has already done most of the work. IRS Publication 5708[3] includes a WISP template designed specifically for tax professionals and aligned with the Safeguards Rule.

For example, a solo EA using commercial tax software, encrypted devices, MFA, and a secure client portal can often complete the IRS template with minimal customization. A small firm with two or three staff members and standard cloud tools can usually do the same.

What matters is that the template reflects what you actually do. A completed template that does not match reality can cause more problems than having no document at all.

When Professional Help Makes Sense

There are situations where outside help is a smart investment. Examples include:

  • Firms with multiple locations or many remote preparers
  • Practices using local servers instead of cloud systems
  • Growing firms onboarding new staff frequently

In those cases, a qualified IT or security professional can help identify gaps you might not see on your own.

This does not mean you outsource responsibility. It means you get expertise where it adds value.

Why You Still Need to Be in Control

One of the most common mistakes I see is firms assuming their IT provider “handles security.”

Your WISP, your data, and your regulatory obligations remain your responsibility.

You should always have:

  • Administrative access to your systems
  • Access to backups and the ability to restore them
  • Clear ownership of your data

If an IT provider will not give you admin access or cannot explain your setup in plain language, that is a red flag.

Vetting IT Providers and Software Is Part of Your WISP

When people hear “vet your IT provider,” they often think only about the person or firm managing their computers. Your WISP needs to go broader than that.

Any vendor that stores, processes, transmits, or has access to client data should be documented in your WISP. That includes IT firms, tax software, client portals, cloud storage, backup services, and other tools you rely on every day.

If they touch your data, they matter.

Before hiring or renewing an IT provider, or continuing to rely on a critical service, you should be able to answer questions like:

  • Who has administrative access to my systems?
  • How are backups handled, and can I restore data without you?
  • How is remote access secured?
  • What happens to my data if we part ways?

You are not expected to be a security expert, but you are expected to understand how the services you rely on operate and what they are doing with your data and your clients’ data.

Good providers expect this. They work with regulated professionals and understand why these questions matter. If a provider cannot answer them clearly, that is a sign to slow down and ask why.

Client Pushback Happens

At some point, a long-time client will say, “That portal is too complicated. I’ll just email my documents.”

If your WISP prohibits receiving PII via unsecured email, you cannot make exceptions.

I have seen firms make “just this once” exceptions that later came back to haunt them. The fix is not confrontation. It is support. Walk the client through the portal or offer secure alternatives.

Most clients appreciate knowing their data is protected.

Updates, AI, and Other Modern Traps

Security updates always show up at the worst possible time. Delaying critical patches during tax season feels tempting, but attackers know that is when firms are distracted.

AI tools deserve special mention. Never paste client PII into an AI tool unless that tool is on your vendor inventory and covered by your WISP, with a contract that prohibits the provider from retaining or training on your data. Even well-intentioned use of a consumer chatbot can violate your WISP and your privacy policy.

Keeping Your WISP Alive

A WISP is not a one-time document. It needs to be reviewed at least annually and updated when your business changes.

The easiest way to manage this is by keeping inventories and access lists as attachments that can be updated without rewriting the entire plan.

A beautifully written WISP that does not reflect reality is worse than useless.

A January Action Plan

If you do not have a current WISP:

  1. Download IRS Publication 5708
  2. Block a few hours to complete it (honestly, that is all it takes)
  3. Inventory devices, access, and safeguards
  4. Enable MFA and encryption everywhere
  5. Require a password manager
  6. Use a secure client portal
  7. Schedule annual reviews

That is it. You just have to do it.

The Part Where I Tell You It’s Going to Be Okay

You did not become a tax professional because you love cybersecurity compliance. But protecting client data is part of the job now.

A WISP is not about becoming a security expert. It is about being thoughtful, consistent, and honest.

Do the setup once. Maintain it reasonably. Treat it as a living document.

Your clients are trusting you with their financial lives. Protecting that trust is worth a couple of hours in January.

[1] GLBA – https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act

[2] FTC Safeguards – https://www.ftc.gov/legal-library/browse/rules/safeguards-rule

[3] IRS Publication 5708 – https://www.irs.gov/pub/irs-pdf/p5708.pdf
