Protecting Taxpayer Data is the Law – Sign Up to Protect Your Firm for as Low as $297/year

Protecting taxpayer data is not only a good business practice, it’s the law for professional tax preparers. Creating and putting into action a written data security plan is critical to protecting your clients and protecting your business.

IRS Commissioner Chuck Rettig, July 23, 2019

A recent update of the IRS’ W-12 (PTIN Application Renewal) form includes the following security requirement:

IRS Regulations, including Revenue Procedures and the FTC Safeguards Rule, require professional tax preparers to create and maintain a Written Information Security Plan (WISP) which documents how your company stores and protects customer data. IRS Publication 4557 details critical security measures that all tax preparers should enact.

IRS Publication 4557

IRS Publication 4557 requires professional tax preparers to comply by creating and maintaining a Written Information Security Plan (WISP) to protect client data. The publication also includes information on how to comply with the FTC Safeguards Rule, including a checklist of items for a prospective data security plan. Tax professionals are asked to focus on key areas such as employee management and training, information systems, and detecting and managing system failures.

FTC Safeguards Rule

Per IRS Publication 4557: “Under the Safeguards Rule, financial institutions must protect the consumer information they collect. The Gramm-Leach-Bliley (GLB) Act requires companies defined under the law as ‘financial institutions’ to ensure the security and confidentiality of this type of information. The ‘financial institutions’ definition includes professional tax preparers... The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information.”

Per the IRS Tax Security 2.0 checklist: “The Security Summit partners noted that many in the tax professional community do not realize they are required under federal law to have a data security plan. According to the FTC Safeguards Rule, tax return preparers must create and enact security plans to protect client data. Failure to do so may result in an FTC investigation.”

IRS Revenue Procedure

The IRS also may treat a violation of the FTC Safeguards Rule as a violation of IRS Revenue Procedure which sets the rules for tax professionals participating as an Authorized IRS e-file Provider. This legal guidance requires authorized IRS e-file providers to have security systems in place to prevent unauthorized access to taxpayer accounts and personal information by third parties. It also specifies that violations of the GLB Act and the implementing rules and regulations put into effect by the FTC, as well as violations of non-disclosure rules addressed in IRC sections 6713 and 7216, are considered violations of Revenue Procedure. These violations are subject to penalties or sanctions specified in the Revenue Procedure.

Additional Data Protection Provisions May Apply

The IRS and certain Internal Revenue Code (IRC) sections also focus on protection of taxpayer information and requirements of tax professionals. Here are a few examples:
• IRS Publication 3112
• IRC, Section 7216
• IRC, Section 6713

Many CPA and tax preparation firms, even smaller ones, often have clients who themselves or their dependents reside in different states. This and other resources on this site will help users understand what kind of laws are in effect in different states which will help them to build and keep their WISPs up to date. Select one of the four types of data protection laws below to see the states (in blue) that have generally applicable laws regarding that type of data protection.

1. Is a WISP required for professional tax preparers?

Yes. A WISP is a requirement of the FTC’s Safeguards Rule, applicable to businesses that are “significantly engaged” in providing financial products or services, including professional tax preparers.

2. In addition to the FTC, do state laws require a WISP?

At least 14 states have statutory requirements for businesses to maintain safeguards to protect personal information of residents. Some states have broadly applicable requirements to maintain a written information security program which detail the comprehensive safeguards that must be in place. You may want to consult with an attorney for specific compliance requirements by state and industry.

3. What is a WISP?

In general, a “WISP” is a Written Information Security Program which is a set of comprehensive administrative, physical and technical safeguards designed to safeguard information, usually personal information, maintained by your business, and to comply with applicable laws.

4. If I purchase the 360 Plus Plan, which includes a WISP, will I automatically be compliant with IRS rules?

Using a WISP will not guarantee compliance with IRS rules. Leveraging a WISP tool through First Watch is the first step to developing your Written Information Security Plan. Depending on your level of expertise, you may want to consult with your IT security experts and legal resources for help and guidance.

5. How can I get a copy of my Certificate of Insurance and Master Policy?

You can access these documents after you log into your First Watch Small Business Plan.
• Click on Cyber Liability Insurance on the home page
• Click Certificate of Insurance

6. When can I get a copy of my Certificate of Insurance and Master Policy?

New enrollee information is sent to the Risk Purchasing Group after the close of each month. Therefore, your Certificate of Insurance and Master Policy will be available online after the 10th of the month following the month you enrolled. For example, if you enrolled on January 8, those documents will be available after February 10.

7. When does my coverage begin?

Your coverage begins at the time you enrolled and paid for the First Watch plan.

8. What is a Risk Purchasing Group (RPG) and who is North American Data Security RPG?

North American Data Security RPG (the “Company”) is a risk purchasing group formed in Michigan and authorized under the Liability Risk Retention Act (the “LRRA”), which is a federal law enacted in 1986 to facilitate access to liability insurance on a more cost-efficient basis. As a risk purchasing group and pursuant to the LLRA, the Company is permitted to collectively purchase liability insurance on behalf of group members to cover their similar exposures that result from the members’ common practices or activities.

9. Who is the insurance carrier?

The Company purchases liability insurance from one or more insurance carriers with an AM Best rating of “A” or better.

10. What is the limit of liability?

The annual aggregate of liability per business is $100,000 or $250,000 depending on which coverage limit you choose for your First Watch Plan.

11. Who is eligible to become a member of the Company?

Any business not deemed a Level 1 Merchant by a card brand such as Visa or Mastercard.

12. Must a business be compliant with PCI?

No, there is no PCI compliance requirement to be enrolled.

The information provided in these FAQs are for general information purposes only. The actual policy should be reviewed for specific terms, conditions, limitations, and exclusions that will govern in the event of loss.