CPA firms that have access to confidential client data are responsible for how this data is stored, processed, and disseminated. Given the sensitivity of this information, tax preparers are expected by the IRS to follow specific and strict tax preparer security requirements. These firms must adhere to these standards and ensure compliance at all times.
These requirements, established under the Gramm-Leach-Bliley Act (GLBA) and enforced by the IRS, apply to all CPA firms.
Failure to comply with IRS tax preparer security requirements can result in fines of up to $100,000 per violation. In addition to financial penalties, firms may face legal consequences and significant reputational damage following a data breach. Once a data leak is identified, government regulators often step up investigations and audits. Perhaps most damaging is the loss of client trust.
To avoid fines and maintain the integrity and confidence of their clients, CPA firms must strictly follow IRS security rules.
This blog serves as a guide for CPA firms on the security requirements expected by the IRS.
IRS security requirements for tax preparers
According to IRS mandates, there are two major IRS tax preparer security requirements that CPA firms must follow. Both of these security standards were recently developed by the IRS and cover data security practices CPA firms are obligated to implement.
A Written Information Security Plan (WISP)
A Written Information Security Plan (WISP) is an official, documented program that outlines a CPA firm’s methods for protecting sensitive information, especially client data, through a combination of administrative, technical, and physical controls. It serves as a roadmap for the firm’s data protection efforts and helps ensure compliance with IRS tax preparer security requirements, FTC rules, and state regulations.
One important point: a WISP isn’t just a check-the-box, single-document requirement; it’s a living template that must evolve. As the CPA firm’s systems, staff, and technology change, so should its WISP. Regular reviews, testing, and updates are essential to keep it current against emerging threats and aligned with evolving data security standards.
To gain a deeper understanding of the IRS tax preparer security requirements and guidance on addressing data breaches, read The Complete IRS Data Security Guideline Update for 2025.
A well-developed WISP for a CPA firm typically includes these key elements:
Governance
The WISP’s governance section clearly states which individuals are responsible for the WISP’s implementation and oversight. These designees include an “information security officer,” who manages the WISP program, enforces WISP policy, and makes recommendations based on the organization’s information security strategy. This keeps decision-making consistent across all areas and establishes security initiatives as a top organizational priority.
Risk assessment
A risk assessment is a process to identify, evaluate, and prioritize the threats and vulnerabilities that may put an organization’s systems and data at risk. It lets the organization gauge its exposure to risks such as data breaches, ransomware attacks, and the inadvertent loss of data through human error. By analyzing the results of the assessment, the organization can allocate its resources more effectively and develop strategies to reduce the potential severity of its highest-risk areas.
Access controls & authentication
Access controls limit access to systems and data to those with permission. They can be implemented using techniques such as least privilege (granting only the access needed to do the job), multi-factor authentication (MFA), and strong password requirements, which together create additional layers of defense against unauthorized access. Access controls limit the impact a compromised account can have and keep sensitive information from being misused.
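The following is an added example, not code from the original post: a minimal least-privilege authorization check in Node.js that combines role permissions with an MFA gate for actions touching client tax data, plus a basic strong-password check. The roles, permissions, the 12-hour MFA window, the weak-fragment list, and the sample sessions are all constructed for illustration, not a firm’s real policy.

```javascript
// Added example (not from the original post): a minimal least-privilege
// authorization check with an MFA gate for actions that touch client
// tax data. Roles, permissions, the 12-hour MFA window and the sample
// sessions are constructed for illustration, not a firm's real policy.

// Each role lists only the actions it needs to do its job (least privilege).
const ROLE_PERMISSIONS = {
  receptionist: new Set(["appointments:read", "appointments:write"]),
  preparer: new Set(["appointments:read", "returns:read", "returns:write"]),
  partner: new Set(["appointments:read", "returns:read", "returns:write", "returns:export"]),
};

// Actions on taxpayer data require a recent MFA step, not just a password.
const MFA_REQUIRED = new Set(["returns:read", "returns:write", "returns:export"]);
const MFA_MAX_AGE_MS = 12 * 60 * 60 * 1000; // constructed policy value

// session = { user, role, mfaVerifiedAt }  (mfaVerifiedAt: ms since epoch, or null)
// Returns { allowed, reason } so callers can log the reason for a denial.
function authorize(session, action, now = Date.now()) {
  const perms = ROLE_PERMISSIONS[session.role];
  if (!perms) return { allowed: false, reason: "unknown role" };
  if (!perms.has(action)) return { allowed: false, reason: "not permitted for role" };
  if (MFA_REQUIRED.has(action)) {
    if (session.mfaVerifiedAt === null) return { allowed: false, reason: "MFA required" };
    if (now - session.mfaVerifiedAt > MFA_MAX_AGE_MS) return { allowed: false, reason: "MFA expired" };
  }
  return { allowed: true, reason: "ok" };
}

// Strong-password requirement: minimum length and no well-known weak fragments.
// The length and the fragment list are constructed values.
const WEAK_FRAGMENTS = /password|123456|qwerty|letmein/i;
function passwordMeetsPolicy(password) {
  return password.length >= 14 && !WEAK_FRAGMENTS.test(password);
}

// Walk-through with a fixed clock so the output is reproducible.
const NOW = Date.UTC(2025, 0, 15, 9, 0, 0);
const stolenFrontDesk = { user: "jdoe", role: "receptionist", mfaVerifiedAt: null };
const preparerNoMfa = { user: "asmith", role: "preparer", mfaVerifiedAt: null };
const preparerWithMfa = { user: "asmith", role: "preparer", mfaVerifiedAt: NOW - 60 * 1000 };

console.log(authorize(stolenFrontDesk, "returns:read", NOW).reason);   // not permitted for role
console.log(authorize(preparerNoMfa, "returns:read", NOW).reason);     // MFA required
console.log(authorize(preparerWithMfa, "returns:read", NOW).reason);   // ok
console.log(authorize(preparerWithMfa, "returns:export", NOW).reason); // not permitted for role
console.log(passwordMeetsPolicy("Password2024!!!"), passwordMeetsPolicy("v9#Lk2$pQz8!mWr")); // false true
```

The point of the walk-through is the blast radius: a stolen front-desk password cannot reach tax returns at all, and a stolen preparer password still cannot reach them without a recent MFA step. Every denial carries a reason so the firm can log and review it.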
Encryption and protection of data in transit and at rest
Encryption is a technical control that renders data unintelligible to anyone who does not possess the appropriate decryption key. It secures information while it travels across the network (in transit) and protects data from being read or interpreted while it is stored on computers or other storage devices (at rest). Encryption is an essential safeguard when electronic communications are intercepted or a computer system is compromised: as long as the key is not compromised, the contents remain protected from unauthorized access.
Employee training and background checks
Human error is a leading cause of security incidents; it is therefore essential that all staff members be trained to build and maintain a security-conscious environment and understand their role in protecting the company’s assets. To complement training, firms should conduct background checks before hiring prospective employees. Coupling employee training with background checks significantly reduces the likelihood of both accidental mistakes and intentional sabotage by irresponsible or uninformed employees.
Incident response and breach notification procedures
A security incident response plan is a document that outlines the specific actions an entity must take to respond effectively to a security breach or cyberattack. Pre-defining the processes for detecting, containing, eliminating, and recovering from security breaches reduces the loss and delay caused by an incident. The plan also includes the processes the business must follow to comply with government and regulatory requirements for timely notice of breaches to affected parties and the appropriate authorities.
Data retention and secure disposal policies
Data retention policies set retention periods for each data type and specify the secure destruction methods to be used once data is no longer needed (e.g., physical shredding or data wiping). Reducing the amount of sensitive data the organization retains, and securely disposing of data once its retention period ends, shrinks the organization’s data footprint and thereby lowers its risk profile and its liability in the event of a data breach.
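As an added example that is not part of the original post, the script below turns a retention schedule into a disposal work list in Node.js. The retention periods, disposal methods, record types, and the sample inventory are constructed placeholders, not IRS or firm figures; the one practitioner detail it adds is that a record under legal hold is never disposed even after its retention period ends.

```javascript
// Added example (not from the original post): turn a retention schedule into a
// disposal work list. The retention periods, disposal methods, record types and
// the sample inventory are constructed placeholders, not IRS or firm figures.

// Retention period in years after the record is closed (constructed values).
const RETENTION_YEARS = { tax_return: 7, engagement_letter: 7, w2_copy: 4, marketing_list: 1 };

// Secure destruction method by medium, as named in the policy.
const DISPOSAL_METHOD = { paper: "cross-cut shred", digital: "wipe (overwrite or cryptographic erase)" };

// Add whole years to a YYYY-MM-DD date, returning a Date (UTC midnight).
function addYears(isoDate, years) {
  const d = new Date(`${isoDate}T00:00:00Z`);
  d.setUTCFullYear(d.getUTCFullYear() + years);
  return d;
}

// records: [{ id, type, medium, closedOn: "YYYY-MM-DD", legalHold: boolean }]
// Returns { dispose, retain, held }. A record under legal hold is never
// disposed even when its retention period has ended, and an unknown type or
// medium stops the run rather than silently keeping or destroying the record.
function planDisposal(records, asOf) {
  const plan = { dispose: [], retain: [], held: [] };
  for (const r of records) {
    const years = RETENTION_YEARS[r.type];
    if (years === undefined) throw new Error(`no retention rule for record type "${r.type}"`);
    const method = DISPOSAL_METHOD[r.medium];
    if (method === undefined) throw new Error(`no disposal method for medium "${r.medium}"`);
    const expires = addYears(r.closedOn, years);
    if (asOf < expires) {
      plan.retain.push({ id: r.id, retainUntil: expires.toISOString().slice(0, 10) });
    } else if (r.legalHold) {
      plan.held.push({ id: r.id, reason: "legal hold overrides retention schedule" });
    } else {
      plan.dispose.push({ id: r.id, method });
    }
  }
  return plan;
}

// Constructed sample inventory.
const SAMPLE_RECORDS = [
  { id: "r1", type: "tax_return", medium: "digital", closedOn: "2017-04-15", legalHold: false },
  { id: "r2", type: "tax_return", medium: "digital", closedOn: "2019-04-15", legalHold: false },
  { id: "r3", type: "w2_copy", medium: "paper", closedOn: "2019-06-01", legalHold: true },
  { id: "r4", type: "marketing_list", medium: "paper", closedOn: "2023-12-31", legalHold: false },
];

console.log(JSON.stringify(planDisposal(SAMPLE_RECORDS, new Date("2025-01-01T00:00:00Z")), null, 2));
```

Run as of 2025-01-01, the sample yields r1 and r4 for disposal (each tagged with the method for its medium), r2 retained until 2026-04-15, and r3 held back despite being past its retention period. Failing closed on an unrecognized record type or medium keeps the policy itself from being silently bypassed by a data type nobody classified.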
Vendor management and due diligence
Many businesses use outside vendors that require access to the company’s systems or data. Vendor management consists of conducting due diligence (vetting) to confirm that each vendor has appropriate security controls in place. This due diligence helps manage the risk in the vendor supply chain and ensures that the organization does not create new risks by partnering with third-party vendors.

Security Six
The IRS’s “Security Six” encompasses six critical cybersecurity measures that CPA firms must implement to safeguard against data breaches and cyberattacks.
Antivirus Software
To protect sensitive information against exposure and malicious software, maintain an active, regularly updated antivirus program as part of the IRS-recommended Security Six practices. Keeping antivirus software up to date ensures it can scan for, detect, and remove current malware (malicious software), providing better protection for your systems. It also supports overall cyber hygiene and compliance with cybersecurity policy best practices.
Firewalls that are properly set up
The best way to improve security in compliance with IRS requirements is to install both hardware and software firewall products. A firewall (network appliance) serves as an effective barrier against unwanted internet traffic and helps prevent attacks on the network and the systems connected to it. To further protect sensitive information and maintain the integrity of the organization’s online presence, the firewall should be one part of a multi-layered defense strategy.
Multi-Factor Authentication (MFA)
The importance of having Multi-Factor Authentication (MFA) in place for all accounts cannot be overstated, as it enhances the security of taxpayer data. MFA requires the user to present two or more forms of identification, which provides additional verification of the user’s identity and additional protection against unauthorized access. Proper implementation of MFA also helps ensure compliance with regulations concerning the protection of sensitive data.
Secure backups of data
Backing up your data frequently is an important part of protecting your organization and following the IRS Security Six. Keeping three copies of your data on at least two different types of storage media, with one copy stored off-site (the 3-2-1 backup standard), helps keep your organization’s data available and protected in the event of hardware failure, cyberattacks, or other events that prevent you from accessing or using it.
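As an added example, not code from the original post, here is a Node.js check of a backup inventory against the 3-2-1 rule. It also flags copies that are unencrypted or have not been restore-tested recently, which the rule itself does not cover but a reviewer would ask about. The inventory, the media names, and the 30-day restore-test window are constructed values.

```javascript
// Added example (not from the original post): check a backup inventory against
// the 3-2-1 rule (three copies, two media types, one off-site) and flag copies
// that are unencrypted or have not been restore-tested recently. The inventory,
// media names and the 30-day restore-test window are constructed values.

const RESTORE_TEST_MAX_DAYS = 30; // constructed policy value
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// copies: [{ name, media, offsite, encrypted, primary, lastRestoreTest }]
//   primary: true for the live production data, which counts as copy #1
//   lastRestoreTest: "YYYY-MM-DD" of the last successful test restore, or null
// Returns { compliant, findings } where findings lists every rule that failed.
function check321(copies, asOf) {
  const findings = [];
  if (copies.length < 3) findings.push(`only ${copies.length} copies; the rule needs at least 3`);
  const media = new Set(copies.map((c) => c.media));
  if (media.size < 2) findings.push(`all copies share one media type (${[...media].join(", ")}); need at least 2`);
  if (!copies.some((c) => c.offsite)) findings.push("no off-site copy");
  for (const c of copies) {
    if (!c.encrypted) findings.push(`${c.name}: copy is not encrypted`);
    if (c.primary) continue; // the live data is not a backup; no restore test expected
    if (!c.lastRestoreTest) { findings.push(`${c.name}: never restore-tested`); continue; }
    const ageDays = Math.floor((asOf - new Date(`${c.lastRestoreTest}T00:00:00Z`)) / MS_PER_DAY);
    if (ageDays > RESTORE_TEST_MAX_DAYS) findings.push(`${c.name}: last restore test ${ageDays} days ago`);
  }
  return { compliant: findings.length === 0, findings };
}

const AS_OF = new Date("2025-03-01T00:00:00Z");

// Constructed inventory that satisfies 3-2-1.
const GOOD_INVENTORY = [
  { name: "production file server", media: "internal-ssd", offsite: false, encrypted: true, primary: true, lastRestoreTest: null },
  { name: "on-site NAS", media: "nas-hdd", offsite: false, encrypted: true, primary: false, lastRestoreTest: "2025-02-20" },
  { name: "cloud backup", media: "cloud-object-storage", offsite: true, encrypted: true, primary: false, lastRestoreTest: "2025-02-25" },
];

// Constructed inventory with three copies but no off-site copy, one
// unencrypted copy and one stale restore test.
const BAD_INVENTORY = [
  { name: "production file server", media: "internal-ssd", offsite: false, encrypted: true, primary: true, lastRestoreTest: null },
  { name: "on-site NAS", media: "nas-hdd", offsite: false, encrypted: true, primary: false, lastRestoreTest: "2024-11-01" },
  { name: "second NAS share", media: "nas-hdd", offsite: false, encrypted: false, primary: false, lastRestoreTest: "2025-02-27" },
];

console.log(check321(GOOD_INVENTORY, AS_OF)); // { compliant: true, findings: [] }
console.log(check321(BAD_INVENTORY, AS_OF));  // compliant: false, three findings
```

The second inventory is the common failure the rule is meant to catch: three copies exist, but two of them sit on the same NAS in the same building, so a fire, theft, or ransomware run that reaches the NAS removes both. A backup that has never been restore-tested is reported as well, since an untested backup only looks like one.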
Encryption of data for stored and transmitted data
Drive encryption encrypts the data stored on an organization’s computer hard disks to protect data at rest. It is one of the six elements of the IRS Security Six and an essential building block for protecting an organization’s data from unauthorized access: the data on a lost or stolen device stays unreadable, preserving the confidentiality and integrity of sensitive information.
Virtual Private Network (VPN)
Virtual Private Networks (VPNs) connect remote users to networks that must be protected from unauthorized entry. A VPN creates and maintains encrypted, protected data transmissions, adding a layer of security that complements the strong security practices emphasized by the IRS Security Six. Using a VPN when connecting to a protected network also helps organizations comply with federal law and protect taxpayer information while conducting business remotely.
Conclusion
The IRS security requirements for tax preparers are changing the way CPA firms protect their clients’ personal data by requiring strong data protection measures. Beyond meeting compliance, however, CPA firms need to demonstrate that protecting client information is a priority, which is an important way to establish confidence with current and potential clients.
Data protection should continue to be seen by CPA firms as a commitment to their clients. The obligation is to implement strong security policies and procedures, create a culture of security awareness, develop strategies for dealing with incidents quickly, and create means of supporting clients in the event of a breach. If CPA firms implement these steps now, they will be able to help ensure compliance with the IRS security requirements for tax preparers and minimize the risk of future data breaches or data loss.