If your firm prepares tax returns for a fee, you are legally required to have a Written Information Security Plan — a WISP — and to be able to produce it on request. Many small practices don't realize this applies to them, or assume it's only a big-firm obligation. It isn't. The requirement reaches every paid preparer, from the solo practitioner working from a home office to the regional CPA firm with a dozen staff. Here's what the rule actually requires, where it comes from, and how to build a plan that holds up rather than one that documents your own gaps.
Where the Requirement Comes From
The WISP obligation flows from the FTC's Safeguards Rule under the Gramm-Leach-Bliley Act, which treats professional tax preparers as "financial institutions" — yes, really. The IRS reinforces it from its own side: Publication 4557, Safeguarding Taxpayer Data, lays out preparers' duties, and the annual PTIN renewal now includes an attestation that you have a data security plan in place.
In other words, having a WISP isn't optional, aspirational, or a nice-to-have. It's a condition of operating as a paid preparer, and the absence of one is a finding waiting to happen — in an audit, after a breach, or when a client's identity is stolen and the trail leads back to your office.
Who Needs One
Every firm or individual that prepares returns for compensation needs a WISP, regardless of size. A one-person shop needs one every bit as much as a multi-office firm; the plan simply scales to the size and complexity of the practice. "We're too small to be a target" is precisely the assumption attackers count on — small firms hold exactly the same Social Security numbers, bank details, and financial records as large ones, often with thinner defenses. The rule rejects the size excuse on purpose.
What a WISP Must Include
A credible WISP is a living operational document, not a one-page form you sign and file. At minimum it should cover:
- A designated security coordinator — a named person (or people) accountable for the program.
- A risk assessment — what taxpayer data you hold, where it lives, who can reach it, and the threats to it.
- Safeguards — the actual controls: access control, encryption, multi-factor authentication, secure disposal, and network and endpoint protection.
- Vendor oversight — assurance that the third parties touching your data (tax software, cloud, your IT provider) protect it too.
- An incident response plan — what you do, and who you notify, when data is exposed, including the notification requirements set by the IRS and by your state.
- Employee training — because phishing and human error are how the overwhelming majority of breaches actually start.
- Periodic review — evidence that the plan is revisited and updated, not written once and forgotten.
You Don't Have to Start From Scratch
The IRS publishes a sample template — Publication 5708 — that walks through each section, and it's a genuinely useful starting skeleton, especially for a smaller firm. The mistake is treating the template as the finish line. A WISP that confidently describes safeguards you don't actually have is worse than none at all, because it documents your own non-compliance in writing. The document has to describe your real controls, and those controls have to genuinely exist and be in use. Fill in the template after you've stood up the safeguards, not instead of standing them up.
The Common Gaps We See
When we review firms' security posture against their WISP, the same gaps recur with striking regularity. Multi-factor authentication is described but not actually enforced everywhere it matters. There's no real, tested incident response plan — just a paragraph. Vendor agreements were never checked for data-protection terms. And the plan hasn't been touched since the day it was created, often years ago, while the firm moved to new software and new staff. Each of these is both a compliance exposure and a genuine security weakness. The good news is that closing them satisfies more than one obligation at once — the WISP requirement overlaps heavily with the broader FTC Safeguards Rule, so the work does double duty.
It's Not a One-Time Document
A WISP is meant to evolve as your firm, your tools, and the threat landscape change — which is exactly the direction the 2026 compliance landscape is heading, with regulators expecting demonstrated practice rather than paperwork. Set a recurring review, keep evidence that you actually follow the plan, and treat it as the operating manual for protecting client data rather than a file you produce only when someone asks. That mindset is the difference between a WISP that protects you and one that simply exists.
What's at Stake If You Skip It
The consequences of not having a real WISP aren't abstract. A breach at a preparer's office can mean fraudulent returns filed in your clients' names, FTC enforcement exposure, state breach-notification obligations, and — often the most damaging — the loss of the client trust a referral-driven practice runs on. The IRS can treat the failure to maintain a security plan as a violation in its own right, and a missing plan turns an unfortunate incident into a clear compliance failure. Set against all that, the effort to stand up and document genuine safeguards is modest insurance — and most of the controls involved simply make your firm run more securely day to day, rule or no rule.
The Bottom Line
Every paid preparer needs a WISP, it has to reflect controls you actually run, and it has to be maintained. For most firms the hard part isn't the document — it's standing up and proving the safeguards behind it. We do this work for professional services firms regularly, pairing the written plan with the security controls that make it true. Get in touch and we'll help you get compliant and stay that way.
