IRS & FTC Data Security Requirements for Tax Pros: What You Need to Know
If you’re a CPA, enrolled agent, bookkeeper, tax preparer, or independent insurance professional, federal law requires you to have documented data security measures in place — and the consequences of non-compliance are severe. Fines can exceed $50,000, and that’s before factoring in reputational damage, client loss, and potential legal liability.
This guide breaks down what the IRS and FTC require, what each requirement means for your firm, and the specific tools and programs that keep you compliant and your clients protected.
Why Data Security Is Now a Federal Requirement for Finance Professionals
The IRS has long been vocal about the threat landscape facing tax and finance professionals. At the 2025 IRS Security Summit, the agency reiterated that organized identity-theft rings, phishing campaigns, and ransomware attacks continue to target CPA firms and electronic filing systems. The message is clear: cybersecurity is no longer optional — it’s a regulatory obligation.
Two federal bodies now govern data security requirements for financial professionals:
- The IRS, through Publications 1075, 4557, and 5708
- The Federal Trade Commission (FTC), through the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA)
Together, these regulations require firms of all sizes — from solo practitioners to large multi-partner practices — to implement, document, and maintain active data security programs.
What the IRS and FTC Require: A Plain-Language Breakdown
1. Written Information Security Plan (WISP) — Now Mandatory
A Written Information Security Plan (WISP) is a formal, written document that outlines exactly how your firm protects client data. It must describe your policies and procedures for preventing, detecting, responding to, and recovering from security incidents.
The FTC Safeguards Rule makes a WISP a hard legal requirement for financial service providers — including tax preparers, bookkeepers, and insurance professionals. The IRS reinforces this through Publication 5708, which provides a WISP template and makes clear that informal or verbal policies no longer satisfy compliance standards.
Your WISP must be:
- Written and documented — not implied or stored in someone’s memory
- Tailored to your firm — generic templates aren’t enough on their own
- Updated regularly — at least annually, or whenever your business materially changes
- Audit-ready — the IRS or FTC may request it during an inquiry or enforcement action
Whether you have one employee or fifty, a WISP is required. Firms without one are not just non-compliant — they’re exposed.
2. Access Controls and Network Security — Including VPN
The IRS (Publications 1075 and 4557) requires firms to implement controlled access protections, both physical and digital, to prevent unauthorized individuals from accessing sensitive client data, including Federal Tax Information (FTI).
One of the foundational tools for meeting this requirement is a Virtual Private Network (VPN).
A VPN creates an encrypted tunnel for your internet traffic — whether you’re working from your office, your home, or a coffee shop. Without one, data sent over an untrusted network (public Wi-Fi, for example) can be intercepted or tampered with. With one, client information is encrypted in transit on any connection, so the network you happen to be on no longer decides whether that traffic is exposed.
For firms with remote staff or employees who work outside the office, a VPN is not just a best practice — it’s a core component of your access control infrastructure and a documented safeguard you can point to in your WISP.
3. Cybersecurity Awareness Training — Annual Requirement
Human error is the leading cause of data breaches — and the IRS knows it. Under Publication 1075, role-based security awareness training is required annually for all employees, alongside ongoing insider-threat programs.
Cybersecurity awareness training equips your team to recognize and avoid the most common attack vectors:
- Phishing emails that impersonate the IRS, software vendors, or clients
- Social engineering tactics that manipulate staff into sharing credentials
- Malicious attachments and links that deploy ransomware or steal data
Training should include phishing simulations — realistic test scenarios that expose vulnerabilities before a real attacker does. When employees learn to spot threats in a low-stakes environment, your firm is dramatically better protected in the real world.
Documenting your training program is equally important. Your WISP should record who was trained, when, and on what topics — creating an audit trail that demonstrates compliance.
4. 24/7 Threat Monitoring — MDR with a Security Operations Center (SOC)
Even the best policies and training can’t catch every threat. Cybercriminals operate around the clock, and a breach that isn’t detected quickly can cause catastrophic damage to client data, firm operations, and your professional reputation.
Managed Detection and Response (MDR) with a 24/7 Security Operations Center (SOC) provides continuous, real-time monitoring of your systems by a dedicated team of security professionals. Unlike basic antivirus software, MDR actively hunts for threats, investigates anomalies, and neutralizes attacks before they become full breaches.
This level of protection directly supports your obligations under Publication 1075, which requires documented incident response procedures and reporting protocols for FTI-related security incidents. When your SOC detects and neutralizes a threat at 2 a.m. on a Saturday, that event is logged, documented, and available as evidence of your firm’s active risk management — exactly what regulators and auditors look for.
The Cost of Non-Compliance
The financial exposure for firms that fail to meet IRS and FTC data security requirements is significant:
- FTC fines for Safeguards Rule violations can exceed $50,000 per violation
- IRS sanctions may include loss of e-filing privileges, which can effectively halt your practice
- State-level penalties may apply in addition to federal fines
- Civil liability from affected clients adds further financial and reputational risk
Beyond the fines, a data breach can permanently damage the trust you’ve built with clients. In an industry built on confidentiality and accuracy, a security failure isn’t just a legal problem — it’s an existential one.
What a Compliant Security Program Looks Like
For most CPA firms and financial practices, meeting IRS and FTC requirements means having four core elements in place:
| Requirement | What It Covers | Regulatory Basis |
|---|---|---|
| WISP | Documented security policies and procedures | FTC Safeguards Rule, IRS Pub. 5708 |
| VPN | Encrypted network access and remote work protection | IRS Pub. 1075, Pub. 4557 |
| Cybersecurity Training | Annual employee training and phishing simulations | IRS Pub. 1075 |
| MDR / 24/7 SOC | Continuous threat monitoring and incident response | IRS Pub. 1075, Pub. 4557 |
Together, these four components address the technology, training, and response plan requirements the IRS emphasizes for firms of every size — from solo practitioners to large multi-partner operations.
Getting Started: Next Steps for Your Firm
If your firm doesn’t yet have these protections in place — or if your current policies are outdated, undocumented, or untested — now is the time to act. Here’s where to start:
- Audit your current security posture. What do you have? What’s missing? What’s documented?
- Create or update your WISP. Use IRS Publication 5708 as a starting framework, but tailor it to your firm’s specific systems, staff, and risks.
- Implement a VPN for all employees, especially those who work remotely or travel.
- Schedule annual cybersecurity training and document participation.
- Engage an MDR provider with a 24/7 SOC to ensure continuous protection and incident response capability.
The IRS has made it clear: the question is no longer whether firms need enterprise-level security — it’s whether they have it in place before an incident forces the issue.
Protect Your Clients. Protect Your Firm.
The IRS’s guiding phrase — “Protect Your Clients; Protect Yourself” — captures what’s at stake for every tax and financial professional. Your clients trust you with their most sensitive financial information. Federal regulators expect you to protect it. And cybercriminals are actively trying to steal it.
Meeting IRS and FTC data security requirements isn’t just a compliance checkbox. It’s how you demonstrate to clients, regulators, and the broader market that your firm takes its obligations seriously — and that their data is in trustworthy hands.
For more information on IRS data security guidelines for tax professionals, refer to IRS Publications 1075, 4557, and 5708, available at irs.gov.