When a tax practice suspects a data breach, the first hour decides almost everything that follows. This checklist gives tax preparers, CPAs, EAs, and bookkeepers a step-by-step playbook covering the IRS Stakeholder Liaison, the FTC's 30-day rule, state notification, e-file provider, cyber insurance, and client communication.
A data breach at a tax practice triggers an unusual number of overlapping notification clocks: the IRS expects same-day contact, the FTC has its 30-day portal rule, state attorneys general have their own breach statutes, the e-file software provider needs to know, and the cyber insurance carrier needs to be on the phone before any forensic action is taken. Get the order wrong and the firm can void its insurance, miss a statutory deadline, or let a threat actor file fraudulent returns under its EFIN.
This checklist gives tax preparers, CPAs, enrolled agents, and bookkeepers a defensible, hour-by-hour playbook. Pair it with a tested incident response plan and a current risk assessment so the team is not improvising at 11 p.m.
The first hour: stop, document, call
Before doing anything technical, complete three actions in this exact order:
- Document the trigger. Write down who noticed what, when, and on which system. Time-stamp every note. Every downstream notification deadline runs from discovery, and "discovery" is the time stamp on this note.
- Call the cyber insurance breach hotline. The number is on the policy declarations page. Calling first preserves coverage. The carrier will route you to panel counsel and a DFIR firm at pre-negotiated rates.
- Stop volunteer forensics. Do not reimage, do not delete suspicious files, do not log in to "see what happened" with admin credentials. Each of those actions destroys evidence the carrier and counsel will need.
Hours 1–4: containment and team activation
With counsel and the carrier on standby, the Incident Commander runs containment:
- Disable affected user accounts and revoke active sessions (M365: Revoke Sessions + reset password + reset MFA registration).
- Isolate affected endpoints from the network. EDR with a "network isolate" function makes this one click.
- Block the threat actor's known infrastructure at the firewall and in M365 conditional access.
- Rotate global admin and privileged service account credentials.
- Review M365 audit logs for mailbox forwarding rules, OAuth grants, and new admin role assignments — the actor's persistence mechanisms.
- Notify the internal team using an out-of-band channel (personal phones, not the compromised mail tenant).
The Microsoft 365 automation guide shows which audit logs to pull first.
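The audit-log review in the containment list above is where most firms stall, so here is a small triage script as an added example (not WISPWolf's code and not a Microsoft tool). It assumes the export shape produced by Search-UnifiedAuditLog, where each record carries its details as a JSON string in the AuditData field, and runs over constructed sample records embedded below. The operation names, forwarding parameters, and privileged-role list are this example's assumptions about what matters; compare them against your own tenant before relying on the output.

```python
"""Triage an exported Microsoft 365 Unified Audit Log for the three persistence
mechanisms named in the checklist: mailbox forwarding rules, OAuth consent
grants, and new admin role assignments.  Added example with constructed data."""
import json
from datetime import datetime

# Assumed operation names as they appear in Exchange and Entra ID audit records.
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox",
                  "New-TransportRule", "Set-TransportRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress",
                  "DeliverToMailboxAndForward"}
CONSENT_OPS = {"Consent to application.", "Add OAuth2PermissionGrant.",
               "Add app role assignment grant to user."}
ROLE_OPS = {"Add member to role."}
# Assumed list of roles worth an immediate finding; extend to taste.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "Application Administrator",
                    "Cloud Application Administrator", "Security Administrator"}


def _prop(props, name):
    """Return the NewValue of the ModifiedProperties entry called `name`, or ''."""
    for p in props or []:
        if p.get("Name") == name:
            return str(p.get("NewValue", ""))
    return ""


def classify(audit):
    """Map one decoded AuditData object to (category, detail), or None if benign."""
    op = audit.get("Operation", "")
    if op in FORWARDING_OPS:
        # Parameters is a list of {"Name": ..., "Value": ...}; a rule that only
        # moves mail to a folder is not flagged, only one that sends it elsewhere.
        hits = {p["Name"]: p["Value"] for p in audit.get("Parameters", [])
                if p.get("Name") in FORWARD_PARAMS}
        return ("mail_forwarding", f"{op} {hits}") if hits else None
    if op in CONSENT_OPS:
        scope = _prop(audit.get("ModifiedProperties"), "ConsentAction.Permissions")
        return "oauth_grant", f"{op} app={audit.get('ObjectId')} {scope}".strip()
    if op in ROLE_OPS:
        role = _prop(audit.get("ModifiedProperties"), "Role.DisplayName")
        if role in PRIVILEGED_ROLES:
            return "admin_role", f"{role} granted to {audit.get('ObjectId')}"
    return None


def triage(lines, since=None):
    """Parse export lines (one JSON record each) and return findings at or after
    the ISO timestamp `since`, oldest first, so the timeline reads top-down."""
    cutoff = datetime.fromisoformat(since) if since else None
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        audit = rec.get("AuditData")
        if isinstance(audit, str):  # Search-UnifiedAuditLog nests the detail as a JSON string
            audit = json.loads(audit)
        when = datetime.fromisoformat(audit["CreationTime"])
        if cutoff and when < cutoff:
            continue
        hit = classify(audit)
        if hit:
            findings.append({"time": when.isoformat(), "category": hit[0],
                             "actor": audit.get("UserId"),
                             "client_ip": audit.get("ClientIP"), "detail": hit[1]})
    return sorted(findings, key=lambda f: f["time"])


def _rec(record_type, audit):
    """Build one constructed export line in the outer/inner shape described above."""
    return json.dumps({"RecordType": record_type, "Operations": audit["Operation"],
                       "AuditData": json.dumps(audit)})

# Constructed sample export: deliberately out of order, with two benign records.
SAMPLE_EXPORT = [
    _rec(15, {"CreationTime": "2025-03-03T01:58:00", "Operation": "UserLoggedIn",
              "UserId": "staff1@example-cpa.test", "ClientIP": "203.0.113.45"}),
    _rec(8, {"CreationTime": "2025-03-03T02:31:05", "Operation": "Add member to role.",
             "UserId": "staff1@example-cpa.test", "ObjectId": "svc-backup2@example-cpa.test",
             "ModifiedProperties": [{"Name": "Role.DisplayName",
                                     "NewValue": "Global Administrator", "OldValue": ""}]}),
    _rec(1, {"CreationTime": "2025-03-03T02:10:31", "Operation": "New-InboxRule",
             "UserId": "staff1@example-cpa.test", "ClientIP": "198.51.100.7",
             "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                            {"Name": "MoveToFolder", "Value": "Archive"}]}),
    _rec(1, {"CreationTime": "2025-03-03T02:14:09", "Operation": "New-InboxRule",
             "UserId": "staff1@example-cpa.test", "ClientIP": "203.0.113.45",
             "Parameters": [{"Name": "Name", "Value": "."},
                            {"Name": "ForwardTo", "Value": "ext-drop@example.net"},
                            {"Name": "DeleteMessage", "Value": "True"}]}),
    _rec(8, {"CreationTime": "2025-03-03T02:22:40", "Operation": "Consent to application.",
             "UserId": "staff1@example-cpa.test", "ClientIP": "203.0.113.45",
             "ObjectId": "constructed-app-object-id",
             "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
                                    {"Name": "ConsentAction.Permissions",
                                     "NewValue": "Scope: Mail.ReadWrite Mail.Send offline_access"}]}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"{f['time']}  {f['category']:<16} {f['actor']}  {f['client_ip']}  {f['detail']}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the lines of a JSON-per-line dump, and pass `since` as the discovery timestamp from your first-hour note (minus a generous lookback) to scope the review. Every finding carries the actor, client IP and time, which is exactly what counsel and the DFIR firm will ask for first.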
Same day: regulator notifications begin
The IRS expects same-day contact for any suspected taxpayer-data compromise. Counsel typically drafts and the firm sends:
- IRS Stakeholder Liaison email covering your state. Subject line: "Reportable Data Incident — [Firm Name] — [EFIN]". Include date and time of discovery, brief facts, estimated number of affected clients, EFIN, contact for follow-up.
- FBI / IC3.gov report if ransomware, BEC, or wire fraud is involved. The Internet Crime Complaint Center form takes 10 minutes and creates the case number insurers and counsel will reference.
- E-file software provider (Drake, UltraTax, Lacerte, ProSeries, ATX). They can flag your EFIN for unusual activity and provide log data.
- State department of revenue in every state where affected clients filed. Each state has a dedicated tax-pro security contact.
IRS Publication 4557 directs preparers to take this step the same day — see the Pub 4557 guide for the underlying IRS expectations.
Days 1–3: scoping and evidence
With containment holding, the DFIR firm scopes the breach. Three questions drive the next 72 hours:
- What was accessed? Mailbox contents, SharePoint folders, the document management system, the tax software database, backups.
- What was exfiltrated? Egress to external IPs, mass download events, OAuth-grant-based downloads.
- How did they get in? Phished credential, unpatched system, third-party vendor compromise, social engineering of a staff member.
The answer to "what was exfiltrated" usually determines whether the event crosses the FTC's 500-consumer threshold and the various state thresholds. The DFIR report becomes the foundation document for every notification that follows.
Within 30 days: FTC and state notifications
Two federal-level clocks matter:
FTC Safeguards Rule. If unencrypted information of 500 or more consumers is involved, file a notification through the FTC's online portal within 30 days of discovery. The portal asks for firm name and contact, a description of the event, the type of information involved, and the number of consumers affected. The notification becomes public on the FTC's website. See the GLBA Safeguards Rule guide for the underlying authority.
State attorney general notifications. Every state has its own breach statute. Deadlines range from "as soon as possible" to 60 days. Several states (California, New York, Texas, Massachusetts, Washington) require notification regardless of consumer count if the data set includes SSNs. Counsel maintains the matrix and files in each affected state.
Client notification
Notification to affected individuals is required under both the IRS guidance and every state breach statute. The notification letter must include:
- What happened, when, and what was accessed (in plain language)
- Steps the firm is taking
- Steps the recipient should take (IRS Form 14039 Identity Theft Affidavit, IRS IP PIN enrollment, state tax-agency notification, credit-freeze instructions)
- Offer of free credit monitoring (12–24 months is industry standard; the cyber policy usually pays)
- Toll-free contact for questions
Counsel drafts and approves the letter before it goes out. Sending without legal review is the most common way firms turn a contained incident into a class action.
Within 60 days: post-incident review
Once the immediate response is complete, the firm runs a documented post-incident review:
- Timeline of every action and decision
- Root cause and any contributing factors
- Controls that worked
- Controls that failed or did not exist
- Changes to the WISP, risk assessment, and IRP
- Training updates for staff
- Vendor changes
The report is filed with the Qualified Individual and presented to the governing body. The annual WISP review checklist uses these post-incident artifacts to drive program updates.
What not to do
Four patterns turn manageable breaches into catastrophic ones:
Paying ransomware before calling the carrier and counsel. OFAC sanctions, regulatory reporting, and coverage all hinge on the order of operations. The negotiator on the carrier panel handles this.
Communicating with the threat actor on personal channels. The DFIR firm and counsel run all communication. Owners who text the attacker from personal phones create discoverable records that destroy coverage and case posture.
Sending a client notification letter before counsel reviews it. Wording that promises specific remediation, admits liability, or describes the incident incorrectly invites litigation.
Skipping the IRS Stakeholder Liaison call. The Liaison's identity-theft markers are the single most effective tool to stop fraudulent returns. Skipping the call to "wait for facts" is the most common mistake we see.
Build the muscle before you need it
The firms that handle breaches well have three artifacts ready before the event: a current WISP, a tested IRP, and an updated risk assessment. They have also run at least one tabletop exercise in the prior 12 months. The annual Pub 5708 review is when most firms test the playbook in a low-stakes setting.
Bottom line
A data breach is the moment your WISP either pays for itself or proves it was theater. Use this checklist as the cover page of your IRP and rehearse it once a year. The first call is the cyber carrier; the second is the IRS Stakeholder Liaison; everything else flows from there.
Sources & References
Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.
- IRS Publication 5708 — Creating a Written Information Security Plan
- IRS Publication 4557 — Safeguarding Taxpayer Data
- FTC Safeguards Rule (16 CFR Part 314)
- Gramm-Leach-Bliley Act (GLBA) Safeguards
- IRS Tax Security — Protect Your Clients, Protect Yourself
- NIST Cybersecurity Framework
- Microsoft Security Documentation