IRS Publication 4557, Safeguarding Taxpayer Data, is the long-standing IRS guidance that tells paid tax preparers how to protect client information. It predates and underpins IRS Publication 5708 and operationalizes the FTC Safeguards Rule for tax practices.
IRS Publication 4557, Safeguarding Taxpayer Data, is the document that quietly underpins every conversation tax preparers have about cybersecurity. Although the newer IRS Publication 5708 gets most of the attention because it ships with a WISP template, Pub 4557 is the original IRS reference that explains why a preparer has the obligation in the first place — and most state board guidance, e-file software security requirements, and IRS Stakeholder Liaison talking points still trace back to it.
This guide walks through what Pub 4557 actually says, who it applies to, how it interlocks with the FTC Safeguards Rule and Pub 5708, and the practical steps a tax preparer, CPA, enrolled agent, or bookkeeper should take to bring their firm into alignment.
What is Publication 4557?
Pub 4557 is an IRS publication titled Safeguarding Taxpayer Data — A Guide for Your Business. It has been periodically revised since the early 2000s and serves three purposes:
- It tells paid preparers that they are financial institutions under the Gramm-Leach-Bliley Act and therefore subject to the FTC Safeguards Rule.
- It summarizes the safeguards a practice should have in place — administrative, technical, and physical — in plain English.
- It lists IRS-specific obligations, including e-Services account protection, EFIN safeguards, and breach reporting expectations.
The publication is not a regulation. It does not create new legal obligations beyond what the FTC, GLBA, and IRS already impose. What it does is consolidate those obligations into a document a small firm can actually read in one sitting.
Who Pub 4557 applies to
Pub 4557 is written for paid preparers of federal tax returns — anyone with a PTIN. In practice, the same security framework applies to every adjacent role:
- Enrolled agents and CPAs handling tax matters
- Bookkeepers with access to client financial records
- Payroll providers
- Independent contractors working under a firm's EFIN
- Firms outsourcing return prep offshore (the U.S. firm remains responsible)
See the bookkeeper and enrolled agent WISP guide for how non-PTIN roles inherit the same obligations through the GLBA definition.
How Pub 4557 relates to Pub 5708, the FTC Safeguards Rule, and GLBA
These four documents are layered, not redundant:
- GLBA — the 1999 federal statute that makes you a financial institution if you handle taxpayer or client financial information.
- FTC Safeguards Rule (16 CFR Part 314) — the implementing regulation. Defines the nine elements every covered firm must include in its security program. Detailed walkthrough in our GLBA Safeguards Rule pillar guide.
- IRS Pub 4557 — plain-English IRS guidance translating the Safeguards Rule for tax preparers, plus IRS-specific items like e-Services and EFIN protection.
- IRS Pub 5708 — the WISP template. Takes everything in Pub 4557 and turns it into a fill-in document tailored to a tax practice. See our free WISP template guide.
When a preparer attests at PTIN renewal that they have "a written data security plan consistent with IRS guidance," they are attesting to both Pub 4557 and Pub 5708. The current 2026 WISP requirements assume the firm has read and applied both.
The Pub 4557 safeguards, summarized
The publication organizes its recommendations into three control families that mirror the FTC Safeguards Rule and NIST guidance.
Administrative safeguards
These are the policies, procedures, and people. Pub 4557 emphasizes designating someone responsible for security (the same Qualified Individual the Safeguards Rule names), training every employee at hire and annually, screening new hires with background checks where appropriate, and documenting policies in writing. Verbal understanding is not safeguarding under Pub 4557.
Technical safeguards
The technical list has expanded with every revision and now closely tracks the 2023 Safeguards Rule technical baseline:
- Strong passwords and multi-factor authentication on every system holding taxpayer data
- Encryption at rest (full-disk on every workstation and laptop) and in transit (TLS for email and file transfer)
- Up-to-date antivirus and endpoint detection
- Patched operating systems and tax software
- Backups, tested for restorability, stored off-site or in a tenant the threat actor cannot reach
- Secure wiping of devices before disposal
- Network segmentation between guest Wi-Fi and the production network
These are the same items the FTC Safeguards Rule WISP checklist grades against.
Physical safeguards
Pub 4557 still cares about paper, doors, and locks. Lock the office. Lock the file cabinets. Shred paper containing PII. Restrict access to areas where taxpayer data is processed. Track who has keys and badges. Most small firms forget this category because it feels old-fashioned; the IRS has not forgotten.
IRS-specific items Pub 4557 highlights
Three obligations in Pub 4557 are unique to tax preparers and do not appear in generic GLBA guidance:
e-Services account protection. The IRS treats compromise of an e-Services account as a Tier-1 incident. Pub 4557 recommends a dedicated, MFA-enforced credential for e-Services, never shared, never used for general email.
EFIN safeguards. The Electronic Filing Identification Number is the identity the IRS uses to attribute returns. Pub 4557 recommends checking your EFIN usage statistics in e-Services weekly during filing season. A spike means someone is filing fraudulent returns under your EFIN.
Data theft reporting. Pub 4557 directs preparers to contact their IRS Stakeholder Liaison immediately upon suspected data theft, and to notify the state tax agency in every affected state. The data breach response checklist turns this into an hour-by-hour playbook.
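The weekly EFIN check described above can be written down as a small reconciliation routine. This is an added example, not part of Pub 4557 or any IRS tool. It goes one step beyond the text by comparing the IRS-side count against the firm's own transmission log, and falling back to a spike test only when that log is missing. The function name, week keys, thresholds, and all counts are assumptions constructed for illustration; the IRS-side numbers are assumed to be typed in by hand from e-Services.

```python
from statistics import median

# Constructed sample data. IRS_COUNTS: returns the IRS attributes to the EFIN,
# per ISO week, as read off the e-Services EFIN status page and entered by hand.
IRS_COUNTS = {"2026-W06": 14, "2026-W07": 17, "2026-W08": 16,
              "2026-W09": 41, "2026-W10": 58}
# FIRM_COUNTS: returns the firm's own software logged as transmitted.
# W10 is deliberately absent (log not yet exported).
FIRM_COUNTS = {"2026-W06": 14, "2026-W07": 17, "2026-W08": 16, "2026-W09": 18}


def reconcile_efin(irs_counts, firm_counts, tolerance=0, spike_ratio=2.0):
    """Return a list of (week, kind, count) findings.

    kind == "unexplained": the IRS shows more returns than the firm sent;
                           count is the excess above the firm's own number.
    kind == "spike":       no firm count exists for the week, and the IRS
                           number is at least spike_ratio times the median
                           of earlier clean weeks; count is the excess
                           above that baseline.
    tolerance absorbs timing differences, such as a return transmitted
    late in one week and counted in the next (an assumption of this example).
    """
    findings = []
    clean_history = []  # IRS counts from weeks that raised no finding
    for week in sorted(irs_counts):  # ISO week keys sort chronologically
        irs = irs_counts[week]
        firm = firm_counts.get(week)
        flagged = False
        if firm is not None:
            excess = irs - firm
            if excess > tolerance:
                findings.append((week, "unexplained", excess))
                flagged = True
        elif clean_history:
            baseline = max(median(clean_history), 1)
            if irs >= spike_ratio * baseline:
                findings.append((week, "spike", irs - int(baseline)))
                flagged = True
        if not flagged:
            # Suspect weeks stay out of the baseline so they cannot mask later ones.
            clean_history.append(irs)
    return findings


if __name__ == "__main__":
    for week, kind, count in reconcile_efin(IRS_COUNTS, FIRM_COUNTS):
        print(f"{week}: {kind}, {count} returns above expected")
```

Any finding is a reason to start the data theft reporting steps in the next paragraph rather than to wait for the following week's numbers.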
Where Pub 4557 falls short
Pub 4557 is excellent as a primer but has not kept full pace with the 2021/2023 FTC Safeguards Rule amendments. Three items the rule requires but Pub 4557 still under-emphasizes:
- Written risk assessment — Pub 4557 mentions risk assessment but does not provide a structured template.
- Written incident response plan — required by 16 CFR § 314.4(h) for firms over 5,000 customers; Pub 4557 treats it as best practice.
- Annual report to the governing body — required for firms above the 5,000 threshold; not addressed in Pub 4557 at all.
A firm that follows Pub 4557 line by line will be in good shape, but it will not be fully aligned with the current Safeguards Rule without adding these three items. Pub 5708 closes most of the gap.
How to use Pub 4557 in your WISP
The cleanest pattern we see in audited firms is to cite Pub 4557 as the foundational reference in the WISP's introduction, use the Pub 5708 template structure for the body, and append the FTC Safeguards Rule cross-walk so an examiner can find each of the nine elements by citation. The WISP template guide shows how the references nest.
Bottom line
IRS Publication 4557 is still the right starting point for any tax or accounting professional building a security program. It is short, free, and written by the regulator that will examine you. Pair it with Pub 5708, the FTC Safeguards Rule, and a current risk assessment, and you have the full picture of what "safeguarding taxpayer data" means in 2026.