Every paid tax preparer with a PTIN is required by the IRS and the FTC Safeguards Rule to maintain a current Written Information Security Plan. The IRS now asks about your WISP on the PTIN renewal application, and missing one can put your PTIN at risk.
In a hurry? Get your free Compliance Score, then come back to this guide.
Take the Free Quiz View Sample WISPIf you prepare federal tax returns for compensation, you hold a Preparer Tax Identification Number (PTIN) — and that single fact triggers a federal data security obligation most preparers still don't realize they have. The IRS, working alongside the Federal Trade Commission, requires every paid preparer to create, maintain, and annually review a Written Information Security Plan (WISP). This isn't guidance. It isn't a best practice. It's a requirement that already applies to you.
This article explains what the rule actually says, what your WISP must contain, what happens if you don't have one, and the most common mistakes firms make when they try to comply on their own.
1. What the IRS Requires — and When It Took Effect
The legal foundation comes from two places. The Gramm-Leach-Bliley Act classified professional tax preparers as "financial institutions," which made them subject to the FTC's Safeguards Rule (16 CFR Part 314). The Safeguards Rule was substantially revised in 2021, and the most demanding provisions — written program, designated qualified individual, annual risk assessment, encryption, MFA, vendor oversight, and incident response plan — became enforceable on June 9, 2023.
The IRS reinforced this in Publication 4557, Safeguarding Taxpayer Data, and in Publication 5708, Creating a Written Information Security Plan for your tax and accounting practice. Both publications state plainly that a written security plan is a legal obligation tied to your PTIN, not a suggestion tied to firm size. A solo preparer working from a home office is held to the same standard as a 200-person CPA firm. The element-by-element drafting walkthrough is in the 2026 WISP requirements brief.
Beginning with the 2024 filing season, the IRS also added an annual data security responsibility attestation to PTIN renewal. When you renew, you are confirming under penalty of perjury that you understand your obligation to have a WISP.
Action: Confirm your PTIN is active and note your renewal date — your WISP must be in place and reviewed before you re-attest.
2. What a WISP Must Contain Under IRS Pub 5708
IRS Publication 5708 maps directly to the FTC Safeguards Rule and outlines the elements every preparer's WISP must include. At minimum, your document must:
- Designate a Qualified Individual responsible for the program.
- Document a written risk assessment identifying foreseeable internal and external threats to client data.
- Specify administrative, technical, and physical safeguards, including access controls, encryption of data at rest and in transit, and multi-factor authentication for any system holding customer information.
- Describe employee training requirements and how training is tracked.
- Maintain a vendor management process, including written contracts requiring service providers to implement appropriate safeguards.
- Include a written incident response plan with notification procedures.
- Require annual review and a written report from the Qualified Individual to firm leadership.
The plan must be specific to your firm. A generic template that lists "we use antivirus" without naming the product, the responsible person, or the review cadence does not satisfy the rule. Start from a defensible structure — the free IRS WISP template for tax preparers — and then customize every field. For the wider statutory framing, see the GLBA Safeguards Rule pillar.
Action: Inventory every system that touches taxpayer data and assign a named owner to each safeguard.
3. What Happens If You Don't Have One
Failing to maintain a WISP exposes you to layered consequences. The FTC can pursue civil penalties under the Safeguards Rule, currently set at up to $51,744 per violation. The IRS can refer a non-compliant preparer to the Office of Professional Responsibility, which has authority to suspend or revoke your PTIN and EFIN.
A data breach magnifies everything. If client information is exposed and you cannot produce a current WISP, you face mandatory state breach notifications (47 states have separate laws), potential class-action exposure, and a near-certain cyber insurance claim denial. Carriers increasingly require a current, signed WISP as a condition of coverage — without one, your policy may not respond at the moment you need it most. The cyber insurance questionnaire walkthrough covers the specific warranties carriers are asking about today.
Action: Pull your current cyber insurance policy and check the application warranties for a "written security program" representation.
4. Common Mistakes Firms Make
Most preparers we talk to either don't have a WISP or have one that won't survive an audit. The same three failures appear repeatedly:
- The static PDF. A document downloaded in 2022, signed once, and never opened again. It references software you no longer use and people who no longer work at the firm. Auditors and insurers see this immediately.
- No annual review. The Safeguards Rule requires the Qualified Individual to provide a written annual report to firm leadership. If you cannot produce dated review documentation for each of the last three years, you are out of compliance even if the underlying plan is sound.
- No employee acknowledgment. Every employee with access to taxpayer data must be trained and must acknowledge the policy in writing. A WISP with no signed acknowledgments is treated as unenforced.
A fourth failure is worth naming: treating the WISP as a document instead of a program. The rule requires safeguards to be implemented, monitored, and updated as the firm changes — when you onboard a new staff member, switch tax software, add a cloud storage vendor, or move to a new office. A document cannot do that on its own.
Action: Date your last WISP review. If it's more than 12 months ago — or there isn't one — fix it this week.
5. Generate a Defensible WISP With WISPWolf
WISPWolf produces a firm-specific WISP aligned to the FTC Safeguards Rule and IRS Publications 4557 and 5708, then keeps it alive. It continuously monitors your controls, tracks employee acknowledgments, generates the annual review report your Qualified Individual is required to produce, and assembles the evidence packet your cyber insurance carrier asks for. Start with the free 15-question Compliance Score to see where your PTIN attestation actually stands, then pair the result with the FTC Safeguards Rule checklist. You replace a static template and a calendar reminder with a single living system that holds up under audit.
SourcesIRS Publication 4557, Safeguarding Taxpayer Data. IRS Publication 5708, Creating a Written Information Security Plan for Your Tax & Accounting Practice. Federal Trade Commission, Standards for Safeguarding Customer Information, 16 CFR Part 314.
Sources & References
Primary regulatory and standards sources used throughout WISPWolf's compliance guidance.
- IRS Publication 5708 — Creating a Written Information Security Plan
- IRS Publication 4557 — Safeguarding Taxpayer Data
- FTC Safeguards Rule (16 CFR Part 314)
- Gramm-Leach-Bliley Act (GLBA) Safeguards
- IRS Tax Security — Protect Your Clients, Protect Yourself
- NIST Cybersecurity Framework
- Microsoft Security Documentation
Get the free WISPWolf Compliance Starter Kit
Download the starter kit and identify your compliance gaps. Includes an IRS WISP starter template (not a completed customized WISP), FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist.
Get Your Free WISP Compliance Score
See how your firm's security practices compare to FTC Safeguards Rule and IRS WISP expectations. Answer 15 questions and get a personalized scorecard in minutes.
IRS Pub 5708 Compliant · FTC Safeguards Rule · AES-256 Encrypted · No Credit Card Required