IRS Publication 4557: every tax pro needs a security plan
The IRS requires every tax professional who handles taxpayer data to have a Written Information Security Plan. Publication 4557 spells out exactly what that means: data safeguards, identity theft prevention, physical security, and incident response. BlackSheep tracks every requirement so your practice stays compliant.
$249/month · All frameworks included · No credit card to start
- 47 security controls
- 5 control categories
- $100K FTC fine per violation
- Annual WISP review required
Five categories of IRS 4557 security requirements
Based on FTC Safeguards Rule requirements, Gramm-Leach-Bliley Act obligations, and IRS-specific security practices for protecting taxpayer data.
Written Information Security Plan (WISP)
irs-wisp · 12 controls
- Designated security coordinator assignment
- Risk assessment of taxpayer data handling
- Employee security awareness training
- Document retention & destruction policies
- Annual WISP review & updates
- Scope covering all systems with taxpayer data
Data Security & Access Controls
irs-data · 11 controls
- Strong password policies & MFA for tax software
- Encryption of taxpayer data at rest & in transit
- Firewall configuration & network segmentation
- Anti-malware & endpoint protection
- Secure Wi-Fi & remote access controls
- Drive encryption on all laptops & portable devices
Identity Theft Prevention
irs-theft · 9 controls
- Client identity verification procedures
- EFIN & PTIN protection measures
- Monitoring for unauthorized tax filings
- Red flags rule implementation
- Secure client data intake processes
- IRS Identity Protection PIN awareness
Physical & Environmental Security
irs-phys · 7 controls
- Office access controls & visitor management
- Locked storage for paper tax records
- Secure disposal of client documents
- Clean desk policy enforcement
- After-hours security procedures
- Equipment theft prevention
Incident Response & Reporting
irs-ir · 8 controls
- Data breach response plan & procedures
- IRS notification via Form 14039
- State attorney general breach notification
- Client notification & credit monitoring
- Law enforcement engagement protocol
- Post-breach remediation & documentation
Does IRS 4557 apply to your practice?
Tax Preparers & CPA Firms
Any individual or firm that prepares federal tax returns for compensation. This includes CPAs, accounting firms with tax practices, and commercial tax preparation businesses. If you have a PTIN and file returns, Publication 4557 applies to you.
- CPA firms with tax practices
- Commercial tax preparation offices
- Seasonal tax preparers
- Bookkeepers who prepare returns
- Franchise tax preparation locations
Enrolled Agents & Attorneys
Enrolled agents authorized to represent taxpayers before the IRS, and attorneys who prepare tax returns or handle tax matters. Their access to taxpayer data through IRS e-Services and the Transcript Delivery System creates direct security obligations.
- Enrolled agents (EA)
- Tax attorneys
- IRS e-Services users
- Practitioners with CAF numbers
- Power of attorney representatives
Payroll & Financial Service Providers
Businesses that process payroll, handle W-2s, or provide financial services involving taxpayer identification numbers. The FTC Safeguards Rule captures any entity that handles consumer financial data, which includes TINs and SSNs.
- Payroll service providers
- Payroll tax filing services
- W-2 & 1099 processing companies
- Tax software hosting providers
- E-filing transmission services
Common questions about IRS 4557 compliance
What exactly needs to be in a WISP?
A WISP must include: a designated security coordinator, a risk assessment identifying threats to taxpayer data, safeguards for each identified risk, employee training requirements, oversight of service providers with access to data, and procedures for evaluating and updating the plan. The IRS provides a template, but your WISP must be tailored to your specific practice, systems, and data flows.
How does the FTC Safeguards Rule apply to tax professionals?
Tax professionals are classified as 'financial institutions' under the Gramm-Leach-Bliley Act because they handle consumer financial data. The FTC Safeguards Rule (16 CFR Part 314) requires these institutions to develop, implement, and maintain a comprehensive information security program. The updated 2023 rule added specific requirements including encryption, MFA, access controls, and annual penetration testing for firms handling data of 5,000+ consumers.
What should I do if taxpayer data is breached?
Immediately contact your local IRS Stakeholder Liaison, file Form 14039 (Identity Theft Affidavit) on behalf of affected clients, notify state attorneys general per state breach notification laws, file a report with local law enforcement, and contact the FTC. You should also notify affected clients promptly and consider providing credit monitoring. Document every step of your response for potential regulatory review.
Is multi-factor authentication required for tax software?
Yes. The IRS requires MFA for all tax preparation software, IRS e-Services accounts, and any system containing taxpayer data. The updated FTC Safeguards Rule also requires MFA for accessing customer information. Missing MFA is one of the most common deficiencies the IRS finds when reviewing tax professional security practices.
How often do I need to update my WISP?
At minimum annually, and whenever material changes occur to your practice — new software, new employees, new office locations, new service providers, or after a security incident. The FTC Safeguards Rule requires your security program to be regularly tested and adjusted. An outdated WISP that does not reflect your current environment provides no compliance protection.
Related frameworks
AICPA Professional Standards
Trust Services Criteria and professional ethics requirements for CPA firms performing attestation and advisory services.
NIST CSF 2.0
The cybersecurity framework recommended by CISA for small businesses including tax practices implementing security programs.
CIS Controls v8.1
Prioritized security controls that provide practical implementation guidance for meeting FTC Safeguards Rule and IRS requirements.
The IRS says you need a WISP. We make it painless.
Track every IRS 4557 requirement, build your Written Information Security Plan, and keep your practice compliant with the FTC Safeguards Rule. BlackSheep maps it all so you can focus on tax season.
$249/month. 30-day money-back guarantee.