IR-2025-79: IRS, Security Summitt remind tax pros they must have a Written Information Security Plan to protect client data

IRS Newswire

July 29, 2025

Issue Number: IR-2025-79

Inside This Issue

IRS, Security Summitt remind tax pros they must have a Written Information Security Plan to protect client data

“Protect Your Clients; Protect Yourself” series highlights the importance of having a Written Information Security Plan.

IR-2025-79, July 29, 2025

WASHINGTON — The Internal Revenue Service and its Security Summit partners today reminded tax professionals about the federal mandate to have a Written Information Security Plan (WISP) designed to help protect them against threats from identity thieves and data breaches. IRS provides resources to help with this process.

As part of a special five-part series, the IRS and Summit partners highlight the importance of tax pros creating and maintaining a WISP.

This marks the third installment of a summer news release series focused on tax professional security. The "Protect Your Clients; Protect Yourself" campaign provides timely tips to help protect sensitive taxpayer data while protecting businesses from identity theft.

These security tips and the WISP are a key focus of the Nationwide Tax Forum, held this summer in cities across the U.S. In addition to this series, a tax professional security component is featured at the three-day continuing education events. The forums continue next week in New Orleans, with remaining events in Orlando, Baltimore and San Diego.

What tax pros should know about WISPs

Required by law. The Gramm-Leach-Bliley Act (GLBA) requires all financial institutions to protect customer data. Under this law, tax and accounting professionals are considered financial institutions and must implement a data security plan. As a part of the plan, the Federal Trade Commission (FTC) requires each firm to:
- Designate one or more employees to coordinate the information security program.
- Identify and assess risks to customer information in relevant areas of the company's operation and evaluate the effectiveness of safeguards.
- Create, implement and regularly monitor and test security safeguards.
- Select service providers that can maintain appropriate safeguards and ensure their contracts require compliance.
The basics of a WISP. A good WISP focuses on three areas:
- Employee management and training
- Information systems
- Detecting and managing system failures
IRS offers WISP tools and resources. IRS Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice is a 28-page template designed to:
- Help tax professionals, especially smaller practices, develop a WISP.
- Guide users through starting a plan, including understanding security compliance requirements and professional responsibilities.

Tax professionals are legally required to have a written, accessible plan and should review, test and update it regularly. Adjustments should be made based on changes in the firm’s operations or security testing and monitoring results.

As part of a security plan, the IRS also recommends that tax professionals develop a data theft response plan, including contacting their IRS Stakeholder Liaison to report a security incident. Tax professionals can also share information with the appropriate state tax agency by visiting the Federation of Tax Administrators’ webpage: Report a Data Breach.

Tax professionals should understand the FTC data breach response requirements as part of their overall information and data security plan. The WISP also includes information on the requirement to report an incident to the FTC when 500 or more individuals are affected within 30 days of the incident.

Additional resources

Publication 5709, How to Create a Written Information Security Plan for Data Safety.
Review Publication 5293, Data Security Resource Guide for Tax Professionals, which provides an overview and resources about how to avoid data theft.
Tax professionals can also get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer Data, and the IRS’s Identity Theft Information Page for Tax Pros.
Read Small Business Information Security: The Fundamentals, by the National Institute of Standards and Technology.

Tax professionals should also stay connected to the IRS through subscriptions to e-News for tax professionals and IRS social media sites.

Thank you for subscribing to the IRS Newswire, an IRS e-mail service.

If you know someone who might want to subscribe to this mailing list, please forward this message to them so they can subscribe.

This message was distributed automatically from the mailing list IRS Newswire. Please Do Not Reply To This Message.

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page. You will need your email address to log in. If you have questions or problems with the subscription service, visit subscriberhelp.govdelivery.com.

This service is provided to you at no charge by the Internal Revenue Service (IRS).

This email was sent to [email protected] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington, D.C. 20535

News Essentials

The Newsroom Topics

IRS Resources

Issue Number: IR-2025-79

Inside This Issue