IRS Publication 4557, titled “Safeguarding Taxpayer Data,” is the IRS’s official guidance document that outlines data security requirements for tax professionals. If your CPA firm prepares, processes, or stores federal tax returns, Publication 4557 applies to you. One82 is a managed service provider based in Los Gatos, California, specializing in IT, cybersecurity, compliance, and AI for professional services firms in the San Francisco Bay Area. We have worked with CPA firms across the region for over 26 years to build IT environments that meet Publication 4557’s requirements and protect the sensitive taxpayer data your firm handles every day.

This guide explains what Publication 4557 requires, how those requirements translate into specific technology controls, and how a qualified managed IT provider helps your firm maintain compliance year-round.

What Is IRS Publication 4557?

Publication 4557 is a free IRS publication that provides tax professionals with a comprehensive checklist for safeguarding taxpayer data. Originally published to address the growing threat of identity theft and data breaches targeting tax preparers, the publication has been updated regularly — most recently revised in 2024 — to reflect the evolving cybersecurity landscape.

The publication is not a regulation in itself, but it reflects the requirements of several federal laws and regulations that do carry enforcement weight, including:

  • The Gramm-Leach-Bliley Act (GLBA) — Requires financial institutions (including tax preparers) to protect customer information
  • The FTC Safeguards Rule — Enforces specific data security requirements under GLBA, updated in 2023 with stricter technical requirements
  • IRS Revenue Procedure 2007-40 — Establishes requirements for e-file providers
  • Federal Trade Commission Act, Section 5 — Prohibits unfair or deceptive practices, including failure to protect consumer data

According to the IRS, tax-related identity theft resulted in $5.7 billion in fraudulent refunds in the 2023 filing season (IRS Criminal Investigation Annual Report, 2023). CPA firms that fail to implement adequate safeguards are not just at risk of data breaches — they face potential regulatory action, loss of e-filing privileges, and malpractice liability.

Who Does Publication 4557 Apply To?

Publication 4557 applies to any individual or firm that handles federal tax information, including:

  • CPA firms that prepare individual or business tax returns
  • Enrolled agents
  • Tax attorneys
  • Bookkeeping firms that handle payroll tax data
  • Any firm with an Electronic Filing Identification Number (EFIN)

If your firm has access to Social Security numbers, Employer Identification Numbers, financial account information, or any other data used in tax preparation, Publication 4557’s guidance applies to your operations.

Key Requirements from Publication 4557

Publication 4557 organizes its security requirements into several categories. Here are the specific technical and administrative controls your firm needs to have in place:

1. Written Information Security Plan (WISP)

Publication 4557 requires every tax professional to create and maintain a Written Information Security Plan. This document must:

  • Identify the types of taxpayer data your firm collects and stores
  • Describe the safeguards in place to protect that data
  • Designate an employee to coordinate the security program
  • Identify reasonably foreseeable risks and assess the sufficiency of existing safeguards
  • Detail your firm’s incident response procedures

The AICPA’s 2024 Cybersecurity Survey found that only 52% of CPA firms with fewer than 50 employees had a documented information security plan (AICPA, 2024). If your firm is in the other 48%, this is the most critical gap to close.

2. Employee Security Training

All staff with access to taxpayer data must receive security awareness training that covers:

  • Recognizing phishing emails and social engineering attempts
  • Proper handling and disposal of taxpayer documents
  • Password policies and authentication requirements
  • Reporting procedures for suspected security incidents

Training should occur at hire and at least annually thereafter.

3. Technical Safeguards

Publication 4557 specifies a range of technical controls:

Access controls:

  • Unique user accounts for every employee (no shared logins)
  • Multi-factor authentication (MFA) for accessing tax software, email, and remote connections
  • Role-based access so staff can only reach the data they need for their work

Endpoint protection:

  • Current antivirus and anti-malware software on all devices
  • Endpoint Detection and Response (EDR) tools for real-time threat monitoring
  • Automatic security updates and patch management

Data protection:

  • Encryption of taxpayer data at rest and in transit
  • Secure backup with off-site or cloud storage
  • Verified backup restoration procedures tested regularly

Network security:

  • Firewall protection on all network connections
  • Secure Wi-Fi with WPA3 encryption
  • Virtual Private Network (VPN) for remote access
  • Network segmentation to isolate sensitive systems

Email security:

  • Email encryption for messages containing taxpayer data
  • Spam and phishing filters
  • Domain-based authentication (DMARC, SPF, DKIM)

4. Physical Security

Your office environment must include safeguards for physical access to taxpayer data:

  • Locked storage for paper records containing taxpayer information
  • Secure disposal of documents (cross-cut shredding)
  • Restricted physical access to servers and network equipment
  • Visitor policies for areas where taxpayer data is accessible

5. Incident Response Plan

Your firm must have a documented plan for responding to data security incidents that includes:

  • Steps for containing and assessing a breach
  • Notification procedures for affected taxpayers
  • Reporting requirements to the IRS (Form 14039, Identity Theft Affidavit; reporting to the IRS Identity Protection Specialized Unit)
  • Reporting to state attorneys general as required by state breach notification laws
  • Documentation and post-incident review procedures

How a Managed IT Provider Helps CPA Firms Comply

Meeting Publication 4557’s requirements is not a one-time project. It requires ongoing monitoring, maintenance, and documentation that most CPA firms do not have the internal capacity to manage alone. Whether your firm is in San Jose, Campbell, Palo Alto, or Santa Clara, these requirements apply equally — and the consequences of non-compliance are the same. A managed IT provider with CPA firm experience handles compliance as part of day-to-day operations:

WISP creation and maintenance. One82 helps CPA firms develop their Written Information Security Plan and keeps it updated as the firm’s technology environment changes, new staff are added, or new threats emerge.

Continuous technical compliance. The technical safeguards required by Publication 4557 — EDR, MFA, encryption, patching, backup testing — are standard components of One82’s managed security stack. They are deployed, monitored, and maintained automatically rather than requiring your firm to manage them manually.

Employee training programs. One82 provides ongoing security awareness training for CPA firm staff, including simulated phishing exercises that test readiness and identify employees who need additional coaching.

Compliance documentation and reporting. When regulators, auditors, or cyber insurance carriers ask for evidence of your security controls, your MSP should be able to produce it immediately. One82 maintains compliance documentation that demonstrates your firm’s adherence to Publication 4557’s requirements.

Incident response support. If a security incident occurs, One82’s team manages containment, investigation, and recovery while helping your firm fulfill its notification and reporting obligations.

The Connection Between Publication 4557 and Cyber Insurance

Cyber insurance carriers have dramatically tightened their underwriting requirements over the past three years. Many of the controls they now require — MFA, EDR, encrypted backups, security awareness training, written security policies — mirror the requirements of Publication 4557.

CPA firms that implement Publication 4557’s safeguards are generally well-positioned for cyber insurance renewal, while firms without these controls may face policy denials, coverage exclusions, or significantly higher premiums.

Frequently Asked Questions

Is IRS Publication 4557 legally binding?

Publication 4557 itself is guidance, not a standalone regulation. However, the security requirements it describes are drawn from legally binding authorities including the Gramm-Leach-Bliley Act, the FTC Safeguards Rule, and FTC Act Section 5. Failure to implement the safeguards described in Publication 4557 can result in FTC enforcement actions, loss of e-filing privileges, and civil liability in the event of a data breach.

What is a Written Information Security Plan (WISP)?

A WISP is a documented plan that describes how your firm protects taxpayer data. It identifies the data you collect, the safeguards you have in place, the employee responsible for coordinating security, and your procedures for responding to a breach. Publication 4557 requires every tax professional to maintain a current WISP.

How often should my firm update its security plan?

At minimum, annually. However, your WISP and security controls should also be reviewed whenever there is a significant change to your firm’s IT environment — such as adding a new office location, adopting new software, onboarding new staff, or experiencing a security incident.

What happens if my firm has a data breach involving taxpayer information?

You must notify affected taxpayers, report the breach to the IRS, and comply with your state’s breach notification laws. You should also report the incident to your cyber insurance carrier and, in many cases, to local law enforcement. Having a documented incident response plan in place before a breach occurs significantly reduces response time and legal exposure.

Does Publication 4557 apply to firms that use cloud-based tax software?

Yes. Even if your tax preparation software runs in the cloud, your firm still handles taxpayer data on local devices, in email communications, and in document storage systems. Publication 4557’s requirements apply to all environments where taxpayer data is accessed, transmitted, or stored — not just on-premises servers.

Can a managed IT provider help my firm write a WISP?

Yes. A managed IT provider experienced with CPA firms can draft your Written Information Security Plan based on your firm’s specific technology environment, and then maintain it as your infrastructure evolves. One82 provides WISP creation and annual review as part of our compliance services for CPA firms.