A client calls your firm in a panic. Someone filed a fraudulent tax return in their name, and your office is the only place that had all the information needed to do it. The IRS is asking questions. Your professional liability carrier wants documentation of your data security practices. You open a folder on your desktop labeled “WISP” and realize the document inside hasn’t been updated since 2021.
This scenario plays out more often than the accounting profession likes to admit. And IRS Publication 4557 exists precisely to prevent it.
The Problem: Most Firms Treat IRS Publication 4557 as a Checkbox
When the IRS released Publication 4557 (Safeguarding Taxpayer Data), many firms treated it as a nudge toward creating a Written Information Security Plan (WISP) and left it at that. A WISP got drafted, filed in a folder, and promptly forgotten.
But the publication does far more than ask for a document. It spells out the specific data security behaviors the IRS expects of all federal tax return preparers, including CPA firms of every size. These obligations flow directly from the Gramm-Leach-Bliley Act (GLBA), which classifies tax preparers as financial institutions for the purpose of data security law. That classification carries real legal weight.
The common gaps in small CPA firm security aren’t exotic. They show up in everyday practice:
- Staff emailing client tax documents from personal Gmail or Yahoo accounts
- No formal offboarding checklist when an employee leaves, meaning ex-staff may still have access to cloud storage or email
- Third-party software connected to client data that has never been formally vetted
- No documented process for responding to a data breach or unauthorized access event
- A WISP that names technologies or vendors the firm no longer uses
None of these gaps requires a sophisticated attacker to exploit. A former bookkeeper who still has credentials, or a phishing email that lands in a staff member’s personal inbox, is enough.
Why This Matters for CPA Firms
The GLBA’s Safeguards Rule requires financial institutions, including tax preparers, to implement a written information security program, designate a qualified individual to oversee it, and take specific steps to protect customer information. IRS Publication 4557 translates those requirements into plain language for tax professionals and adds IRS-specific obligations on top.
Here is what the IRS specifically expects under 4557 and the Safeguards Rule:
- A WISP that is reviewed and updated at least annually
- Employee security awareness training, documented and repeated
- Vendor and third-party oversight, including written agreements with service providers who handle client data
- An incident response plan that covers detection, containment, client notification, and IRS reporting
- Multi-factor authentication (MFA) on all systems that access taxpayer data
- Encryption of client data in transit and at rest
The IRS has also formalized the obligation to report data theft. If your firm experiences a data breach involving taxpayer information, you are required to report it to the IRS using Form 14242 and to contact the Federation of Tax Administrators (FTA) at [email protected]. Failing to report is not a gray area.
For CPA firms in California, there is additional exposure. The California Consumer Privacy Act (CCPA) applies to firms that meet certain thresholds, and the California Privacy Rights Act (CPRA) extended and strengthened those rules. A breach that triggers IRS reporting obligations may simultaneously trigger state-level notification requirements under California Civil Code Section 1798.29.
The professional risk is equally real. Your state board of accountancy, your professional liability carrier, and your clients all expect that you are handling sensitive financial data responsibly. Documented non-compliance with IRS guidance is difficult to defend when something goes wrong.
How to Align Your Firm With IRS Publication 4557 Requirements
You do not need a full-time security team to meet these requirements. What you need is a structured approach and consistent follow-through. Here is a practical framework for a 5- to 20-person CPA firm.
Start with an honest inventory. List every place client data lives: your tax software, your document management system, your email platform, your cloud file storage, and any portals your clients use to upload documents. Include mobile devices if staff access client data from them. You cannot protect what you have not mapped.
Update or build your WISP. The IRS and the American Institute of Certified Public Accountants (AICPA) both provide WISP templates for small firms. Use one as a starting point, but customize it to reflect your actual systems and practices. Name the person responsible for data security oversight, even if that person is you. Set a calendar reminder to review it every year.
Implement MFA everywhere. This single control stops the majority of credential-based attacks. Enable MFA on your tax software, your Microsoft 365 or Google Workspace account, your remote access tools, and your document portals. Most of these platforms offer MFA at no additional cost.
Lock down offboarding. Create a checklist that your firm runs every time an employee leaves. It should cover revoking access to all systems, reclaiming company devices, changing shared credentials, and removing the person from client-facing portals. Run the same checklist for contractors when engagements end.
Vet your vendors. Make a list of every software or service provider that can access, store, or transmit client data. Review their security documentation or SOC 2 report if available. Confirm that your agreements with them include language addressing data protection and breach notification. This is a specific GLBA requirement, and it applies to your cloud backup provider, your document management vendor, and your e-signature tool.
Write down your incident response plan. It does not need to be long. It needs to answer: Who gets called first? How do we contain the issue? Who notifies affected clients? Who reports to the IRS and when? Practice walking through it once a year.
Train your staff. Security awareness training does not require expensive software. Even a quarterly team meeting that covers phishing examples, password hygiene, and safe document handling satisfies the spirit of the requirement if you document it.
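The steps above are easy to state and easy to let drift. As an added example (not from the article and not One82's tooling), the script below encodes the article's concrete obligations as a check of a firm's data inventory against its WISP summary: annual review, a named security owner, vendors the WISP names but the firm no longer uses, vendors without a written agreement, and systems without MFA or without encryption at rest and in transit. All inventory and WISP data is constructed for illustration; the field names are assumptions, not any template's schema.

```python
"""Consistency check between a data inventory and a WISP summary.
Added example, not from the original article; all sample data is constructed."""
from datetime import date

# Constructed inventory: every place client data lives (step 1 above).
INVENTORY = [
    {"system": "tax software", "vendor": "TaxCo", "mfa": True,
     "encrypted_at_rest": True, "encrypted_in_transit": True},
    {"system": "cloud file storage", "vendor": "DriveCo", "mfa": False,
     "encrypted_at_rest": True, "encrypted_in_transit": True},
    {"system": "e-signature", "vendor": "SignCo", "mfa": True,
     "encrypted_at_rest": False, "encrypted_in_transit": True},
]

# Constructed WISP summary: what the written plan currently says.
WISP = {
    "last_reviewed": date(2021, 3, 1),
    "vendors_named": {"TaxCo", "DriveCo", "OldBackupCo"},
    "vendor_agreements": {"TaxCo"},  # vendors with written data-protection terms
    "security_owner": "",            # empty string means nobody is named
}


def wisp_findings(inventory, wisp, today):
    """Return plain-language findings; an empty list means no gap was found."""
    findings = []
    if (today - wisp["last_reviewed"]).days > 365:
        findings.append("WISP not reviewed in the last 12 months")
    if not wisp["security_owner"]:
        findings.append("no named person responsible for data security oversight")
    current_vendors = {row["vendor"] for row in inventory}
    # Vendors the WISP names but the inventory no longer lists (stale WISP).
    for stale in sorted(wisp["vendors_named"] - current_vendors):
        findings.append(f"WISP names vendor no longer in use: {stale}")
    # Vendors that handle client data but the WISP never mentions.
    for missing in sorted(current_vendors - wisp["vendors_named"]):
        findings.append(f"vendor handling client data not covered by WISP: {missing}")
    # GLBA vendor oversight: a written agreement for every such vendor.
    for vendor in sorted(current_vendors - wisp["vendor_agreements"]):
        findings.append(f"no written data-protection agreement with: {vendor}")
    for row in inventory:
        if not row["mfa"]:
            findings.append(f"MFA not enabled: {row['system']}")
        if not (row["encrypted_at_rest"] and row["encrypted_in_transit"]):
            findings.append(f"client data not encrypted at rest and in transit: {row['system']}")
    return findings


if __name__ == "__main__":
    for finding in wisp_findings(INVENTORY, WISP, date.today()):
        print("-", finding)
```

Run it against a real inventory and the output is the punch list for the next annual WISP review.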
What to Look for in an IT Partner
If your firm works with a managed IT services provider, or is considering one, here are the questions worth asking:
- Do you have experience working with CPA firms or other tax preparers specifically?
- Can you help us draft and maintain a WISP that reflects our actual environment?
- Do you provide documentation we can show to the IRS, our state board, or a liability carrier?
- How do you handle vendor risk management for third-party software we use?
- What is your process when a client experiences a suspected breach?
- Can you confirm that our backup systems encrypt client data at rest and in transit?
A provider who cannot answer these questions clearly is not equipped to support a firm with IRS data security obligations. Look for someone who treats compliance documentation as part of the service, not an afterthought.
The Bottom Line
IRS Publication 4557 is not optional, and it covers more ground than a single document. CPA firms that limit their response to drafting a WISP and moving on are exposed on multiple fronts: employee practices, vendor oversight, incident response, and mandatory breach reporting. The good news is that a small firm can meet these requirements with practical, well-documented controls. You do not need a large budget. You need a clear plan and someone accountable for following it.
Frequently Asked Questions
Is IRS Publication 4557 a legal requirement or just guidance?
Publication 4557 itself is IRS guidance, but the underlying legal requirements it describes come from the Gramm-Leach-Bliley Act and the Federal Trade Commission’s (FTC) Safeguards Rule. Tax preparers are classified as financial institutions under GLBA, which makes the Safeguards Rule’s requirements legally binding. The IRS uses 4557 to explain what compliance looks like in the context of tax practice.
Does a small CPA firm with fewer than 10 employees need a WISP?
Yes. The FTC Safeguards Rule and IRS Publication 4557 apply regardless of firm size. The IRS has explicitly stated that all firms preparing federal tax returns are subject to these obligations. The AICPA and IRS jointly provide a WISP template designed for small and solo practices to lower the barrier to compliance.
What happens if a CPA firm has a data breach and doesn’t report it to the IRS?
Failing to report a data breach involving taxpayer information violates the IRS’s mandatory reporting requirements. The IRS expects firms to report incidents using Form 14242 and to notify the FTA’s Security Summit partners. Beyond IRS consequences, failure to report may also violate state breach notification laws, such as California’s data breach notification statute, and could complicate professional liability claims.
What is the difference between a WISP and an incident response plan?
A WISP (Written Information Security Plan) is the overarching document that describes your firm’s entire data security program, including policies, controls, and assigned responsibilities. An incident response plan is a specific component of the WISP that outlines the steps your firm takes when a security incident occurs. IRS Publication 4557 requires both, and many small firms have a WISP without a clearly written incident response procedure.
One82 provides managed IT, cybersecurity, compliance, and AI integration services exclusively for professional services firms in the San Francisco Bay Area. Schedule a 15-Minute Discovery Call to discuss your firm’s IRS Publication 4557 compliance posture.