Most tax preparers are surprised to learn they're legally required to have a written data security plan — and that the requirement has real teeth. A WISP isn't optional paperwork; it's a federal obligation tied to the sensitive information you handle. Here's what a WISP is, why you need one, and what it has to cover.
What a WISP Is
WISP stands for Written Information Security Plan. It's a documented plan describing how your practice protects taxpayer data — the administrative, technical, and physical safeguards you have in place, who's responsible for them, and what you do if something goes wrong. The key word is written: a vague intention to "be careful with data" doesn't satisfy the requirement; a documented, maintained plan does.
Why Tax Preparers Are Required to Have One
Under the Gramm-Leach-Bliley Act and the FTC's Safeguards Rule, businesses that handle consumers' financial information are treated as "financial institutions" — and professional tax preparers fall squarely within that definition. The Safeguards Rule requires those businesses to develop, implement, and maintain a written information security program.
The IRS reinforces this. Its guidance on safeguarding taxpayer data (Publication 4557) makes clear that protecting client data is a legal requirement, and in recent years the IRS has asked preparers to confirm, as part of PTIN renewal, that they have a data security plan in place. In short: the FTC requires it, and the IRS expects it.
What a WISP Must Include
While the exact contents scale with the size and complexity of your practice, a compliant WISP generally addresses each of these areas:
- A designated responsible person. Name a qualified individual responsible for overseeing and enforcing the plan.
- A risk assessment. Identify reasonably foreseeable risks to the security and confidentiality of client data — and how you'll address them.
- Safeguards to control those risks. Access controls, multi-factor authentication, encryption of sensitive data (in transit and at rest), secure disposal, and limiting data access to those who need it.
- Employee and contractor training. Everyone with access to client data should understand the policies and how to recognize threats like phishing.
- Service provider oversight. Vet and contractually require your vendors (software, storage, etc.) to protect the data they touch.
- An incident response plan. A documented procedure for what to do if data is compromised, including notification steps.
- Ongoing monitoring and periodic review. The plan is living — review and update it as your practice and risks change.
How to Create Your WISP
You don't have to start from a blank page. The IRS and its Security Summit partners published a sample WISP template designed specifically for smaller tax firms — Publication 5708 — which walks through the sections and provides fill-in-the-blank structure. The practical steps:
- Start from the IRS sample template (Pub 5708).
- Inventory where client data lives — your software, devices, cloud storage, email, paper files.
- Document the safeguards you actually have (and close gaps you find, like enabling MFA or encryption).
- Assign the responsible person and write the incident-response steps.
- Train your team on it, then review it at least annually.
How Your Software Choices Help
A WISP is a plan, but it has to reflect reality — so the tools you use matter. Using systems that encrypt sensitive data, support strong access controls, collect documents through a secure portal instead of email, and keep an audit trail makes your safeguards easier to document and genuinely stronger. Choosing software with those protections built in does some of the WISP's work for you.
The Bottom Line
A WISP is a federal requirement for tax preparers, not a nice-to-have. Build one from the IRS Pub 5708 template, make sure your actual safeguards (MFA, encryption, secure document handling, vendor oversight, incident response) back it up, and review it every year. It protects your clients, your practice, and your standing with the IRS.