PROFESSIONAL RESPONSIBILITY AND DATA SECURITY: PRACTITIONERS’ OBLIGATION TO HAVE A WRITTEN INFORMATION SECURITY PLAN

Note: NSTP will be providing a workshop on developing a WISP during the Grand Event in Las Vegas, January 3 – 5, 2024.

To fulfill their professional obligations, practitioners—attorneys, certified public accountants, enrolled agents, and tax return preparers who participate in the Internal Revenue Service’s Annual Filing Season Program—must comply with Circular 230, Regulations Governing Practice before the Internal Revenue Service (31 CFR Subtitle A, Part 10), which is administered and enforced by the IRS’s Office of Professional Responsibility (OPR).

Several provisions of Circular 230 implicate a practitioner’s obligations when dealing with data security and confidential client information. These provisions complement not only the privacy and penalty provisions of the Internal Revenue Code—including the penalties in IRC 6713 (civil) and IRC 7216 (criminal) for unauthorized disclosure of taxpayer information—but also nontax legislation enacted in 1999 that gave the Federal Trade Commission (FTC) authority to prescribe regulations establishing requirements of data safeguarding for various businesses including professional tax return preparers. This article discusses how the FTC’s implementing regulations and complementary guidance issued by the IRS affect the duties and restrictions imposed on tax practitioners by Circular 230.

Gramm-Leach-Bliley Act and the FTC’s Safeguards Rule

Under the Financial Services Modernization Act of 1999, more commonly called the Gramm-Leach-Bliley Act, financial institutions—companies that offer consumers financial products or services like loans, financial or investment advice, or insurance—must comply with the FTC’s Standards for Safeguarding Customer Information (the so-called Safeguards Rule). Accountants and other firms in the business of completing income tax returns are defined as covered financial institutions in section 314.2(h)(2)(viii) of the Safeguards Rule.[2] Accordingly, they must implement safeguards, including a “written information security plan” (WISP), to protect the security, confidentiality, and integrity of information. See 16 C.F.R. Part 314 (2002). The Safeguards Rule also elaborates that companies covered by the rule are responsible for taking steps to ensure that their affiliates and service providers also safeguard customer information in their care.

WISP: Practical Guidance for Safeguarding Confidential Taxpayer Information

To protect the tax system from tax-related identity theft and fraud, in 2015, the IRS created a public-private partnership that works to safeguard confidential taxpayer information. The IRS Security Summit consists of the IRS, state tax agencies, and the commercial tax community, including tax preparation firms, software developers, payroll and tax financial product processors, tax professional organizations, and financial institutions. (Total membership is the IRS, 42 state agencies, and 20 industry organizations.). In furthering the FTC’s Safeguards Rule, the Security Summit continually reminds tax professionals to establish and maintain an up-to-date Written Information Security Plan or WISP. To assist tax professionals, the Security Summit prepared a document providing guidance on creating a WISP along with a sample template, which the IRS published as Publication 5708. The 28-page, easy-to-understand document was developed by and for tax and industry professionals to keep customer and business information safe and secure. The sample template is designed to help tax professionals, especially smaller practices, make data security planning easier.

A related IRS document, Publication 4557, Safeguarding Taxpayer Data: A Guide for Your Business, seeks to help tax professionals understand basic security steps and how to take them, recognize the signs of data theft and how to report data theft, respond and recover from a data loss, and understand and comply with the FTC Safeguards Rule.

Data Security Protocols

A good WISP should identify the risks of data loss for the types of information handled by a firm or company and focus on employee management and training, information systems, and detecting and managing system failures. There is no static, “one-size-fits-all” solution to tax practitioners’ data security challenges. Rather, a security plan should be scaled to the business’s size, scope of activities, complexity, and the sensitivity of the customer data it handles and should be updated as business or technology changes dictate.

Federal law, enforced by the FTC, requires tax preparers to create and maintain a written data security plan. Having a WISP protects businesses and their clients while providing a blueprint for action in the event of a security incident. In addition, a WISP can help if other events seriously disrupt a tax professional’s ability to conduct normal business, including fire, flood, tornado, earthquake, and theft.

Failure to maintain a WISP to protect private financial information may not only put clients at risk for identity theft and fraud, it may also expose a practitioner to liability for violating the Safeguards Rule and the terms of their malpractice insurance coverage. In addition, it could subject a practitioner, in circumstances of willfulness, to discipline under Circular 230. Given section 10.35’s competence requirement and the obligation imposed by section 10.36 to have procedures in place to ensure compliance with Circular 230 by everyone involved in a tax practice, we encourage practitioners to pay heed to the requirement to adopt a WISP and implement appropriate data security programs.