
Don’t Forget to Check Your WISP!

By Kathy Ploch, CPA-Houston


Before we get too buried in the 2023 tax returns, this is a reminder about data security and our responsibilities as practitioners to have a written information security plan (WISP) in place. I am sure many of you may have noticed when you renewed your PTIN that it asked you to attest that you had this written plan in place.


There are several provisions in Circular 230 that state what a practitioner’s obligation is when dealing with data security and confidential client information. It lists the penalties, both civil (IRC Section 6713) and criminal (IRC Section 7216), for unauthorized disclosure of taxpayer information. Also, legislation enacted in 1999 in the Gramm-Leach-Bliley Act gave the Federal Trade Commission (FTC) authority to prescribe regulations establishing requirements of data protection for professional tax return preparers.


Under Section 314.2(h)(2)(viii) of the Safeguards Rule in the Act, accountants and other firms in the business of completing income tax returns must implement safeguards, including a WISP, to protect the security, confidentiality and integrity of the information. In 2015, the IRS created a public-private partnership called the Security Summit that works to protect confidential taxpayer information. The Security Summit prepares resources and awareness campaigns to make planning easier.


Failure to maintain a WISP to fortify financial data may not only put clients at risk for identity theft and fraud, but it also exposes a practitioner to liability for violating the Safeguards Rule. The FTC can obtain penalties against a company that acted unfairly or deceptively through its Penalty Offense Authority (Section 5(m)(1)(B) of the FTC Act, 15 U.S.C. Section 45(m)(1)(B)). If a company receives this notice and still engages in prohibited practices, it can face civil penalties of up to $50,120 per violation. This maximum penalty is adjusted for inflation every January.


Listed below are various resources to assist you in complying with the WISP rules. Remember that this plan should be reviewed annually for any updates needed. The IRS also recommends that you contact your IRS Stakeholder Liaison and the FTC if you experience a data breach.


AICPA members, there are several resources and a template (Tax Section): Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule

IRS Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice

IRS Publication 5709, How to Create a Written Information Security Plan for Data Safety

IRS Publication 4557, Safeguarding Taxpayer Data: A Guide for Your Business

Federal Trade Commission

Penalties Under IRS Sections 7216 and 6713

