IRS Publication 4557: What Every Tax Preparer Needs to Know

If you prepare tax returns for clients, IRS Publication 4557 applies to you. It doesn't matter if you're a solo practitioner filing a few dozen returns or a 20-person CPA firm handling hundreds. The IRS requires every tax preparer to have a documented plan for protecting taxpayer data — and the consequences for not having one are no longer theoretical.

This guide breaks down what Publication 4557 actually requires, who it applies to, and what you need to do about it. No jargon, no scare tactics — just the information you need to get compliant and stay that way.

What Is IRS Publication 4557?

IRS Publication 4557, titled "Safeguarding Taxpayer Data," is the IRS's official guidance document for tax professionals on protecting client information. It translates the requirements of the FTC's Gramm-Leach-Bliley Act (GLBA) Safeguards Rule into practical steps that tax preparers can follow.

The publication covers three critical domains: employee management and training, information systems security, and detecting and responding to system failures. It's not a suggestion. It's the baseline standard the IRS and FTC use to evaluate whether your firm is meeting its legal obligations to protect client data.

Publication 4557 also cross-references two important frameworks: NIST SP 800-171 for protecting controlled unclassified information and the NIST Cybersecurity Framework 2.0 as the recommended risk management structure for tax practices of all sizes. You don't need to implement every NIST control on day one, but understanding that these frameworks inform the IRS's expectations helps you see where the bar is set.

Who Does It Apply To?

Every paid tax return preparer. Full stop.

There is no exemption based on firm size, revenue, or number of returns filed. If you file 11 or more federal returns annually, the FTC Safeguards Rule mandates that you maintain a written information security program. Even if you file fewer than 11, the IRS still expects you to follow the guidance in Publication 4557.

This applies to CPA firms, enrolled agents, tax attorneys, seasonal preparers, and anyone else who handles taxpayer information for compensation. The IRS has been clear: the obligation is universal.

The Written Information Security Plan (WISP)

At the center of Publication 4557 is the requirement to create and maintain a Written Information Security Plan — commonly referred to as a WISP. This is the document that outlines exactly how your firm protects client data, who is responsible for security, and what you do when something goes wrong.

The IRS required all tax preparers to have an updated WISP in place by the start of the 2026 filing season on January 27, 2026. If you don't have one yet, you're already behind — and you're exposed.

What a Compliant WISP Must Include

A WISP isn't a one-page policy statement you print and file away. It's a living document that must address several specific components:

Designated Security Coordinator. Your firm must name a specific individual responsible for overseeing the information security program. In a small firm, this is usually the owner. The point is accountability — someone's name is on it.

Risk Assessment. You need a documented evaluation of the threats your firm faces, both internal and external. This includes risks from employees, contractors, systems, and workflows. The risk assessment should identify where client data lives, how it moves through your practice, and where it's vulnerable.

Employee Training. Your staff must receive regular security awareness training. According to the Verizon Data Breach Investigations Report, 68% of breaches involve a human element. Phishing emails, weak passwords, and careless data handling are the most common attack vectors in small firms. Your WISP must document a real training program — not just a policy saying employees should be careful.

Access Controls. Only authorized personnel should have access to taxpayer data, and that access should be limited to what they need to do their job. This includes both physical access (who can get into the server room or filing cabinets) and digital access (who has login credentials to your tax software and document storage).

Incident Response Plan. When a breach or security event occurs, your firm needs a documented procedure for responding. This includes how you'll contain the incident, who you'll notify, how you'll investigate, and how you'll prevent recurrence. Maryland's Personal Information Protection Act (MD PIPA) also has its own breach notification requirements that layer on top of federal obligations.

Vendor Management. If you use third-party services — cloud storage, tax software, IT support, payroll processing — your WISP must document how you evaluate and monitor those vendors' security practices. You're responsible for ensuring that your service providers maintain safeguards equivalent to your own.

The IRS also published Publication 5708 as a sample WISP template specifically for tax professionals. It's a fill-in-the-blank starting point, but you must customize it to reflect your firm's actual environment, tools, vendors, and risk findings. An uncustomized template would not hold up during a regulatory review.

What Happens If You Don't Comply

The enforcement landscape has changed. The IRS and FTC are no longer treating WISP requirements as aspirational guidance. Firms without a compliant plan face real consequences:

PTIN Suspension. The IRS can suspend your Preparer Tax Identification Number, which effectively prevents you from filing returns for clients. No PTIN, no practice.

FTC Enforcement Actions. The FTC can pursue civil penalties under the Safeguards Rule. Fines can reach up to $100,000 per violation. For a small firm, a single enforcement action can be financially devastating.

Increased Liability After a Breach. If your firm suffers a data breach and you don't have a documented security program, your legal exposure increases dramatically. Affected clients can argue that you failed to meet your regulatory obligations, and the absence of a WISP makes that argument very easy to win.

State-Level Consequences. Maryland's PIPA requires breach notification to affected individuals and the state Attorney General. If your firm can't demonstrate that reasonable security measures were in place, the regulatory response will be significantly more severe.

The bottom line: the cost of compliance is a fraction of the cost of non-compliance.

The Threats Your Firm Actually Faces

Understanding Publication 4557's requirements is easier when you know what you're protecting against. CPA firms are high-value targets because of the data they hold — Social Security numbers, income records, bank account details, employer information, and prior-year return data. A single client file contains everything an identity thief needs.

Tax Season Phishing. During filing season, CPA firms see a spike in phishing emails impersonating the IRS, state revenue departments, tax software vendors, and even clients. These emails attempt to harvest credentials or deliver malware. The IRS has documented these schemes extensively and warns preparers annually.

W-2 and Refund Fraud. Criminals target CPA firms specifically to steal W-2 data and file fraudulent refund claims using client SSNs. A compromised email account at your firm can expose hundreds of clients before anyone notices.

Ransomware. Tax firms are attractive ransomware targets because they operate under strict deadlines. An attacker who encrypts your systems in March knows you'll pay almost anything to get back online before April 15.

Unencrypted Client Communications. Many firms still exchange tax documents — W-2s, 1099s, bank statements — via unencrypted email. One compromised inbox and every document in that thread is exposed. Secure client portals with encrypted file exchange eliminate this risk entirely.

Unprotected Devices. Staff accountants working from home or traveling to client sites carry laptops with years of client data. Without full-disk encryption, endpoint protection, and remote wipe capability, a lost or stolen laptop triggers breach notification for every client whose data was on that device.

How to Get Started

If you don't have a WISP yet, or if your current plan is a template you downloaded and never customized, here's the practical path forward:

Start with the risk assessment. Walk through your practice and identify where client data lives — on desktops, laptops, in email, in cloud storage, in your tax software, on paper. Document who has access to each location and what safeguards are currently in place. Be honest about the gaps.

Name your security coordinator. In most small firms, this is the managing partner or owner. Put their name in the document with a clear description of their responsibilities.

Document your current safeguards. What do you already have in place? Antivirus? Firewall? Password policies? Multi-factor authentication on your email and tax software? Write down what exists today — even if it's incomplete, it's your baseline.

Identify the gaps and prioritize. Compare what you have against what Publication 4557 requires. The gaps become your action items. Prioritize them by risk: encrypted email and endpoint protection before things like advanced threat monitoring.

Build the incident response plan. Document what you'll do if a breach occurs. Who do you call? How do you contain it? Who notifies affected clients? What's the timeline for notification under Maryland PIPA? Write it down before you need it.

Implement employee training. Set up regular security awareness training for all staff. Monthly phishing simulations and quarterly training sessions are the standard. Document every session — dates, topics, attendees.

Review your vendors. Make a list of every third-party service that touches client data. Verify that each vendor maintains appropriate security safeguards. Document your review process.

Review and update annually. A WISP isn't a one-time project. The IRS expects you to evaluate and adjust your security program based on ongoing monitoring, testing, and changes to your business environment. Put an annual review on your calendar.

You Don't Have to Do This Alone

Building a compliant WISP and implementing the security controls behind it is real work — but it doesn't have to fall entirely on your shoulders. Lewis IT works with CPA and accounting firms across Southern Maryland to build and maintain compliance-ready security programs that satisfy IRS Publication 4557, the FTC Safeguards Rule, and GLBA requirements.

We handle the technical implementation — encrypted email, secure client portals, endpoint protection, access controls, backup and recovery — and we build the documentation to prove it. Your WISP stays current, your staff gets trained, and when an examiner asks for your security plan, you hand them a living document instead of an excuse.

Ready to get compliant? Schedule a free consultation and we'll walk through where your firm stands today and what it takes to close the gaps — before anyone asks.

Jamie Larson