New cybersecurity threats come up every day, so every day accountants and financial advisors must be vigilant to keep their clients’ personal information secure. The IRS’s recent Written Information Security Plan (WISP) publication aims to make tax data security more accessible for financial planners and tax professionals at all levels. In this article, we will look at the contents of the WISP and how you can implement it in your business.
Why is a tax data security plan important?
First and foremost, a tax data security plan gives you and your clients peace of mind. It gives you an actionable plan to keep your clients’ sensitive information and identifying data secure, and it gives your clients the knowledge that their data is well protected. Having a security plan also gives you a basic level of legal protection in the event that you do suffer a data breach.
On top of this, the Gramm-Leach-Bliley Act (GLBA, 1999) made it mandatory for financial institutions, tax professionals, and accountants to have some form of tax data security plan to protect their clients’ and taxpayers’ financial and personal information from hackers. The exact form of the security plan depends on the size and complexity of the tax preparation service. Sole proprietor accounting professionals or tax preparers may only need a single page, while large firms may need a much longer document. The act states that a copy of this plan must be kept on file and made available for employees to read as part of training.
What does an IRS tax data security plan contain?
According to the IRS, a tax data security plan must contain the following:
● The individual(s) responsible for creating and maintaining the data security plan
● A risk analysis report for the level of risk to client data
● An inventory of all locations where personally identifiable information (PII) is stored. This could include files, hard drives, cloud storage, and more.
● A list of all data-related policies in place, including:
    - Data collection, retention, and disclosure
    - Authorized users and their access levels
    - Wi-Fi and remote access capabilities to company servers
    - Definition of a reportable incident
● Draft of the Employee Code of Conduct
This list is the bare bones of what the IRS requires; the IRS leaves the level of detail up to each company’s needs. This is where the WISP comes in. The IRS WISP template makes it easy for financial institutions to create the data security plan that is right for them.
What is in the WISP?
The WISP is designed to help financial institutions and financial service providers create a complete, legally compliant data security plan as easily as possible. It contains:
● A list of other considerations or attachments companies may want to include when compiling their own plan, with sample text for each:
    - Record Retention Policy
    - Rules of Behavior around Client PII
    - Security Breach Procedures and Notifications
    - Employee/Contractor acknowledgement of understanding
    - List of employees with access to PII
● A list of references and other resources from the IRS, FTC, FCC, and National Institute of Standards and Technology (NIST)
Don't stress; let us help you get it right the first time! Download our professionally generated WISP template with additional guidance at Stratous.io.