Does Your CPA Firm Have an Adequate Information Security Plan?


To combat the seemingly never-ending stream of data security breaches, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires CPA firms to protect the information they collect from clients. Firms must do so by implementing a written information security plan that details how the firm is equipped to protect its clients’ personal information.

Recently, the IRS initiated the Protect Your Clients; Protect Yourself campaign to educate and inform tax professionals about their responsibilities for compliance. While the IRS has issued publications that include details and security recommendations as well as requirements, navigating this information can be difficult.

Creating a Detailed Information Security Plan is Vital for Your Firm

Without a detailed written information security plan, your firm runs the risk of being non-compliant with IRS rules and regulations regarding the protection of client information from theft. Security of client data is a focal point for CPA firms because, as tax professionals, you have access to sensitive client information. According to Statista, there were 1,473 data breaches in 2019, exposing 164.68 million records to cyber thieves. Because of the client data you are privy to, you may be targeted by sophisticated cybercriminals.

Protecting Your Clients and Protecting Your Firm

The government’s Protect Your Clients; Protect Yourself campaign was initiated to raise your awareness of CPA firms’ requirements and responsibilities with regard to client data and to inform you of the steps to be taken to protect your clients and yourselves.

Suggested mitigation techniques include:

  • Protecting email accounts with strong passwords
  • Implementing two-factor authentication
  • Utilizing anti-phishing security tools
  • Implementing a written information security plan

A review of the information contained in the IRS campaign will also remind you that as a CPA firm you have a responsibility under the Gramm-Leach-Bliley Act (GLBA) to implement a written security plan to protect sensitive client data. Noncompliance with the GLBA can result in a Federal Trade Commission investigation. According to an article in CPA Practice Advisor, IRS Commissioner Chuck Rettig explained, “Protecting taxpayer data is not only a good business practice, it’s the law for professional tax preparers.” Rettig continued, “Creating and putting into action a written data security plan is critical to protecting your clients and protecting your business.”

Changes to Tax Preparation Guidelines

In addition to the recent IRS campaign, the IRS added a section to the renewal of preparer tax identification numbers requiring you, as a tax professional, to check a box confirming your awareness of the responsibility to have a written information security plan and to proactively implement procedures to protect all taxpayer information. In other words, you are now required to certify your awareness of this regulation when applying for the renewal of your preparer tax identification number. A summary of the campaign and links to the accompanying IRS Publication 4557 are available on the IRS website.

Defining a Written Security Plan

A written security plan template can be found on the AICPA Tax website, but there are additional data security responsibilities to consider when you are crafting a written information security plan. For example, the written plan must relate adequately to the size of your CPA firm, the nature and scope of your business and the type of sensitive information handled.

As part of each written plan, your CPA firm must designate one or more employees to perform a variety of functions, including:

  • Coordinating the program
  • Continuously identifying and assessing risks
  • Evaluating the efficacy of your current protective measures
  • Designing and implementing safeguards
  • Monitoring and testing your internal safeguards
  • Selecting a service provider to maintain the safeguards set forth in the plan
  • Adjusting the plan as time passes and situations evolve

As a tax professional you must also comply with other rules and regulations: Sec. 7216, which prohibits you from knowingly or recklessly disclosing or using tax return information; Treasury Circular No. 230, which requires you to exercise due diligence in preparing returns; the requirement to publish your privacy statement on your website; and any other applicable privacy requirements, such as those covering health-related information.

Let the Infiniwiz Team Reduce Risk for Your CPA Firm

Cybercriminals continue to hone their techniques, creating new and unique ways to gain access to sensitive client data stored by CPA firms. As an experienced managed IT and cybersecurity firm based in Chicago, Illinois, the team at Infiniwiz understands that a proactive approach is necessary to establish compliance with IRS regulations for written information security plans and to implement mitigation tactics that protect your clients’ sensitive information. If your CPA firm needs to prepare a written information security plan or is struggling to navigate the recommended standards, we will take on the work so you can get down to business.

Our team will assist you by taking proactive steps to protect sensitive client information, implementing strategies designed to thwart cyber theft. Contact the Infiniwiz team at (847) 350-7652 or visit our website to learn more about our recommended written information security plans and accompanying data security processes.