Key Takeaways

  • Retention: 3 years for e-file signature authorizations (Form 8879), measured from the return's due date or filing date, whichever is later.
  • Data Security: All preparers must have a Written Information Security Plan (WISP).
  • Mandated by the FTC "Safeguards Rule" under the Gramm-Leach-Bliley Act.
  • Must protect taxpayer data with firewalls, encryption, and physical locks.
  • Data Breach: Report to IRS Stakeholder Liaison ASAP to secure EFIN/PTIN.
Last updated: January 2026

Data Security: The WISP Requirement

Why This Matters for the Exam

Data security is a growing emphasis on the EA exam because identity theft and data breaches are significant risks for tax preparers. The exam tests your knowledge of the WISP (Written Information Security Plan) requirement, retention periods, and what to do in case of a breach.

The IRS Publication 4557 ("Safeguarding Taxpayer Data") is the primary reference for this topic.

The WISP (Written Information Security Plan)

WISP - A written plan that documents how a tax preparer protects taxpayer information from unauthorized access, use, or disclosure.

Legal Foundation

The WISP requirement comes from the FTC Safeguards Rule, which implements the Gramm-Leach-Bliley Act (GLBA). The GLBA applies to all financial institutions, including tax preparers, because they handle sensitive financial information.

Who Must Have a WISP?

  • All professional tax return preparers (whether they e-file or paper file).
  • Solo practitioners, small firms, and large corporate preparers alike.

Exemptions: None. Even if you prepare only one return per year, you must have a WISP if you are paid to prepare returns.

WISP Requirements

A compliant WISP must include the following elements:

1. Designate a Security Officer

One individual must be responsible for overseeing the WISP. For a solo practitioner, this is the practitioner themselves. For a firm, it's typically a partner or manager.

Responsibilities:

  • Implementing the security plan.
  • Training staff on security protocols.
  • Monitoring compliance.

2. Identify Risks

The plan must document potential risks to taxpayer data, such as:

  • Physical risks: Theft of paper files, unlocked file cabinets.
  • Electronic risks: Hacking, malware, unencrypted email.
  • Human risks: Employee error, social engineering attacks.

3. Implement Safeguards

The plan must detail specific safeguards to mitigate identified risks:

  • Physical Safeguards: Locked file cabinets, restricted office access, shredding of paper documents.
  • Electronic Safeguards:
    • Encryption of taxpayer data (both at rest and in transit).
    • Firewalls and antivirus software.
    • Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) for all systems.
    • Regular software updates and patches.
  • Administrative Safeguards:
    • Background checks for employees with access to taxpayer data.
    • Confidentiality agreements for all staff.
    • Secure disposal of data (shredding, wiping hard drives).

2024-2026 Emphasis: The IRS has increasingly emphasized MFA/2FA as a critical safeguard. Exam questions may focus on whether specific authentication methods meet IRS standards.

4. Monitor Effectiveness

The plan must include procedures for regularly testing and updating the security measures. This includes:

  • Annual security audits.
  • Monitoring for suspicious activity (e.g., unauthorized login attempts).
  • Updating the WISP when new risks emerge (e.g., new types of cyber attacks).

Record Retention

Document                | Retention Period | Notes
Form 8879               | 3 Years          | From due date or filing date, whichever is later
Tax Return Copy         | 3 Years          | Must be available to client on request
W-2 / 1099              | 3 Years          | Or until statute of limitations expires
Employment Tax Records  | 4 Years          | Payroll records (if applicable)

Note: The 3-year retention period aligns with the IRS's statute of limitations for assessment (IRC §6501).

Data Breach Response

If a tax preparer suffers a data breach (e.g., hacking, stolen laptop), they must take immediate action:

Step 1: Contact the IRS Stakeholder Liaison

The preparer must contact the IRS Stakeholder Liaison in their state as soon as possible. The Liaison will:

  • Help secure the preparer's EFIN and PTIN.
  • Stop fraudulent returns from being filed using stolen data.
  • Provide guidance on next steps.

How to Find Your Liaison: Visit IRS.gov and search for "Stakeholder Liaison" + your state.

Step 2: Notify Affected Clients

The preparer must notify all clients whose data may have been compromised. This notification should include:

  • What happened (nature of the breach).
  • What data was affected (SSNs, bank account numbers, etc.).
  • What the preparer is doing to address it.
  • What clients should do (e.g., monitor credit reports, file IRS Form 14039 for identity theft protection).

Step 3: Report to Law Enforcement

The preparer should file a report with local law enforcement and the FBI's Internet Crime Complaint Center (IC3).

Step 4: Review and Update the WISP

After a breach, the preparer must review the WISP and update it to prevent future incidents.

On the Exam

Expect 2-3 questions on data security, typically:

  1. WISP Questions: "What federal rule requires tax preparers to have a Written Information Security Plan?"
  2. Breach Response: "If a tax preparer suffers a data breach, who should they contact first?"
  3. Retention: "How long must an ERO retain Form 8879?"

Key takeaway: All preparers need a WISP (FTC Safeguards Rule), retain Form 8879 for 3 years, and contact the IRS Stakeholder Liaison if there's a breach.

Test Your Knowledge

Which federal rule requires tax preparers to have a Written Information Security Plan (WISP)?

If a tax preparer suffers a data breach, who should they contact first?
