Continuously Implement Robust WISPs to Protect Sensitive Tax Data, Ensure Compliance, and Safeguard Financial Integrity

We keep your IRS Written Information Security Plans (WISPs) consistently aligned with evolving regulations. Our approach treats your WISP as a “Living Document,” meaning it is:

• Continuously Evolving: Regularly updated to reflect the latest requirements, best practices, and annual changes.
• Evergreen: Always reviewed and revised, ensuring compliance for both sole practitioners and large national tax preparer firms.
• Always Current: You can trust you’re following the most recent guidelines for safeguarding taxpayer data.

“This Living Document is continually updated to incorporate the latest insights, annual modifications, and best practices, ensuring it remains an evergreen resource.”

Below is an overview of the key continuous update requirements for Authorized IRS e-file Providers:

1. Extended Validation SSL Certificate

Ensure your website uses a valid Extended Validation (EV) SSL certificate with TLS 1.2 or later and 2048-bit RSA/128-bit AES encryption. This encrypts taxpayer data and secures online transactions.

2. Weekly External Vulnerability Scans

Contract a PCI SSC-certified vendor for weekly scans of all system components (networks, servers, applications). Promptly address any vulnerabilities and maintain scan reports for at least a year. Remember:

• Hosting vendors must also meet PCI DSS standards.
• Scanning vendors and hosts must be U.S.-based.

3. Information Privacy and Safeguard Policies

Establish a written privacy and safeguard policy, including the statement:

“We maintain physical, electronic, and procedural safeguards that comply with applicable law and federal standards.”

Validation by an IRS-approved privacy seal vendor is required to ensure compliance.

4. Protection Against Fraudulent Bulk Filings

Implement technologies to prevent the bulk filing of fraudulent returns. Collect, process, or store taxpayer data only through secure, compliant systems.

5. Public Domain Name Registration

Register your domain name via a U.S.-based, ICANN-accredited registrar. Keep domains locked and avoid private registrations to maintain transparency and accountability.

6. Reporting of Security Incidents

Report security incidents (breaches or unauthorized data access) to the IRS immediately—no later than the next business day. Suspend collecting taxpayer data from affected websites until the incident is resolved, following the Data Theft Information for Tax Professionals guidelines.

Continuously Updating Your WISP with Authoritative Sources

We integrate guidance from the following IRS and FTC publications to ensure your WISP remains current:

• IRS Publication 1345 – Authorized IRS e-file Providers of Individual Income Tax Returns
• IRS Publication 4557 – Safeguarding Taxpayer Data
• IRS Publication 5078 – Assurance Testing System (ATS) Guidelines for Modernized e-File (MeF)
• IRS Publication 5293 – Protect Your Clients; Protect Yourself
• IRS Publication 5417 – Basic Security Plan Considerations for Tax Professionals
• IRS Publication 5709 – WISP Summary
• IRS Publication 5708 – WISP Sample Plan
• FTC Data Breach Response Guide (PDF)
• FTC on Privacy
• FTC GLBA (Gramm-Leach-Bliley Act)

Since you used our WISP services last year, we encourage you to continue with us to maintain an evergreen, continuously evolving, and always current plan. Protecting taxpayer data and staying compliant has never been easier—contact your Company today to keep your WISP aligned with the latest IRS and FTC standards.