Written Information Security Plan

Legal Requirement for WISP

The Gramm-Leach-Bliley Act (GLBA) and the FTC’s Safeguards Rule require financial institutions, including tax professionals, to implement a WISP to protect client information.

Essential Components of a WISP

An effective WISP must address physical, technical, and administrative safeguards to protect confidential information.

Recent Updates to WISP Requirements

Recent updates include mandatory multi-factor authentication and the requirement to report security incidents affecting 500 or more individuals to the FTC within 30 days of discovery.

Consequences of Not Having a WISP

Failure to maintain a WISP can result in fines up to $100,000, loss of professional licenses, and potential imprisonment, along with reputational damage and loss of client trust.

In today’s digital landscape, safeguarding clients’ confidential information is paramount for tax and accounting professionals. The growing threats of identity theft and tax fraud have prompted the Internal Revenue Service (IRS) and the Federal Trade Commission (FTC) to strengthen regulations mandating the implementation of a Written Information Security Plan (WISP). This blog explores the importance of WISP, the legal requirements associated with it, and how professionals can comply with these obligations to protect client data and maintain trust in their services.

Legal Requirement for WISP:

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to safeguard client information. The FTC’s Safeguards Rule outlines the specific measures they must take, including the creation and maintenance of a WISP. Tax and accounting professionals, regardless of business size, are classified as financial institutions under this law and must comply with these requirements.

According to the IRS, in 2022 alone, over $5.7 billion in tax fraud losses were reported due to data breaches and identity theft incidents. Firms without a proper WISP were found to be 60% more vulnerable to cyberattacks.

In 2021, a mid-sized tax firm suffered a data breach that exposed the personal information of over 8,000 clients. Due to non-compliance with WISP requirements, the firm faced regulatory fines exceeding $150,000 and irreparable damage to its reputation. Implementing a robust WISP post-breach helped the firm regain compliance and client trust.

Key Terms:

  • Personally Identifiable Information (PII): Any data that can be used to identify an individual, such as Social Security numbers, addresses, and financial records.

  • Safeguards Rule: A regulation under the GLBA that mandates security measures for protecting customer information.

  • Data Encryption: The process of converting readable data into ciphertext that can only be read by someone holding the corresponding decryption key, so that stolen files or intercepted traffic are useless to an attacker. Client data should be encrypted both at rest (on disks and backups) and in transit (over networks).

Essential Components of a WISP:

A comprehensive WISP should include:

  • Physical safeguards: Protection against physical threats, such as unauthorized access to office spaces and devices.

  • Technical safeguards: Implementation of security measures like firewalls, data encryption, and multi-factor authentication to protect networks and systems.

  • Administrative safeguards: Development of policies and procedures, employee training, and risk management strategies to ensure information security.

Recent Updates to WISP Requirements:

Recent regulatory updates include:

  • Multi-factor authentication: Required for all individuals accessing information systems unless an authorized individual approves alternative security controls in writing.

  • Breach notification: Organizations must report security incidents affecting 500 or more individuals to the FTC as soon as possible, and no later than 30 days after discovery.

Consequences of Not Having a WISP:

  • Fines up to $100,000, loss of professional licenses, and potential imprisonment.

  • Increased vulnerability to cyberattacks and data breaches.

  • Loss of client trust and harm to professional reputation.

Frequently Asked Questions (FAQ):

What is a Written Information Security Plan (WISP)?

A Written Information Security Plan (WISP) is a document outlining an organization’s policies and procedures for protecting confidential client information against threats and unauthorized access.

Who is required to have a WISP?

Under the Gramm-Leach-Bliley Act and the FTC’s Safeguards Rule, all financial institutions, including tax and accounting professionals, must implement and maintain a WISP.

What should a WISP include?

A WISP should include physical, technical, and administrative safeguards, such as facility access control, cybersecurity measures (firewalls, encryption, multi-factor authentication), and employee training programs.

What happens if a firm does not implement a WISP?

Failure to implement a WISP can result in legal penalties, fines, loss of professional licenses, increased risk of data breaches, and loss of client trust.

How do I create a compliant WISP?

It is recommended to use IRS resources such as Publication 5708 to structure a compliant WISP and to seek professional guidance from cybersecurity and legal experts.

How does a WISP differ from ISO 27001?

While both WISP and ISO 27001 focus on information security, WISP is a U.S.-specific compliance requirement under the GLBA and FTC Safeguards Rule, primarily targeting financial institutions. ISO 27001, on the other hand, is an internationally recognized standard for information security management systems (ISMS), applicable across industries. ISO 27001 provides a broader framework for risk management and continuous improvement, whereas WISP is more prescriptive and compliance-driven.

As regulatory requirements tighten and cyber threats increase, tax professionals must prioritize data security by implementing a robust Written Information Security Plan (WISP). Compliance with IRS and FTC regulations not only ensures legal adherence but also protects client information and upholds professional integrity. The time to act is now—secure your business, safeguard your clients, and stay ahead of evolving cybersecurity risks.

“The price of inaction is far greater than the cost of making a mistake.” – Meister Eckhart

Are you prepared to meet IRS and FTC compliance requirements? Don’t wait until it’s too late—implement your WISP today! Contact Conexpro to learn how we can help you develop a tailored security plan for your business.
