
Applying the Updated WISP Requirements

The requirement for tax preparation firms to have a written information security plan, or WISP, is not new. The requirement arose from the Gramm-Leach-Bliley Act (GLBA), enacted 25 years ago. The GLBA assigned enforcement responsibility to the Federal Trade Commission (FTC). In the intervening years, we’ve seen big improvements in computer security, but sadly, also more attempts by criminals to steal taxpayers’ personally identifiable information (PII).

The GLBA designated tax professionals as financial institutions. It gave the same responsibilities to small tax practices as to large banks, although banks realistically have much more complex security needs.

The New Version of IRS Pub. 5708

In August, the IRS released an update to Publication 5708, Creating a Written Information Security Plan for your Tax & Accounting Practice. In News Release IR-24-208, the IRS notified tax professionals of two significant changes.

  1. A requirement to implement multi-factor authentication
  2. The need to report any “security event” that affects 500 or more people

Multi-Factor Authentication (MFA)

With the new 2024 WISP, MFA is required for access as defined by 15 USC § 6805 and 16 CFR § 314.4(c.5). This regulation requires MFA for anyone accessing any information system. An exception is allowed only if a tax practice’s data security coordinator (DSC) signs a written exception, and that exception must be based on the firm providing an equivalent access control.

In contrast, the 2022 WISP required 2-factor authentication (2FA) only for remote access.

What is MFA?

MFA is an authentication scheme that requires at least one additional factor to verify a user’s identity before granting access to a system. In addition to their password, the user may be required to present one of the following.

  • A possession factor, which shows the user holds an object that verifies their identity, such as a six-digit code from an authenticator app or hardware token
  • A knowledge factor, for instance, a password
  • An inherence factor, a personal characteristic with which one is born, such as a fingerprint. Facial recognition scans, voice recognition scans, or retina scans are also examples of inherence factors.

A 2FA system is a type of MFA. More than two factors can provide additional security, which entails additional costs. And the costs extend beyond the authentication itself, as each authentication system brings its own costs for its management and maintenance. For example, if a user leaves their authentication device at home, a system administrator may need to arrange temporary access.

Different MFA implementations

Tax practices have several alternatives for satisfying the MFA requirement. If they use Microsoft Windows, tax practitioners can implement smartphone authenticator applications that generate security codes required for computer access. Alternatively, they can implement an MFA security key to regulate access to a computer. These security keys interact with a tax practitioner’s computer through one of the computer’s USB ports. Security keys can also connect over near-field communication (NFC) if the computer supports it, as many smartphones do.
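As an added illustration (not part of the original post, and not the IRS’s or any vendor’s code), the following shows how the six-digit code produced by a smartphone authenticator app is generated and checked on the server side. It follows the standard time-based one-time password algorithm (RFC 6238 TOTP over RFC 4226 HOTP with HMAC-SHA1). The demo secret is the RFC test-vector seed rather than a real enrollment secret, and the `TotpVerifier` class, its one-step tolerance window and its replay check are assumptions made for this example.

```python
import hmac
import hashlib
import struct

# Constructed demo secret: the RFC 4226/6238 test-vector seed (ASCII "12345678901234567890").
# Assumption: a real deployment generates a random secret per user at enrollment.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # TOTP time step used by common authenticator apps
DIGITS = 6          # length of the code the user types


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, at_time // step)


class TotpVerifier:
    """Server-side check for one enrolled user (assumed design, not from the publication).

    Accepts the code for the current step plus `window` steps on either side to tolerate
    clock skew, and refuses to accept any code at or before the last accepted step so a
    code that was already used (or observed) cannot be replayed.
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_accepted_counter = -1

    def verify(self, submitted: str, at_time: int) -> bool:
        # Reject anything that is not exactly DIGITS decimal digits before doing any crypto.
        if not (submitted.isdigit() and len(submitted) == DIGITS):
            return False
        counter = at_time // STEP_SECONDS
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_accepted_counter:
                continue  # replay protection: this step was already consumed
            # Constant-time comparison so the check does not leak which digits matched.
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET)
    print("code at t=59:", totp(DEMO_SECRET, 59))           # 287082 per the RFC test vectors
    print("first use accepted:", verifier.verify("287082", 59))
    print("replay rejected:", verifier.verify("287082", 59))
```

The replay check matters in practice: a code that a user has just typed into a phishing page is still valid for the rest of its 30-second step, so a verifier that only compares values would accept it a second time. Tracking the last accepted step closes that gap without changing what the user experiences.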

Although these practices may require some planning to implement, they make it much harder for hackers to infiltrate a small tax practice’s systems.

Although the previous version of Pub. 5708 mentioned 2FA only as a requirement for remote access, tax practitioners should take it seriously now if they haven’t yet. It can significantly lessen the worry of a tax practice’s systems being hacked, and it is worth the sleep it saves. The new WISP cites a federal regulation as the authority that requires tax professionals to implement MFA.

Security Events Trigger More Notifications

Security events are what MFA is intended to prevent: a hacker compromising a tax practice’s client information. The new WISP adopts the term “security event,” a minor change in terminology. More importantly, though, a security event now must be reported to the FTC if 500 or more people are affected because their information was acquired. Merely being able to access an encryption key is enough to presume that the customer data it protects has been exposed in unencrypted form. The FTC need not prove that the hostile actor has acquired the data. Instead, a security event is presumed unless a tax practitioner can prove that the customer data could not reasonably have been acquired.

If anyone associated with the tax practice learns that a security event occurred, the tax practice’s data security coordinator (DSC) must notify the FTC within 30 days. This requirement includes outside agents or employees who may discover that an unauthorized person has acquired unencrypted customer information. Thus, all employees and vendors should be required to notify the tax practice’s principals immediately if they discover the theft of data or the compromise of an encryption key.

The 2024 WISP continues to require tax practitioners to notify the following agencies and groups.

  • Their IRS Stakeholder Liaison
  • State tax agencies
  • The IRS Internet Crime Compliance Center
  • Local law enforcement agencies
  • Tax software providers
  • Liability insurance carriers
  • Legal counsel
  • Victims of data theft

The previous version of Publication 5708, issued in 2022, required “reportable events” to be reported to the IRS stakeholder liaison and the FTC if 500 or more people were affected. The 2024 WISP incorporated more specific language in the FTC Safeguards Rule. The language introduced the presumption of unauthorized customer data access even if only an encryption key has been compromised.

Frequency of Password Change 

A cursory look at the new document provided one additional surprise. The previous version of the WISP required password changes every 90 days. The latest version requires a change at least every 365 days. However, it makes sense to change passwords more often than that.

Conclusion

These requirements aren’t just about interacting with federal agencies but also about interacting with insurance companies, which may require a copy of a tax practice’s WISP as a condition of offering insurance. Unsurprisingly, complying with these requirements drives up the cost of preparing tax returns. The cost to maintain the system may not directly affect the costs a tax practice incurs to prepare a tax return. Nevertheless, tax practices must incur these indirect costs because they are dramatically less than the indirect costs of a data breach, which could threaten a firm’s survival.

By John W. Richmann, EA, MBA
Tax Materials Specialist, U of I Tax School

Disclaimer: The information referenced in Tax School’s blog is accurate at the date of publication. You may contact taxschool@illinois.edu if you have more up-to-date, supported information and we will create an addendum.

University of Illinois Tax School is not responsible for any errors or omissions, or for the results obtained from the use of this information. All information in this site is provided “as is”, with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information. This blog and the information contained herein does not constitute tax client advice.
