Remember a few weeks ago when I encouraged you to take advantage of the opportunity before tax season to get your Written Data Security Plan done? Here is a reminder.
Well, if you didn’t act then, now that tax season is in full swing, there’s no more time to put it on hold. As tax professionals, we have to have a written security plan in place to protect our clients’ data. As you’ve heard me say before, this isn’t a “nice to have”—it’s an IRS regulation that requires us to have a Written Data Security Plan in place.
If you didn’t know that, as a tax preparer, you are required by law to have a data security plan in place, you aren’t alone; many of us don’t have one. You can find the requirements here—and if you don’t have one in place, don’t wait until after tax season to do it. You never know when the IRS and the Federal Trade Commission might ask you to produce it!
There are six key steps you need to follow to create a Written Data Security Plan to keep you in compliance with the IRS rule. To keep the process manageable, I found it helpful to start with the first three steps, which I have outlined below as part of an “Assessment Phase”; then you can move on to how you will put any necessary safeguards in place.
Step 1: Include the names of all of your information security program managers. Undoubtedly, your firm has many systems, programs, and applications where you are storing and handling client data. You likely also have employees and perhaps third-party users who have access to your applications and interact with this data. Your Written Data Security Plan must address all of the above factors. Therefore, the first step in the process is to determine who will be the point person in your firm to learn about and coordinate your information security program. The initial task will be to make a list of everyone who has access to client data and other sensitive information so you can track and manage access.
Step 2: Identify and assess the risks to customer information. Once you know who has access to what information and where there are vulnerabilities in the systems you are using, you need to identify any weak points in your cybersecurity protocols and safeguards which may expose your clients and your firm to unnecessary risks. Consider each area of your firm’s operations where there is the potential for client data exposure and cybersecurity risks. Then make sure that all employees with access to your client data are adequately trained to safeguard it. See the FTC guidelines related to this requirement here.
Step 3: Evaluate risks and current safety measures. Next, evaluate the effectiveness of your current data safeguards in relation to the risks and threats which apply to your firm. Once you know where the risks are, it’s time to prioritize which information has the most data security risk potential and what kind of security protocols you need to shore up safety for your firm and your clients. From here, you are able to more easily create a data security plan that best fits your clients’ needs, limits your firm’s liability and risks, and keeps you in compliance with the IRS requirements for a Written Data Security Plan.
After you go through these steps, you will have enough information about potential gaps in your current data security program (you have one, right?) to create a plan that addresses and protects your data and to then implement and adjust the plan on an ongoing basis. You may need to engage a cybersecurity professional to help you put the technology and safeguards in place—but that’s part of our next three steps, which I will cover in a future article. For now, just focus on identifying where you have shortfalls so that you can then address them with—you guessed it—a Written Data Security Plan for your accounting and tax practice.
Get your Written Data Security Plan done pronto with help from Securex.
With tax season well underway, it’s time to get your Written Data Security Plan done, pronto! Make sure your clients’ information is secure by having a written security plan in place. Already have a plan? It’s important to have it reviewed and make needed adjustments to ensure you are adequately protecting your firm from an IRS issue and your clients from cybersecurity threats. There’s no need to sweat it out—we all have enough to do at this time of year. There are companies that can create a Written Data Security Plan for you.
I did the research for my own firm and found Securex. The security experts at Securex specialize in providing CPAs and tax preparers with comprehensive plans and vital supporting documentation so your firm can fulfill the IRS guidelines for written security plans and avoid costly fines for not following them. Remember, compliance isn’t only about what you do. It’s about what you can prove as well. Taking the steps above will also help you to avoid a potentially devastating data breach while enhancing the trust your clients have in you and your firm. It truly is a win-win-win!
Check out Securex and follow their simple process to get your complete plan done in less time than it takes to process many of your clients’ tax returns—they’ll get your firm into IRS compliance for this requirement, pronto!