IRS Data Security Requirements for Tax Preparers
by Jon Lober | NOC Technology
Tax preparers handle some of the most sensitive financial data that exists: Social Security numbers, bank account details, employer records, and years of income history. Federal law recognizes that, which is why every preparer, from solo practitioners to multi-office CPA firms, must meet specific security requirements to protect that data.
The IRS and FTC have laid out clear expectations, and the consequences for falling short have grown substantially. Whether you operate out of a home office in Washington, MO or a firm in downtown St. Louis, the same core requirements apply. This guide explains exactly what those requirements are and how to meet them.
The Legal Framework: Where These Requirements Come From
Tax preparers operate under two overlapping regulatory frameworks that create distinct but related obligations.
The FTC Safeguards Rule, issued under the Gramm-Leach-Bliley Act, applies to "financial institutions" as that law defines them, a category that, as IRS Publication 4557 points out, includes professional tax return preparers, down to seasonal solo practitioners. The rule requires you to develop, implement, and maintain a comprehensive written information security program.
Simultaneously, the IRS enforces its own requirements through IRC Sections 6713 and 7216. Section 7216 makes knowing or reckless disclosure or use of taxpayer information a misdemeanor, punishable by a fine of up to $1,000, up to one year of imprisonment, or both. Section 6713 imposes a civil penalty of $250 per disclosure or use, capped at $10,000 per calendar year; when the disclosure or use is connected to identity theft, the penalty rises to $1,000 per violation with a $50,000 annual maximum.
The IRS publishes practical guidance through Publication 4557 (Safeguarding Taxpayer Data). If you haven't read it recently, it's available on IRS.gov and was updated for 2026 with a detailed compliance checklist.
The Security Six: Mandatory Technical Controls
The IRS has distilled its technical requirements into six fundamental security measures. These are minimum standards expected of every practitioner.
Antivirus and anti-malware software must be installed, set to update automatically, and actually running on every device that accesses client data: workstations, laptops, and any mobile devices used for work. Publication 4557 does not prescribe a product tier, but business-class endpoint protection with centralized management is what lets you show that every device is covered and current; with consumer-grade antivirus you have no way to prove that for a fleet, even a fleet of three laptops.
Firewall protection must be configured for business use, monitoring both incoming and outgoing traffic with logging enabled so that you can reconstruct what happened after an incident. A consumer router running its defaults, with no logging and the host firewalls on each PC left unchecked, does not give you that.
Multi-factor authentication (MFA) is now mandatory for all accounts that access taxpayer information—your tax software, email, cloud storage, and remote access systems. Password-only authentication no longer meets the standard.
Data backup systems must follow the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored offsite. Backups must be encrypted and regularly tested with actual restores.
Drive encryption should be active on every laptop and workstation that processes or stores client information. BitLocker for Windows and FileVault for Mac are built in, but they must be switched on, verified as fully encrypted with protection enabled, and have their recovery keys escrowed somewhere other than the device itself. A laptop lost while encryption is suspended or still in progress is effectively unencrypted.
VPN is required for any remote access to your office network or cloud systems. If you or your staff work from home or access systems while traveling, an encrypted VPN connection is mandatory.
The Written Information Security Plan (WISP): Required Documentation
Having the Security Six in place isn't enough on its own. You must document your security program in a Written Information Security Plan (WISP). The FTC Safeguards Rule specifically requires this documentation, and the IRS reinforces it through Publication 4557. Publication 5708 provides a WISP template to help smaller practices get started.
A compliant WISP must cover: the types of customer information you collect and where it's stored; a designated "qualified individual" responsible for your security program; a risk assessment that identifies foreseeable threats; employee management and training requirements; and an incident response plan that details exactly what happens if a breach occurs.
The WISP is an evergreen document; it must be reviewed and updated at least annually, or whenever significant changes occur in your practice.
EFIN Security: Protecting Your Filing Credentials
Your Electronic Filing Identification Number (EFIN) is your authorization to submit returns electronically. If a criminal gains access to your EFIN, they can file fraudulent returns under your credentials, affecting hundreds of taxpayers and your professional standing.
EFIN credentials must never be shared or stored in plain text. Access to your IRS e-Services account must be protected by MFA, and you should check your EFIN status page in e-Services regularly (the IRS recommends weekly) and compare the number of returns it shows against the returns your practice actually submitted; a higher count means someone else is filing under your EFIN, and you should contact the IRS e-help desk immediately. If you use third-party service providers who submit returns on your behalf, you're still responsible for ensuring they meet security requirements.
Cloud Software and Remote Access
Many tax preparers have moved to cloud-based platforms from vendors such as Intuit or Drake. Using cloud software doesn't make you compliant by itself: the vendor secures its servers, but you still need to implement the Security Six on every device and account that reaches those services, and the client data you download, print, or email remains yours to protect.
For Missouri CPAs who serve clients across the St. Louis region, mobile access while visiting client sites is common. That means laptops with full-disk encryption, VPN connections back to your secure network, and never accessing client data over unsecured public Wi-Fi.
The Cost of Non-Compliance
Penalties have grown substantially in recent years. The FTC's civil penalty for rule violations is adjusted for inflation every year (it was $46,517 per violation per day in 2022 and is higher now) and applies to ongoing Safeguards Rule non-compliance. The IRS can sanction or revoke your EFIN for failing to meet its e-file provider requirements, which effectively ends your ability to file returns electronically until you demonstrate compliance, and the PTIN renewal process now requires you to confirm that you are aware of your obligation to maintain a data security plan.
A data breach carries its own cascade of costs: forensic investigation, legal fees, client notification, credit monitoring services, regulatory fines, and long-term damage to client retention. Industry analyses estimate a typical preparer breach costs between $150,000 and $750,000 for a small practice.
Practical Steps to Get to Compliance
Start by downloading IRS Publication 4557 and Publication 5708 from IRS.gov. These are your roadmaps. Then audit your current state against the Security Six: business-class antivirus on every device, MFA on all accounts, full-disk encryption active on laptops, backups following the 3-2-1 rule.
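A practitioner auditing the Security Six on a Windows workstation can script the device-side checks rather than eyeballing each settings page. The following PowerShell audit is an added example written for this guide; it is not IRS-provided code and is not part of Publication 4557. It assumes Windows 10 or 11 with the built-in Defender, NetSecurity, BitLocker and VpnClient PowerShell modules. The backup-marker path, the three-day signature-age threshold and the evidence file name are hypothetical placeholders to adjust for your environment, and MFA is reported as a manual item because it is enforced by each cloud service and tax application, not by the workstation.

```powershell
#Requires -RunAsAdministrator
# Security Six workstation audit (added example, not IRS-provided code).
# Queries the local Windows machine for the technical controls described in
# the Security Six, prints PASS / FAIL / MANUAL per control, and writes a CSV
# you can keep with the WISP as evidence of the annual control test.
# Assumptions: Windows 10/11 with the Defender, NetSecurity, BitLocker and
# VpnClient modules; the backup-marker path and the 3-day signature-age
# threshold are hypothetical and should be changed to match your setup.

$results = New-Object System.Collections.Generic.List[object]

function Add-Result {
    param([string]$Control, [string]$Status, [string]$Detail)
    # The list object is shared with the caller, so .Add() needs no $script: scope.
    $results.Add([pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail })
}

function Test-Flag([bool]$Pass) { if ($Pass) { 'PASS' } else { 'FAIL' } }

# 1. Antivirus: Defender enabled, real-time protection on, signatures fresh.
#    A third-party product puts Defender in passive mode and this reports FAIL;
#    verify that product's own console instead.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $avOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 3)
    Add-Result 'Antivirus' (Test-Flag $avOk) ("Enabled={0} RealTime={1} SignatureAgeDays={2}" -f $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled, $mp.AntivirusSignatureAge)
} catch {
    Add-Result 'Antivirus' 'FAIL' "Get-MpComputerStatus failed: $($_.Exception.Message)"
}

# 2. Firewall: every profile enabled, inbound not defaulting to Allow
#    (NotConfigured means the Windows default, which is Block), and logging of
#    blocked connections on. Windows ships with LogBlocked off, so a fresh
#    machine fails here until you run: Set-NetFirewallProfile -All -LogBlocked True
foreach ($p in Get-NetFirewallProfile) {
    $fwOk = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow') -and ($p.LogBlocked -eq 'True')
    Add-Result "Firewall/$($p.Name)" (Test-Flag $fwOk) ("Enabled={0} Inbound={1} LogBlocked={2} Log={3}" -f $p.Enabled, $p.DefaultInboundAction, $p.LogBlocked, $p.LogFileName)
}

# 3. Drive encryption: each volume fully encrypted AND protection On. A volume
#    that is FullyEncrypted with protection Off (suspended) is readable by anyone.
#    The key protector list shows whether a RecoveryPassword exists to escrow.
try {
    foreach ($v in Get-BitLockerVolume -ErrorAction Stop) {
        $encOk = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')
        $protectors = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        Add-Result "BitLocker/$($v.MountPoint)" (Test-Flag $encOk) ("Status={0} Protection={1} Method={2} Protectors={3}" -f $v.VolumeStatus, $v.ProtectionStatus, $v.EncryptionMethod, $protectors)
    }
} catch {
    Add-Result 'BitLocker' 'FAIL' "Get-BitLockerVolume failed: $($_.Exception.Message)"
}

# 4. Backups: Windows has no single backup API, so this checks that a marker
#    file your backup job writes on success (hypothetical path) is under 24h old.
$backupMarker = 'C:\ProgramData\Backup\last-success.txt'   # assumed; set to your product's log
if (Test-Path $backupMarker) {
    $age = (Get-Date) - (Get-Item $backupMarker).LastWriteTime
    Add-Result 'Backup' (Test-Flag ($age.TotalHours -le 24)) ("Success marker is {0:N1} hours old" -f $age.TotalHours)
} else {
    Add-Result 'Backup' 'FAIL' "No success marker at $backupMarker"
}

# 5. MFA is enforced by the tax software, email and e-Services, not the PC.
Add-Result 'MFA' 'MANUAL' 'Verify MFA is enforced in tax software, email, cloud storage, remote access and e-Services'

# 6. VPN: a Windows VPN profile must exist; third-party clients are not seen here.
$vpn = @(Get-VpnConnection -ErrorAction SilentlyContinue)
if ($vpn.Count -gt 0) {
    Add-Result 'VPN' 'PASS' (($vpn | ForEach-Object { "$($_.Name)=$($_.ConnectionStatus)" }) -join ';')
} else {
    Add-Result 'VPN' 'MANUAL' 'No Windows VPN profile found; confirm the VPN client in use and its configuration'
}

$results | Format-Table -AutoSize
$evidence = Join-Path $env:ProgramData ("SecuritySix-{0}-{1:yyyyMMdd}.csv" -f $env:COMPUTERNAME, (Get-Date))
$results | Export-Csv -Path $evidence -NoTypeInformation
Write-Host "Evidence written to $evidence"
if ($results | Where-Object Status -eq 'FAIL') { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell on each workstation and laptop. Each FAIL line names the setting to fix; the MANUAL lines are the items you confirm in the vendor consoles rather than on the device. Dating the CSV and keeping it with the WISP gives you the "verify your controls are functioning, not just documented" evidence an annual review calls for.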
Draft or update your WISP using the IRS template as a starting point, customizing it to reflect your actual practice, systems, and procedures.
Many Greater St. Louis area tax practices partner with managed IT providers who specialize in compliance for professional services firms. Managing these requirements while running a practice during tax season is a significant burden, and it's one that makes sense to delegate to specialists.
Compliance Is Ongoing, Not a One-Time Project
Annual reviews are the minimum. Employee training needs to happen regularly; phishing techniques evolve constantly, and your team needs to stay current. Risk assessments must be updated annually at minimum. Test your backups by actually restoring data. Verify your controls are functioning as expected, not just documented.
Next Steps for Missouri Tax Preparers
NOC Technology works with CPAs and tax preparers across the Greater St. Louis region to implement compliant IT systems. Learn more about our IT support for accounting firms and our approach to cybersecurity.
We publish our transparent pricing so you know what professional IT support costs before you call.