Schedule a time to meet with an advisor: Sonareon Schedule or call us at: (248)602-2682
Every Tax Firm needs a WISP - It's the law
"I love it when a plan comes together." - A Team
Peter Serzo
11/18/2025, 2 min read


WISP is an acronym your firm should know: it stands for Written Information Security Plan. If you run a tax or accounting firm, here’s an important fact: federal law says you must protect your clients’ private data, and you need proof that you’re doing it. That proof is called a WISP.
Take this acronym and think of it as Why I Stay Positive. Creating a WISP may seem daunting, but it is very doable: there are only a few items you need to be aware of when implementing it.
First of all, you cannot get out of this. Even small firms fall under these rules because the government considers all tax and accounting professionals “financial institutions” under the Gramm-Leach-Bliley Act (GLBA). The Federal Trade Commission (FTC) enforces rules to make sure your business keeps customer information safe.
What Your WISP Must Do
Your WISP is a security game plan. It should be written down, easy to find, and fit your business. It does not matter whether you’re a one-person operation or a busy multi-office firm. This document outlines how you protect client data from hackers, leaks, and everyday mistakes.
The FTC’s 4 Must-Do Rules
The FTC Safeguards Rule lays out what every firm must include in its WISP. Here’s what that means in everyday terms:
Pick a Security Leader
Choose someone in your firm (or an outside expert like Sonareon) to manage your security plan and make sure everyone follows it.
Find Your Weak Spots
Look at where your client information is stored and shared—on computers, networks, or paper files. Think about what could go wrong and how to stop it.
Build and Test Your Defenses
Create safety rules for your employees, your technology, and your response if something fails. Keep checking that your protections actually work.
Use Multi-Factor Authentication (MFA)
Anyone accessing customer information should verify their identity in more than one way—like entering a password and a phone code. This step stops most data breaches before they start.
Why It Matters
Building a WISP isn’t just about checking a legal box. It’s about protecting your clients’ trust and your business. When people hand you their Social Security numbers, tax data, and bank details, they expect you to keep them safe. A strong security plan shows you take that responsibility seriously.
Next Steps
The IRS has provided a 28-page document and template that you can reference to create your own. Another option is to use an outside expert (like Sonareon) to create this document and its associated assets. The final word on this matter is WISP one more time; this time, however, it stands for Wake, Inspire, Start, Persist. You got this. Create your plan.
Email: info@sonareon.com
© 2025 Sonareon. All rights reserved.
Phone: 248-429-9110
