If your CPA or accounting practice prepares tax returns or handles taxpayer data, your technology carries legal and business risk. The IRS Security Summit guidance says tax and accounting professionals are covered under the Gramm-Leach-Bliley Act and the FTC Safeguards Rule, regardless of size. That includes the requirement to implement and maintain a written information security plan, often called a WISP.
The plan matters because client data does not live in one neat folder. It sits in tax software, email, document portals, scanners, local downloads, cloud storage, backups, old laptops, and sometimes a printer with memory. A WISP gives your practice one written map for protecting that data.
What a WISP should do
A useful WISP names the information your firm handles, where it lives, who can reach it, what could go wrong, and which safeguards reduce that risk. It also names the person responsible for coordinating the security program.
The FTC guidance calls for risk assessment, access controls, encryption where required or appropriate, multi-factor authentication, secure disposal, staff training, monitoring, and service provider oversight. That sounds formal. In a small office, it starts with clear ownership and a written list of systems.
The WISP has to match reality. A copied template that says backups are tested does not help if nobody has restored a file. The document should describe what your office actually does, then point to the gaps you still need to close.
The technology pieces most small practices miss
- Multi-factor authentication. Every email, tax software, cloud storage, remote access, and admin account should require more than a password.
- Individual user accounts. Shared logins make access hard to track and harder to revoke when seasonal staff leave.
- Device inventory. Your plan needs to know which desktops, laptops, phones, tablets, printers, and drives can store or reach client information.
- Backups with test restores. Backups protect the practice only when someone has watched data come back cleanly.
- Patch and update habits. Workstations, routers, tax software, browsers, and security tools need regular attention, especially before filing season.
- Vendor oversight. Your tax software, cloud storage, phone system, email provider, and IT provider all touch the way client information moves.
Why this matters before tax season
Filing season is a bad time to discover weak passwords, stale antivirus, a dead backup drive, or a retired employee who still has access to email. Tax practices work under deadline pressure. Attackers know that rushed staff click faster and verify less.
A WISP gives the office a calmer way to handle security. New staff get trained. Old access gets removed. Backups get tested before a crash. Software gets updated before the week everything is due. If something goes wrong, the firm has a response plan instead of a scramble.
Where Jackson Tech Rescue fits
I help with the technical side: multi-factor authentication, account cleanup, backup design, device inventory, workstation security, updates, network review, documentation, and vendor coordination. Your firm owns the WISP itself. I am not a lawyer, auditor, or compliance officer, and this is not legal advice.
The goal is simple: your written plan should line up with the real safeguards in your office. If the plan says client files are protected, your computers, accounts, backups, and staff habits should back that up.