WISP Required! Key Components in Your Firm’s Written Information Security Plan

While the FTC Safeguards Rule, designed to protect financial information and PII (personally identifiable information), has been around for decades, compliance with various components, including a Written Information Security Plan, or WISP, became mandatory as of June 9, 2023! While the rule is primarily targeted at companies maintaining more than 5,000 client records (think tax returns), certain safeguard components are required for firms with fewer than 5,000 records, such as the use of multi-factor authentication, encryption of data, and secure disposal of information.

Also, with financial and criminal penalties imposed for “knowingly or inadvertently” disclosing taxpayer data, the IRS has issued additional guidance on key strategies for protecting taxpayer data, which would apply to all firms regardless of the number of clients they have. The need for a WISP was highlighted for practitioners when they renewed their PTIN, along with expanded requirements including security and phishing training. Accordingly, it is recommended that all firms have a WISP, with the caveat that it be “appropriate” to their firm’s size and situation. Below we identify key components that should be documented…
