How to Safeguard Taxpayer Data and Comply with IRS Publication 4557

Take simple, common sense steps to keep your business and client information safe.

As an accounting or CPA firm, you’re a serious target for fraud and targeted phishing. Criminals use the information and access at your firm for tax fraud, theft of bank account information, W-2 fraud, and the resale of banking credentials.

The IRS has specific rules about handling and protecting taxpayer data, outlined in IRS Publication 4557, "Safeguarding Taxpayer Data." You need to take certain technical, procedural, and administrative precautions. The following is not exhaustive but should be considered fundamental.

Train Your People
  • Training for technology safety: scams, impersonation attempts, and targeted phishing emails are highly likely to reach accounting and bookkeeping firms. All employees should be aware of these threats and know how to identify and respond to them when confronted.
  • If you use managed IT or technology providers, ask them whether and how they are helping you comply with the items in the technology section below. Cybersecurity has many elements, and a single misconfiguration or overlooked detail is often the cause of a data breach.
Configure Your Technology
  • Generally speaking, businesses should use Windows Defender for Business (or Defender for Endpoint) or a business-grade product like SentinelOne. Small offices may use the built-in Windows Defender or Avast antivirus software.
  • Computers and phones keep themselves up to date automatically, but software like QuickBooks needs its updates installed, and the application restarted, every time an update is released.
  • All accounts must use unique passwords that are not used anywhere else. They should be random (stored in a password manager like 1Password or Bitwarden) or long phrases.
  • All online web accounts storing or processing sensitive information must use multi-factor authentication or two-step verification.
  • Online document sharing platforms like ShareFile or Box should also be configured securely. We’ve written about how these can be misused here and here.
  • All devices must use disk encryption, such as Windows BitLocker or macOS FileVault. By default, common email providers use TLS to encrypt mail in transit.
  • All data should be backed up regularly and archived securely. Consider cloud storage plus solutions such as Microsoft 365 Backup or Dropsuite.
  • Secure your wireless networks with long and unique passwords as well.
Create Sensible Processes
  • Put two-person verification processes in place for filing and for direct deposit information and any changes to it.
  • Hard drives should be wiped or safely destroyed when devices are shelved or recycled.
  • Access to client information should be limited to those who need to know, with view and edit permissions configured appropriately.
  • Regularly review and audit your e-file and e-services applications and Preparer Tax Identification Number (PTIN) accounts to match expected returns. If they don’t match, contact the IRS.
  • Review, audit, and remove power of attorney or authorizations for old or inactive clients regularly. Deactivate unused Electronic Filing Identification Numbers (EFINs).
  • Regularly review audit logs of sensitive activities in critical platforms to identify fraud or malicious activity.
  • Know how and to whom to report data breaches. Depending on the impact, you may need to contact
Are You a Victim Now?

The IRS shares numerous scenarios that should give you or your clients pause.

  • Clients can’t file returns because they already have
  • Clients receive unexpected authentication letters from the IRS
  • Clients receive unexpected notices about their online account
  • You or clients receive unexpected email responses to messages you didn’t send
Write Down a Plan

Write this down in a Written Information Security Plan (WISP), also known as an Information Security Policy. This is a requirement, and it gives the firm an official stance on safeguarding client information.

Free Resources

Download a Word document version of the IRS’s Written Information Security Plan template.

Download our easy-to-follow Safeguarding Taxpayer Data Checklist for complying with the IRS Publication and the FTC Safeguards Rule.

For guidance on how to lose money and data in business, check out our other tongue-in-cheek guide.
