Here’s what HIVE AI had to say about “Data security requirements for tax preparation businesses”:

Data security requirements for tax preparation businesses

Core legal obligations you must meet

IRS confidentiality and consent rules (IRC §7216 and regulations)

  • You cannot use or disclose a client’s tax return information without the taxpayer’s prior written consent, except where a specific regulation permits it for preparation/filing or certain internal uses. Timing matters: you may not request consent for unrelated solicitations after you’ve delivered the completed return for signature, and you may not seek a substantially similar consent after a taxpayer has declined one. For 1040-series filers, if you disclose information offshore under a valid consent, you must redact the SSN; you cannot obtain consent to disclose SSNs offshore. 1
  • You may maintain a limited “taxpayer list” for solicitation of additional tax return preparation services containing only contact basics and return form number; you cannot use the list to solicit non-tax services, and transfer of the list is restricted to a sale of the tax prep business with confidentiality safeguards. 2
  • Violations of §7216 can be criminal. Treat disclosures strictly and align your vendor contracts and any offshore workflows to these limits. 3

FTC Safeguards Rule under GLBA

  • All professional tax preparers are “financial institutions” under GLBA and must implement a written information security program (WISP). At a minimum, designate a security program coordinator; assess risks across operations; implement, monitor, and test safeguards; oversee service providers by contract; and adjust the program as risks and operations change. 4
  • The IRS reinforces that online providers must follow the six security and privacy standards in Publication 1345 and that failure to safeguard customer data can lead to FTC investigation. Use Publication 4557 to create your WISP and implement controls (MFA, encryption, backups, anti-malware, etc.). 5

IRS and Treasury security standards referenced for tax pros

  • IRS encourages tax pros to follow Publication 4557 and the “Taxes-Security-Together” checklist: deploy anti-virus, firewalls, MFA, backups, drive encryption, and secure VPNs; maintain a data security plan as required by law. 6
  • For online e-file providers, adhere to Publication 1345’s security/privacy standards; GLBA/FTC rules do not supersede §7216’s stricter limits on disclosures. 7

Concrete controls you should implement

Written Information Security Plan (WISP)

  • Build a WISP that documents governance, risk assessment, access controls, encryption, secure configurations, change management, incident response, vendor oversight, and ongoing monitoring/testing. The FTC Safeguards Rule requires you to designate coordinators, assess risks in relevant areas, implement safeguards, oversee providers, and periodically adjust. 4
  • Use IRS Publication 4557 as your primary checklist and training guide to implement strong passwords, MFA for anyone accessing customer info, full-disk and file/email encryption for PII, and anti-malware on all devices. 5

Access control and authentication

  • Enforce least privilege and unique accounts; implement MFA on all systems containing client data and for any remote access or cloud portals. Publication 4557’s “Security Six” highlights MFA and encryption as baseline controls. 6

Encryption and network security

  • Encrypt sensitive files/emails and devices; use secure VPN for remote work; use WPA2/AES on Wi‑Fi and avoid public Wi‑Fi for client data. 5
  • IRS volunteer/privacy guidance reinforces using WPA2/AES, VPNs, secured LANs, and prohibiting unprotected public wireless when transmitting taxpayer information. While aimed at VITA/TCE, these are solid benchmarks for any firm. 8

Vendor and cloud oversight

  • Contractually require service providers to implement appropriate safeguards, monitor them, and ensure they do not use/disclose taxpayer data contrary to §7216. Publication 4557 and GLBA require oversight of service providers. 4
  • Remember: GLBA does not override §7216; do not rely on “opt-out” notices to justify disclosures that §7216 prohibits. 7

Physical security and media handling

  • Lock up paper records; keep screens and documents out of public view; securely destroy paper and electronic media when no longer needed; ensure data on decommissioned devices is unrecoverable. 9
  • Store retained documents in locked cabinets; prohibit unprotected public wireless; delete client data from equipment after filing-season activities per your retention policy. 8

Incident response and reporting

  • Build an incident response plan in your WISP. If you receive IRS return information under an IRS agreement, you must have safeguards and notify TIGTA upon any unauthorized access/breach as required by §6103(k). Even if not directly under such an agreement, adopt breach reporting/containment procedures consistent with GLBA/FTC expectations. 10

Consent, marketing, and offshore considerations

Consent mechanics and limitations

  • Obtain written, timely consents for any use/disclosure beyond preparation/filing; do not request solicitation consents after delivering the completed return for signature; if a taxpayer declines, do not ask again for a substantially similar purpose. 1
  • If you use offshore preparers or support, you must redact SSNs for 1040-series clients even with consent. Ensure contracts and processes enforce this. 1

Limited marketing use of client lists

  • You may compile a list with names/addresses/emails/phones/entity type/form number of your clients solely to provide tax information or solicit additional tax return preparation services; you may not solicit non-tax services and cannot transfer the list except with a sale of the business under strict confidentiality. 2

Due diligence and operational practices that intersect with security

Paid preparer due diligence and records

  • Maintain proper records and compute credits based on information obtained or known, documenting your worksheets or computations; complete and provide or e-file Form 8867 as required for EIC/CTC/AOTC/HOH. Sound records management complements your WISP and retention/destruction policies. 11

PTIN and acknowledgment of security obligations

  • The PTIN application instructions expressly require you to acknowledge that paid preparers are required by law to create and maintain a written information security plan. Ensure your WISP is in place before filing season. 12

Practical checklist for small and mid-sized firms

Immediate steps

  • Designate a security lead and draft/approve your WISP; train all staff annually. 4
  • Implement the “Security Six”: anti-virus, firewall, MFA, backups, drive encryption, secure VPN; update and patch systems routinely. 6
  • Encrypt devices and email with PII; require MFA for all apps handling client data; use strong, unique passwords and consider a password manager. 5
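The following PowerShell script is an added example, not part of the HIVE AI response or any IRS publication: a read-only self-check that tests four of the Security Six controls on a Windows 10/11 workstation (anti-virus, firewall, drive encryption, patch currency) using the built-in Defender, NetSecurity and BitLocker modules. The 3-day signature-age and 45-day patch-age thresholds and the control names are assumptions of this example, not IRS or FTC requirements; MFA, backups and VPN are left out because how to verify them depends on the identity provider, backup tool and VPN product a firm uses. Run it in an elevated session; a non-zero exit code marks a failed control so it can be scheduled and logged as evidence of the "monitor and test safeguards" step.

```powershell
# Added example (not from the HIVE AI page or IRS publications): read-only
# self-check for four "Security Six" controls on a Windows workstation.
# Assumes the Defender, NetSecurity and BitLocker modules are available and
# the session is elevated. Thresholds below are this example's assumptions.

$results = @()

function Add-Result {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $script:results += [pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail }
}

# 1. Anti-virus: Defender enabled, real-time protection on, signatures fresh (assumed: 3 days).
try {
    $mp = Get-MpComputerStatus
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    $pass = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($sigAge.TotalDays -le 3)
    Add-Result 'Anti-virus' $pass ("Enabled=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled) SignatureAgeDays=$([int]$sigAge.TotalDays)")
} catch {
    Add-Result 'Anti-virus' $false "Get-MpComputerStatus failed: $_"
}

# 2. Firewall: every profile (Domain, Private, Public) must be enabled.
$disabled = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name
$disabledList = if (@($disabled).Count -gt 0) { $disabled -join ', ' } else { 'none' }
Add-Result 'Firewall' (@($disabled).Count -eq 0) "Disabled profiles: $disabledList"

# 3. Drive encryption: the OS volume must be fully encrypted with BitLocker protection on.
try {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $pass = ($os.ProtectionStatus -eq 'On') -and ($os.VolumeStatus -eq 'FullyEncrypted')
    Add-Result 'Drive encryption' $pass "ProtectionStatus=$($os.ProtectionStatus) VolumeStatus=$($os.VolumeStatus)"
} catch {
    Add-Result 'Drive encryption' $false "Get-BitLockerVolume failed: $_"
}

# 4. Patching: most recent installed hotfix within 45 days (assumed threshold).
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $patchAge = (Get-Date) - $latest.InstalledOn
    Add-Result 'Patching' ($patchAge.TotalDays -le 45) "Latest $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"
} else {
    Add-Result 'Patching' $false 'No hotfix install dates reported'
}

# Report one line per control; exit 1 if any control failed so a scheduled task can flag it.
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Keep the script's output with the date it ran as part of the WISP's testing records; a failed check is the signal to remediate the device before it touches client data again.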

Vendor governance

  • Amend contracts to require GLBA-compliant safeguards, breach notice obligations, and strict adherence to §7216 limits; assess and monitor vendors annually. 7

Secure operations

  • Prohibit public Wi‑Fi for client data; require WPA2/AES and VPN for remote access; lock paper files and shred when no longer needed; securely wipe or destroy drives/media. 8
  • Train staff to spot phishing, avoid unknown downloads, keep browsers patched, and disable password auto-fill on shared systems. 8

Consent and marketing compliance

  • Use IRS-approved consent forms and workflows; do not send solicitation consents post-delivery; maintain only permitted “taxpayer lists” for tax service outreach. 1

Advanced considerations

Framework alignment and best practices

  • IRS has historically recognized multiple acceptable frameworks as “adequate data protection safeguards,” including the AICPA/CICA Privacy Framework and IRS Pub. 1075; choose and document a framework that meets or exceeds these expectations as part of your WISP. 13

Ethical and Circular 230 developments

  • Proposed updates to Circular 230 identify creating a data security policy and breach response plan as a best practice for practitioners, reinforcing your obligation to maintain safeguards. 14

If you want, I can provide a WISP template outline aligned to Publication 4557 and the FTC Safeguards Rule, plus a vendor due‑diligence checklist tailored to your firm’s technology stack.

Sources

1 – Treasury Regulation 301.7216-3
2 – Treasury Regulation 301.7216-2
3 – IRC § 7216(a)
4 – IRS Newsroom – IR-2023-129
5 – IRS – Publication 4557 Safeguarding Taxpayer Data A Guide for Your Business
6 – IRS.gov – Tax Security 2.0 The Taxes-Security-Together Checklist
7 – IRS – Publication 4163 Modernized e-File (MeF) Information for Authorized IRS e-file Providers for Business Returns
8 – IRS – Publication 4299 Privacy, Confidentiality, and Civil Rights – A Public Trust
9 – IRS IRM 25.27.1 Third-Party Contact Program
10 – IRC § 6103(k)
11 – Treasury Regulation 1.6695-2
12 – IRS – Instruction W-12 Instructions for Form W-12, IRS Paid Preparer Tax Identification Number (PTIN) Application and Renewal
13 – T.D. 9409
14 – REG-116610-20
