Who it applies to
Everyone who prepares returns professionally — from national firms to a solo preparer with a PTIN. The legal force behind Publication 4557 comes from the FTC Safeguards Rule (part of the Gramm-Leach-Bliley Act), which treats tax preparers as financial institutions. The IRS publication translates that rule into tax-practice terms.
What it actually requires
- A written information security plan (WISP). Not intentions, not tools — a document describing how your firm protects client data, who is responsible, and what happens in an incident. The IRS even publishes a starter template (Publication 5708), though a template that doesn’t match how your firm actually works won’t survive scrutiny.
- A designated security coordinator — a named person responsible for the program.
- A risk assessment identifying where client data lives and what threatens it.
- The “Security Six” baseline controls: anti-malware protection, firewalls, multi-factor authentication, backup, drive encryption, and secure remote access (VPN).
- Employee training and oversight of any service providers who touch client data.
The PTIN connection
Your annual PTIN renewal asks you to confirm awareness of your data-security responsibilities, including the WISP requirement. Checking that box without a plan on file is an attestation you’d rather not have to explain later.
What happens if you ignore it
A breach at a tax firm triggers IRS notification (via your stakeholder liaison), state attorney-general notification, and letters to every affected client — and can put your PTIN and e-file privileges at risk. The FTC can also enforce the Safeguards Rule directly. Most firms that go through it say the client-trust damage was the expensive part.
Where to start
- Name a security coordinator.
- Inventory where client data lives — including email, portals, and old laptops.
- Verify the Security Six are actually in place, not assumed.
- Write the WISP to match reality, then fix the gaps it exposes.
- Repeat annually and whenever staff or software changes.
How Z1 helps
We build and maintain WISPs for Tri-Valley CPA and tax firms — the document plus the controls behind it (MFA, encryption, monitoring, training), managed year-round so tax season needs nothing extra from you.
If you’d rather start with a reality check, our free gap analysis compares your firm against the Pub 4557 checklist and your cyber-insurance application in one pass.