May 4, 2026
IRS Written Information Security Plan (WISP): What CPA Firms in California Must Do
IRS Publication 4557 requires every tax preparer to maintain a WISP. What California CPA firms must document, enforce, and review annually.
The IRS does not consider a Written Information Security Plan optional. Every paid tax preparer in the United States, including sole-practitioner CPAs, enrolled agents, and multi-partner firms, must maintain one. According to the IRS’s own Security Summit guidance, fewer than 40% of small tax preparation practices had a documented WISP as of the 2024 filing season. That gap is a compliance liability, not just a security one. The FTC can impose civil penalties up to $100,000 per violation under the updated Gramm-Leach-Bliley Safeguards Rule that became fully effective in June 2023.
For California firms, the stakes are higher still. CCPA and CPRA layer state-level obligations on top of federal requirements. CalCPA has issued specific guidance on both. This post walks through exactly what your firm must do.
TL;DR: Every U.S. tax preparer must maintain an IRS-compliant WISP under Publication 4557 and the FTC GLB Safeguards Rule. The FTC can fine firms up to $100,000 per violation for non-compliance. California firms also face CCPA/CPRA obligations. A compliant WISP requires eight documented elements and annual review. (FTC Safeguards Rule, 2023)
What Does IRS Publication 4557 Actually Require?
IRS Publication 4557, “Safeguarding Taxpayer Data,” is the primary IRS-issued guidance that translates the FTC’s GLB Safeguards Rule into plain language for tax professionals. It applies to every individual or firm that prepares federal tax returns for compensation: CPAs, enrolled agents, tax attorneys, and seasonal preparers alike. The IRS Security Summit, a joint effort between the IRS, state revenue agencies, and industry partners, has repeatedly identified WISP gaps as a leading contributor to tax-preparer data theft.
The publication doesn’t suggest best practices. It documents required controls. If your firm doesn’t have a written plan, you’re non-compliant today.
Citation Capsule: IRS Publication 4557 requires all compensated tax preparers to implement a Written Information Security Plan aligned with the FTC’s Gramm-Leach-Bliley Safeguards Rule. The IRS Security Summit identified WISP non-compliance as a leading factor in tax-preparer data theft incidents affecting hundreds of thousands of taxpayers annually. (IRS Publication 4557, 2024)
What Changed When the FTC Updated the GLB Safeguards Rule?
The FTC’s revised Gramm-Leach-Bliley Safeguards Rule took full effect on June 9, 2023, and it significantly raised the floor for financial-data custodians, a category that explicitly includes tax preparers. (FTC Safeguards Rule, 2023) The original 2003 rule required a written security program. The 2023 revision added specificity: named security coordinators, encryption mandates, multi-factor authentication, penetration testing timelines, and incident-response plan requirements.
For CPA firms that hadn’t revisited their WISP since 2015 or 2018, the June 2023 update created new gaps even for firms that previously had documentation. A plan written before the revision almost certainly doesn’t meet current FTC standards. Learn more about how the GLB Safeguards Rule maps to specific technical controls your firm needs documented.
Citation Capsule: The FTC’s updated Gramm-Leach-Bliley Safeguards Rule, fully effective June 9, 2023, added mandatory encryption, multi-factor authentication, annual penetration testing, and a named information security coordinator for all financial institutions, a category that explicitly includes tax preparers under 16 CFR Part 314. (FTC Final Rule, 2023)
What Are the 8 Required Elements of a Compliant WISP?
A compliant WISP under the updated Safeguards Rule must document eight specific elements. Missing any one of them creates an audit exposure.
1. Designated coordinator. The plan must name a specific individual (not a title or a department) as responsible for implementing and maintaining the security program. For a solo CPA, that’s you. For a multi-partner firm, this is typically the managing partner or a designated IT/compliance contact.
2. Risk assessment. A written inventory of every system, device, and process that touches taxpayer data, with documented threats and vulnerabilities for each. This isn’t a one-time exercise. The FTC expects it to be updated when systems change.
3. Information safeguards. Specific controls (technical, administrative, and physical) mapped to each identified risk. This includes access controls, encryption at rest and in transit, and physical security for paper records and device storage.
4. Employee training. Documented security awareness training for every staff member with access to taxpayer data. Training must be tracked. Completion records are required evidence in any FTC examination.
5. Vendor oversight. Written contracts with every service provider that handles taxpayer data: cloud storage, payroll processors, tax software vendors, and your IT or MSP provider. Contracts must require those vendors to implement appropriate safeguards.
6. Incident response plan. A documented procedure for what to do when a breach occurs. Under the updated Safeguards Rule, firms must notify the FTC within 30 days of discovering a breach affecting 500 or more customers. California’s own breach notification law (Civil Code § 1798.82) has its own timeline requirements.
7. Regular testing. Annual penetration testing or vulnerability assessments for firms handling data at scale. For smaller practices, documented vulnerability scans and access reviews satisfy the testing requirement.
8. Paper records disposal. A documented shredding and destruction policy for physical documents containing taxpayer data. This is one of the most commonly overlooked elements in audits.
In our experience working with Southern California CPA firms, the two most consistently missing elements are vendor oversight documentation and a named incident response contact with an after-hours escalation procedure. Most firms have some version of elements one through four. Almost none have a current vendor contract inventory.
How Does California Law Interact with the Federal WISP Requirement?
California firms carry additional obligations on top of the federal floor. The California Consumer Privacy Act, as amended by CPRA in 2023, treats taxpayer personal information as covered data under most interpretations, which triggers consumer rights obligations, data minimization requirements, and documented retention schedules. (California Privacy Protection Agency, 2023)
California’s enrolled agent licensing, governed by the California Tax Education Council and the state Board of Accountancy, doesn’t independently mandate a WISP by name, but the state’s breach notification statute (Civil Code § 1798.82) creates an effective enforcement mechanism. A breach without a documented response plan is almost always a statutory violation.
CalCPA has issued practice guidance recommending that member firms treat their WISP as a living document reviewed at least annually and updated after any security incident, system change, or staff transition. That cadence aligns exactly with what the FTC now requires by rule.
California’s CPRA introduced a “sensitive personal information” category that includes Social Security numbers, taxpayer identification numbers, and financial account data, exactly what a CPA firm holds on every client. This creates a data-mapping obligation that most WISP templates don’t address. Your WISP needs a section specifically documenting what sensitive personal information you collect, where it lives, who can access it, and how long you retain it under your retention schedule.
Citation Capsule: California’s CPRA classifies Social Security numbers, taxpayer IDs, and financial account data as “sensitive personal information,” triggering consumer rights, data minimization, and documented retention requirements for CPA firms beyond what federal WISP rules require. Firms operating in California effectively face a dual compliance framework. (California Privacy Protection Agency, 2023)
What Are the Real Consequences of Non-Compliance?
Non-compliance isn’t a theoretical risk. The FTC assessed civil penalties in excess of $4.5 million against financial-sector entities under the Safeguards Rule between 2021 and 2024, and the agency has explicitly stated that tax preparers are in scope. (FTC Annual Highlights, 2024) IRS sanctions for tax preparers found to have inadequate data security can include suspension of e-filing privileges, which effectively shuts down a tax practice during filing season.
State-level exposure is equally serious. A California CPA who experiences a breach without a documented incident-response plan faces potential California Board of Accountancy referral, and the CPPA has authority to assess penalties of $2,500 per unintentional violation and $7,500 per intentional one.
Cyber liability insurers are increasingly requiring documented WISPs as a condition of coverage. Firms without one may find claims denied following a breach, regardless of the policy’s face terms.
Why Does the Pasadena and San Gabriel Valley CPA Cluster Face Particular Exposure?
The Pasadena and San Gabriel Valley corridor has one of the highest concentrations of boutique CPA and enrolled-agent practices in Southern California, serving a dense mix of high-net-worth individual clients, research-adjacent organizations tied to Caltech and JPL, and small manufacturing and professional services businesses. (U.S. Census Bureau County Business Patterns, 2023) That client mix means these practices routinely hold returns with K-1 distributions, research credits, foreign income disclosures, and other high-value data that is disproportionately targeted by credential-theft campaigns.
Boutique practices in this corridor often operate with one to three administrative staff, no dedicated IT person, and legacy document management systems. That’s precisely the profile the IRS Security Summit flags as highest-risk. AdVran’s financial services IT work in Pasadena was built directly for this context.
Citation Capsule: Los Angeles County has the highest density of licensed CPA practices in California, with the Pasadena-to-San Gabriel Valley corridor accounting for a significant share of the county’s boutique tax preparation firms. These practices disproportionately serve high-net-worth clients whose returns contain data categories specifically targeted in IRS-tracked identity theft schemes. (IRS Data Book, 2024)
What Should Your MSP Deliver for WISP Compliance?
A managed IT provider working with a CPA firm needs to do more than keep computers running. WISP compliance requires specific technical deliverables that should be documented, version-controlled, and available for examination. Here’s what a compliant engagement looks like.
Documented access controls. Role-based access to every system touching taxpayer data, with written justification for each access grant and a quarterly access review process.
Encrypted storage. Full-disk encryption on all workstations and laptops, plus encrypted cloud storage with key management documentation. The FTC rule requires encryption both at rest and in transit.
Multi-factor authentication. MFA on every system that holds or accesses taxpayer data: tax software portals, cloud storage, email, and remote access. The updated Safeguards Rule makes this non-negotiable.
Annual review cycle. A scheduled annual WISP review with written output, signed by the designated coordinator, documenting what was reviewed, what changed, and what was tested.
Incident response on retainer. A written agreement that specifies response timelines, escalation contacts, forensic preservation procedures, and notification support. A 30-day FTC clock starts the moment you discover a breach.
Frequently Asked Questions
Does a solo CPA or sole-practitioner enrolled agent need a WISP?
Yes. The GLB Safeguards Rule and IRS Publication 4557 apply to every paid tax preparer regardless of firm size. A single-person practice that prepares even one federal return for compensation is in scope. The FTC does provide some flexibility in how small operators implement controls, but the documentation requirement, a written plan, applies universally. (IRS Publication 4557, 2024)
How often does a WISP need to be updated?
The FTC requires review and update whenever there is a material change in operations, a security incident, or at least annually, whichever comes first. CalCPA guidance aligns with that cadence. In practice, most firms should expect to update their WISP at the start of each filing season, after any staff departure with system access, and after any vendor or software change.
What happens if the IRS or FTC finds my WISP inadequate during an examination?
The IRS can issue a written notice requiring remediation within a set timeframe and, for repeated or egregious failures, suspend e-filing privileges. FTC civil penalties under the Safeguards Rule reach $100,000 per violation per day in some circumstances. State consequences in California include Board of Accountancy referral and CPPA penalties of up to $7,500 per intentional violation. (FTC Safeguards Rule, 2023)
Can I use a WISP template from CalCPA or the AICPA?
Templates are a useful starting point, but they require firm-specific customization to be compliant. A template that doesn’t name your designated coordinator, list your actual systems, document your real vendors, or reflect your incident-response contacts isn’t a compliant WISP. It’s a placeholder. The FTC evaluates whether your plan reflects your actual operations, not whether it resembles a published template.
Does my tax software vendor’s security cover my WISP requirement?
No. Your tax software vendor maintains their own security program for their infrastructure. Your WISP covers your firm’s systems, staff practices, and client data handling. The vendor’s security doesn’t substitute for your own documented program. Under the updated Safeguards Rule, you’re also required to have a written contract with your software vendor that obligates them to maintain appropriate safeguards, a requirement most firms have not yet implemented.
What to Do Next
If your firm doesn’t have a current, documented WISP, or hasn’t reviewed it since before June 2023, the time to fix that is before the next filing season, not after a breach. Start with a written inventory of every system and vendor that touches taxpayer data. Name your designated coordinator. Document your incident-response escalation chain. Then close the technical gaps: MFA, encryption, access controls, and a tested backup.
This is infrastructure work. It takes a few weeks to do properly and needs an annual maintenance cycle afterward. The firms that treat it that way rarely end up in a breach headline. The ones that defer it until something goes wrong pay for it in ways that go well beyond the cost of remediation.
Adrian Monges Rodriguez founded AdVran after managing network infrastructure at Boeing on NASA and defense projects, where documented security plans weren’t optional on any contract. That same standard applies to every client we work with, including CPA firms across the Pasadena and San Gabriel Valley corridor.