IRS Publication 5709: Your Complete Guide to Data Breach Management for Tax Professionals

 

Federal law, enforced by the Federal Trade Commission, requires professional tax preparers to create and maintain a written data security plan. The Security Summit developed a plain language sample plan that tax pros can use for guidance in making their own WISP. The sample plan is available on IRS.gov.

The IRS has mandated six security, privacy, and business standards to supplement the Gramm-Leach-Bliley Act to better serve taxpayers and protect their information collected, processed and stored by Online Providers of individual income tax returns. The first five standards continue to apply to Online Providers, while Standard number six, “Reporting of Security Incidents,” is now mandated for all Providers.

These standards also address certain business and customer service objectives, such as instant payment options, access to website owner/operator’s contact information, and Online Provider’s written commitment to maintaining physical, electronic, and procedural safeguards of taxpayer information that comply with applicable law and federal standards.

• Extended Validation SSL Certificate

Online Providers of individual income tax returns must have a valid and current Extended Validation Secure Socket Layer (SSL) certificate using TLS 1.2 or later and minimum 2048-bit RSA/128-bit AES.

• External Vulnerability Scan

Online Providers of individual income tax returns must contract with an independent third-party vendor to run weekly external network vulnerability scans of all their “system components” in accordance with the applicable requirements of the Payment Card Industry Data Security Standards (PCIDSS). All scans must be performed by a scanning vendor certified by the Payment Card Industry Security Standards Council and listed on their current list of Approved Scanning Vendors (ASV). In addition, Online Providers of individual income tax returns whose systems are hosted must ensure that their host complies with all applicable requirements of the PCIDSS.

For the purposes of this standard, “system components” is defined as any network component, server, or application that is included in or connected to the taxpayer data environment. The taxpayer data environment is that part of the network that has taxpayer data or sensitive authentication data.

If scan reports reveal vulnerabilities, action must be taken to address the vulnerabilities in line with the scan report’s recommendations. Retain weekly scan reports for at least one year. The ASV and the host (if present) must be in the United States.

• Information Privacy and Safeguard Policies

This standard applies to Authorized IRS e-file Providers participating in Online Filing of individual income tax returns that own or operate a website through which taxpayer information is collected, transmitted, processed or stored. These Providers must have a written information privacy and safeguard policy consistent with the applicable government and industry guidelines and including the following statement: “we maintain physical, electronic and procedural safeguards that comply with applicable law and federal standards.” In addition, Providers’ compliance with these policies must be certified by a privacy seal vendor acceptable to the IRS. 

• Protection Against Bulk Filing of Fraudulent Income Tax Returns

This standard applies to Online Providers of individual income tax returns that own or operate a website through which taxpayer information is collected, transmitted, processed or stored. These Online Providers must implement effective technologies to protect their website against bulk filing of fraudulent income tax returns. Taxpayer information must not be collected, transmitted, processed or stored otherwise.

• Public Domain Name Registration

This standard applies to Online Providers of individual income tax returns that own or operate a website through which taxpayer information is collected, transmitted, processed or stored. These Online Providers must have their website’s domain name registered with a domain name registrar that is in the United States and accredited by the Internet Corporation for Assigned Names and Numbers (ICANN). The domain name must be locked and not be private.

• Reporting of Security Incidents

Authorized IRS e-file Providers of individual income tax returns must report security incidents to the IRS as soon as possible but not later than the next business day after confirmation of the incident. For the purposes of this standard, an event that can result in an unauthorized disclosure, misuse, modification, or destruction of taxpayer information (e.g., breach) must be considered a reportable security incident. Providers with multiple roles must follow instructions for submitting incident reports at “Instructions for Reporting Security Incidents.” Those that are EROs only must contact their local stakeholder liaison by following the instructions at “Data Theft Information for Tax Professionals.” In addition, if the Provider’s website is the cause of the incident, the Provider must cease collecting taxpayer information via their website immediately upon detection of the incident and until the underlying causes of the incident are successfully resolved.

The six IRS-mandated security, privacy, and business standards with the requested columns:

IRS Mandated "6" Standards - will you:	Yes	No	N/A	Firm	Data Security Coordinator	Date
1. Extended Validation SSL Certificate
2. External Vulnerability Scan (PCIDSS Compliance)
3. Information Privacy and Safeguard Policies
4. Protection Against Bulk Filing of Fraudulent Income Tax Returns
5. Public Domain Name Registration
6. Reporting of Security Incidents
IRS Mandated "6" Standards - will you	Ongoing	Done	N/A	Firm	Data Security Coordinator	Date
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

Each row corresponds to one of the six standards, allowing for a Yes, No, or N/A response. Fill in the Firm, Data Security Coordinator, and Date columns as needed for tracking and compliance verification.

Pub 1345, page 21

Regarding the IRS Written Information Security Plan (WISP) on both EFIN and PTIN holder -Submitting the Electronic Return to the IRS -Electronic Signature Methods - There are two methods of signing individual income tax returns with an electronic signature available for use by taxpayers. Both the Self-Select PIN and Practitioner PIN methods allow taxpayers to use a Personal Identification Number (PIN) to sign the return and the Declaration of Taxpayer. The ERO must always identify the paid tax return preparer (if any) in the proper field of the electronic record of returns. The ERO must enter the paid preparer’s identifying information (name, address, Employer Identification Number (EIN), when applicable, and Preparer Tax Identification Number (PTIN)) EROs may either transmit returns directly to the IRS or arrange with another Provider to transmit the electronic return to the IRS. A Provider, including an ERO, may disclose tax return information to other Providers relating to e-filing a tax return under Treas. Reg. §301.7216-2(d)(1) without obtaining the taxpayer’s consent. For example, an ERO may pass on return information to an Intermediate Service Provider or a Transmitter for the purpose of having an electronic return formatted or transmitted to the IRS. The ERO must enter the return preparer’s identifying information (name, address, EIN, and PTIN) in the electronic return.

In the context of the IRS Written Information Security Plan (WISP), both EFIN and PTIN holders have specific responsibilities to ensure that taxpayer data is protected, secure, and managed in accordance with regulatory standards. The WISP outlines the minimum data protection standards for entities that handle taxpayer information, including Electronic Return Originators (EROs), tax preparers, and other Providers involved in the e-filing process.

WISP Requirements for EFIN Holders

For EFIN holders, who are often EROs, the WISP mandates comprehensive data security practices to secure the submission and processing of electronic tax returns. Key responsibilities include:

1. Secure Data Handling: EFIN holders must ensure the secure transmission, processing, and storage of taxpayer information, whether they transmit returns directly to the IRS or through an Intermediate Service Provider or Transmitter. The WISP mandates strict measures to protect taxpayer data from unauthorized access, ensuring that EROs implement technical, administrative, and physical safeguards.
2. Authentication and Access Control: Since EFIN holders have the authority to file electronic returns, the WISP requires that only authorized personnel access sensitive taxpayer data. This includes implementing access control measures, multi-factor authentication (MFA), and ensuring that systems and networks are configured to secure data from unauthorized access.
3. Data Sharing Compliance: Under Treasury Regulation §301.7216-2(d)(1), EFIN holders may disclose tax return information to other Providers, such as Intermediate Service Providers or Transmitters, for e-filing purposes without obtaining taxpayer consent. The WISP, however, requires that any such data sharing strictly adhere to regulatory standards and that only necessary information is shared. Providers must document and track any disclosures to other Providers to ensure accountability and traceability.
4. Incident Response and Reporting: The WISP also outlines incident response protocols that EFIN holders must follow in the event of a data breach. This includes immediate action to contain the breach, assessment of the impact, notification of affected parties, and documentation of the response measures.

WISP Requirements for PTIN Holders

PTIN holders, generally individual tax preparers, have additional WISP responsibilities to safeguard taxpayer information while preparing returns and passing them to the ERO. These responsibilities include:

1. Confidentiality of Client Data: PTIN holders must adhere to confidentiality protocols when handling sensitive taxpayer information. The WISP emphasizes that taxpayer data should not be accessed or disclosed without authorization. PTIN holders should ensure that only authorized personnel can view or handle the data, protecting it from internal and external threats.
2. Data Entry Accuracy: PTIN holders are responsible for ensuring that the ERO receives accurate and complete information for electronic submission, including their own identifying information (PTIN, name, address, EIN, if applicable). This is essential to maintain data integrity within the e-filing system and facilitate accurate record-keeping and compliance.
3. Training and Awareness: The WISP requires that PTIN holders remain informed of IRS data security requirements, including training on identifying phishing attempts, secure handling of taxpayer information, and recognizing potential security threats. This ensures that PTIN holders understand and comply with all IRS security protocols.
4. Reporting Security Concerns: PTIN holders are obligated to report any suspicious activity or potential security concerns to their ERO or the IRS, following WISP guidelines. This aligns with the broader incident response requirements and helps prevent potential security breaches that could compromise taxpayer data.

Shared Responsibilities for EFIN and PTIN Holders under the WISP

The WISP creates a unified approach to securing taxpayer information, with both EFIN and PTIN holders playing critical roles in maintaining this security. Shared responsibilities include:

• Compliance with Multi-Factor Authentication (MFA): Both EFIN and PTIN holders are required to use MFA to access systems containing taxpayer information, enhancing protection against unauthorized access.
• Ongoing Security Assessments: Both EFIN and PTIN holders must regularly assess and improve their security practices. The WISP mandates periodic reviews of internal controls, vulnerability assessments, and compliance audits to identify and mitigate potential risks.
• Accurate Record-Keeping: Both EFIN and PTIN holders must ensure that all identifying information entered into the electronic return is accurate. This includes entering the PTIN, name, and address of the preparer, as well as the EFIN, to create a clear record of accountability for each filed return.
• Adherence to IRS Regulations: Finally, both EFIN and PTIN holders must fully comply with IRS regulations, including Treasury Regulation §301.7216-2(d)(1), which permits certain data disclosures among Providers for the purpose of e-filing without taxpayer consent. They must ensure that any disclosures are strictly for e-filing purposes and maintain records of such disclosures for accountability.

The IRS’s WISP provides a structured framework for EFIN and PTIN holders, defining comprehensive data protection measures and protocols. By adhering to the WISP guidelines, EFIN and PTIN holders can ensure the confidentiality, security, and integrity of taxpayer information, contributing to a secure and compliant e-filing process. This collective effort between EFIN and PTIN holders upholds taxpayer trust and reinforces the security standards necessary for the IRS's electronic filing ecosystem.

 

Here’s an updated template that incorporates your specified columns for assessing IRS Pulication 1345 WISP security procedures Authorized IRS e-file Providers of Individual Income Tax Returns.

Transmission - Requirements

Will you Comply with:	Yes	No	N/A	Firm	Data Security Coordinator	Date
1. Transmit all electronic portions of returns to the appropriate IRS center within three calendar days of receipt;
2. Retrieve the acknowledgment file within two workdays of transmission;
3. Match the acknowledgment file to the original transmission file and send the acknowledgment file containing all conditions on accepted returns, including non-receipt of Personal Identification Number (PIN), etc., to the Electronic Return Originator (ERO) or Intermediate Service Provider within two workdays of retrieving the acknowledgment file;
4. Retain an acknowledgment file received from the IRS until the end of the calendar year in which the electronic return was filed;
5. Contact the IRS at its e-help number, 866-255-0654, for further instructions if an acknowledgment of acceptance for processing has not been received within two workdays of transmission or if an acknowledgment for a return that was not transmitted on the designated transmission is received;
6. Promptly correct any transmission error that causes an electronic transmission to be rejected;
7. Contact the IRS at its e-help number, 866-255-0654, for assistance if the electronic portion of the return has been rejected after three transmission attempts;
8. Ensure the security of all transmitted data;
9. Ensure against the unauthorized use of its Electronic Filing Identification Number (EFIN) or Electronic Transmitter Identification Number (ETIN). A Transmitter must not transfer its EFIN or ETIN by sale, merger, loan, gift or otherwise to another entity;
10. Use only software that does not have an IRS assigned production password built into the software;
11.Provide the Device ID from the equipment used to prepare the return;
12. Perform analysis to identify potential identity theft fraud patterns and schemes for providers who collectively transmit more than 2,000 individual income tax returns per year. They must provide the results relative to any indicators of such fraud to the IRS on a weekly basis, following requirements that will be distributed to Providers;
Additional Requirements for Transmitters Participating in Online Filing	Yes	No	N/A	Firm	Data Security Coordinator	Date
1. Ensure that it includes their assigned Online Filing EFIN, which begins with 10, 21, 32, 44 or 53, in the proper field in the electronic return data;
2. Ensure that the Intermediate Service Provider’s EFIN is included in the electronic return data, when applicable;
3. Include the assigned Submission ID in the transmission of the electronic return data to the IRS;
4. Notify the taxpayer of the status of a return by sending an electronic transmission to the taxpayer or the Intermediate Service Provider, when applicable, within two workdays of retrieving the acknowledgment file from the IRS or by mailing a written notification to the taxpayer within one work day of retrieving the acknowledgment file;
5. Ensure that it doesn’t accept transmission for more than five electronic returns originating from one software package or from one e-mail address;
6. Provide the Internet Protocol (IP) information (public/routable IP Address, IP Date, IP Time and IP Time Zone of the computer the taxpayer uses to submit the return);
7. Enter into agreements with companies to allow access to Online Filing only if companies correctly capture the IP Address of the computer submitting the return and the date, time and time zone of the computer receiving it;
8. Include “Online Filer” in the “Originator Type” field of the Trans Record “A.”
The Transmitter must notify the taxpayer of the following if the IRS accepts the electronic part of a taxpayer’s return:	Yes	No	N/A	Firm	Data Security Coordinator	Date
The date the transmission was accepted;
The Submission ID (SID);
The requirement to properly complete and timely submit a Form 8453, if required, with accompanying paper documents;
The appropriate submission processing center’s address to which Form 8453 with accompanying paper documents, if required, must be sent;
The IRS must receive a Form 8453, if required, before an Online filed return is complete
The Transmitter must tell the taxpayer of the following if the IRS rejects the electronic part of a taxpayer’s return:	Yes	No	N/A	Firm	Data Security Coordinator	Date
The IRS rejected the electronic part of the taxpayer’s return;
The date of the rejection;
The definition(s) of the applicable business rule(s);
The steps the taxpayer needs to take to correct the errors that caused the rejection;
The taxpayer must file a paper return if the taxpayer chooses not to have the electronic part of the return corrected and transmitted to the IRS, or, if the IRS can’t accept the electronic portion of the return for processing by the IRS. To timely file a paper return, the taxpayer must file it by the later of the due date of the return or 10 calendar days after the date the IRS gives notification that it has rejected the electronic portion of the return or that it can’t accept the return for processing. Taxpayers should include an explanation as to why they are filing the paper return after the due date.
The IRS authorizes a Transmitter to provide an electronic postmark if the Transmitter:	Yes	No	N/A	Firm	Data Security Coordinator	Date
Creates an electronic postmark bearing the date and time (in the Transmitter’s time zone) the return was received by the Transmitter’s host system;
Provides the electronic postmark to the taxpayer or the ERO no later than when the acknowledgment is made available to the taxpayer in a format that precludes alteration and manipulation of the electronic postmark information;
Provides the same electronic postmark data to the IRS in the electronic record of the return;
Provides taxpayers with an explanation of the electronic postmark and when the IRS treats the electronic postmark as the filing date;
Refrains from using terms that currently have specific meaning in the postal industry such as “certified” or “registered” and similar terms, and from using “Internal Revenue Service”, “IRS” or “Federal” as a definer of the electronic postmark when discussing the electronic postmark, including in all advertising, product packaging, articles, press releases and other presentations;
Retains a record of each electronic postmark until the end of the calendar year and provides the record to the IRS upon request;
Transmits all tax returns and extensions of time to file that received an electronic postmark to the IRS within two days of receipt from the ERO or from the taxpayer in the case of Online Filing;
Retains the original electronic postmark of the rejected return for a corrected return that the Transmitter received through the last date for retransmitting rejected returns and creates a new postmark for all returns, including corrected returns received after the last date for retransmitting returns. All corrected returns retaining an electronic postmark of a date through the prescribed last day of filing must be transmitted to the IRS within two days of the date the return was received by the Transmitter or the twenty second day of the respective month of the prescribed due date, whichever is earlier.
Transmitting for Federal/State e-file	Yes	No	N/A	Firm	Data Security Coordinator	Date
Before electronic return data can be transmitted (both federal and state electronic return data is transmitted to the IRS), all requirements for transmitting electronic data in IRS e-file must be met. Contact the proper state coordinator for additional requirements specific to that state
Transmission - Requirements	Yes	No	N/A	Firm	Data Security Coordinator	Date
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

An Intermediate Service Provider receives tax information from an Electronic Return Originator (ERO) (or from a taxpayer who files electronically using a personal computer and commercial tax preparation software), processes the tax return information and either forwards the information to a Transmitter or sends the information back to the ERO or taxpayer (for Online Filing).

Other Authorized IRS e-file Provider Activities - Intermediate Service Providers

Will you Comply with:	Yes	No	N/A	Firm	Data Security Coordinator	Date
1. Deliver all electronic returns to a Transmitter or the ERO who gave the electronic returns to the Intermediate Service Provider within three calendar days of receipt;
2. Retrieve the acknowledgment file from the Transmitter within one calendar day of receipt by the Transmitter and send the acknowledgment file to the ERO (whether related or not) within one workday of retrieving it;
3. Retain each acknowledgment file received from a Transmitter until the end of the calendar year in which the electronic return was filed;
4. Input the TINs and addresses on a Form W-2, W-2G, 1099-R or Schedule C as applicable in the electronic return record when they differ from the taxpayer’s TIN or address in the electronic individual income tax return as described in “Verifying Taxpayer Identify and Taxpayer Identification Numbers (TINs)” and “Be Careful with Addresses” if inputting the electronic data;
5. Send any return needing changes as described in “Electronic Return Originator” back to the ERO for correction
Additional Requirements for Intermediate Service Providers Participating in Online Filing When the taxpayer files a return using Online Filing, the Intermediate Service Provider processes information for a taxpayer so that a Transmitter can send the electronic return(s) to the IRS. In so doing, the Intermediate Service Provider must:	Yes	No	N/A	Firm	Data Security Coordinator	Date
1. Ensure that it uses an Online Filing EFIN which begins with 10, 21, 32, 44 or 53;
2. Ensure that its Online Filing EFIN is included in the appropriate field in the electronic return data;
3. Send the transmission to the Transmitter within 24 hours of the receipt of the return from the taxpayer;
4. Ensure that no more than five tax returns are filed electronically by one software package or from one e-mail address;
5. Ensure that software used by the taxpayer does not have an IRS-assigned production password built into the software;
6. . Immediately forward to the taxpayer information received from the Transmitter as required for Online Filing. For example, this requirement applies when a Transmitter receives information from the IRS about the status of the electronic portion of a taxpayer’s return. See “Additional Requirements for Participants in Online Filing.”
Specific Requirements for Intermediate Service Providers Participating as Resellers Providers that resell software (e.g., rebranding, white label, etc.) are also considered by the IRS as Intermediate Service Providers as they provide package deals that usually include additional services to EROs such as education and support. “Reseller” is defined as a firm that purchases software with the intent of selling it to a Tax Preparer or ERO instead of using it. An Intermediate Service Provider that only meets this role because it resells software must meet the following responsibilities to take part in IRS e-file:	Yes	No	N/A	Firm	Data Security Coordinator	Date
1. Select the role of Intermediate Service Provider on its e-file application;
2. Must not provide an EFIN with the software package sold (EROs are required to get their own EFINs);
3. Ensure that its EFIN is included in the appropriate field in the electronic return data.
Intermediate Service Providers	Yes	No	N/A	Firm	Data Security Coordinator	Date
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

All Providers must follow IRS e-file rules and requirements to continue participation in IRS e-file. Requirements are included in Revenue Procedure 2007-40, throughout this publication and in other publications and notices that govern IRS e-file (See Publication 3112, IRS e-file Application and Participation).

IRS e-file Rules and Requirements

Will you Comply with:	Yes	No	N/A	Firm	Data Security Coordinator	Date
1. Maintain an acceptable cumulative error or reject rate.
2. Follow the requirements for ensuring that tax returns are properly signed.
3. Use the standard/non-standard Form W-2 indicator.
4. Use the Tax Refund-Related Product or Financial Product indicator.
5. Include the Electronic Return Originator’s (ERO’s) Electronic Filing Identification Number (EFIN) as the return EFIN for returns the ERO submits to an Intermediate Service Provider or Transmitter.
6. Include the Intermediate Service Provider’s EFIN in the designated Intermediate Service Provider field in the electronic return record.
7. Submit an electronic return to the IRS with information that is identical to the information provided to the taxpayer on the copy of the return.
Additional Requirements for Participants in Online Filing	Yes	No	N/A	Firm	Data Security Coordinator	Date
1. Ensure that no more than five electronic returns are filed from one software package or one e-mail address.
2. Supply a taxpayer with a correct Submission ID.
Tax Refund-Related Products Providers that assist taxpayers in applying for a tax refund-related financial product should:	Yes	No	N/A	Firm	Data Security Coordinator	Date
Ensure taxpayers understand that by agreeing to a refund-related financial product they won’t receive their refund from the IRS as the IRS will send their refund to the financial institution.
Inform taxpayers that RALs are interest bearing loans and not a quicker way of receiving their refunds from the IRS.
Inform taxpayers that if the financial institution does not receive a direct deposit within the expected time frame for whatever reason, the taxpayers may be liable to the lender for additional interest and other fees, as applicable for the RAL or other tax refund-related product.
Inform taxpayers of all fees and other known deductions to be paid from their refund and the remaining amount the taxpayers will receive.
Secure the taxpayer’s written consent as specified in Treas. Reg. § 301.7216-3(a) to disclose tax information to the lending financial institution in connection with an application for a refund-related financial product.
Ensure that the tax return preparer isn’t a related taxpayer (within the meaning of Internal Revenue Code §267 or §707A) to the financial institution or other lender that makes a RAL agreement.
ERO/Transmitters should note that the IRS has changed the designations and definitions of financial products to include:	Yes	No	N/A	Firm	Data Security Coordinator	Date
1. “No Financial Product”
2. “Pre-Refund Advance Product – Taxpayer Charged an Advance Fee (RAL)”
3. “Post-Refund Financial Product (Refund Transfer – RAC)”
4. “Pre-Refund Advance Product – Taxpayer Not Charged an Advance Fee”
5. “Other/New Product”
6. “Text Field to Explain Other/New Product”
IRS e-file Rules and Requirements	Yes	No	N/A	Firm	Data Security Coordinator	Date
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

This template enables a straightforward assessment of each criterion, allowing for clear documentation of compliance with WISP requirements for remote work.