Why Employee Training is Required
Human error is the leading cause of data breaches. Phishing emails, weak passwords, accidental sharing of sensitive files — most security incidents trace back to an employee action rather than a technical failure. The FTC recognized this when it made training a specific requirement of the Safeguards Rule.
Your WISP must document that you train employees on security at onboarding and at least annually thereafter.
💡 The requirement is to train AND document. Having the training without documentation is the same as not having it as far as regulators are concerned.
What Does Training Need to Cover?
The FTC doesn't prescribe a specific curriculum. Your training should cover the risks relevant to your business. For tax preparers, that typically includes:
- Phishing awareness — how to recognize and report suspicious emails
- Password security — creating strong passwords, not sharing credentials
- Device security — locking screens, encrypting devices, not using public WiFi for client data
- Data handling — how to transmit client files securely, proper disposal of paper documents
- Incident reporting — what to do if they suspect a breach or make a mistake
- Social engineering — recognizing attempts to trick employees into revealing information
How to Conduct Training Without Spending a Lot
Option 1 — Internal Meeting (Free)
Hold a 30–45 minute team meeting covering the topics above. Walk through real examples of phishing emails. Review your password policy. Discuss what to do in a breach. Have everyone sign an attendance sheet.
Option 2 — Email Training (Free)
Send a written training document to all employees via email. Cover each topic in plain language. Ask employees to reply confirming they read and understood it. Save those replies as documentation.
Option 3 — Free Online Resources
The IRS offers free security awareness training resources specifically for tax professionals at IRS.gov. The FTC also provides free resources at consumer.ftc.gov. Have employees complete a module and print or save the completion certificate.
How to Document Training
This is the most important part. Documentation is what proves to regulators that training occurred. Keep records of:
- Date training was conducted
- What topics were covered
- Who attended (names and signatures if in person)
- Who conducted or assigned the training
A simple sign-in sheet, an email thread, or a scanned attendance record all work. Store these records for at least 3 years.
⚠️ The most common training documentation failure is informal training with no records. "We talked about it in a staff meeting" is not documentation. A dated sign-in sheet with names is documentation.
What About Solo Practitioners?
If you have no employees, you still need to document your own security awareness practices. This can be as simple as a dated note in your WISP that says: "Annual self-review of security practices conducted on [DATE] by [NAME], covering phishing awareness, password security, device encryption, and incident response procedures."
How Does This Relate to Your WISP?
Your WISP should include a section on employee training that describes your training program, your documentation method, and the name of the person responsible for conducting training. When you conduct your annual training, update your WISP to reflect the date completed.
Need Help Organizing Your WISP Documentation?
- Guided questionnaire included
- Customized WISP document
- Word & PDF versions
- Loom video walkthrough
- Delivered in 48 hours
SafeguardsReady is not a law firm and does not provide legal advice. Documents are prepared based on publicly available FTC and IRS guidance. Consult a licensed attorney for advice specific to your compliance obligations.