What is IRS Publication 4557?
Publication 4557, titled "Safeguarding Taxpayer Data — A Guide for Your Business," is the IRS's official data security guide for tax professionals. It outlines the security measures the IRS expects every tax preparer to have in place to protect taxpayer information.
First published in 2004 and updated multiple times since, Publication 4557 reflects decades of IRS experience with data breaches targeting tax preparers — which remain one of the most common cybercrime targets in the financial industry.
Who Does It Apply To?
Publication 4557 applies to all tax professionals who handle taxpayer data, including:
- Enrolled Agents (EAs)
- Certified Public Accountants (CPAs)
- Tax attorneys
- Independent tax preparers
- Bookkeepers who prepare returns
- Any business that prepares taxes for compensation
💡 There is no minimum size threshold. A solo tax preparer working from home has the same Publication 4557 obligations as a large CPA firm.
What Does Publication 4557 Require?
The publication covers six core areas of data security:
1. Create a Written Information Security Plan (WISP)
This is the most important requirement. The IRS explicitly states that every tax professional must create and maintain a WISP — a formal document describing your security program.
2. Protect Against Cybersecurity Threats
Tax preparers must use antivirus software, enable firewalls, apply software updates promptly, and use encrypted connections when transmitting taxpayer data.
3. Control Access to Taxpayer Data
Only authorized individuals should access client data. This means unique logins, strong passwords, and multi-factor authentication (MFA) — which the IRS now strongly recommends for all tax software.
4. Train Employees
All staff with access to taxpayer data must receive security awareness training. This includes recognizing phishing attempts, handling data securely, and knowing what to do in a breach.
5. Manage Service Providers
Any third-party vendor with access to your client data must have appropriate security measures in place. Written agreements are required.
6. Respond to Security Incidents
Tax preparers must have a documented plan for responding to data breaches — containing the breach, notifying affected clients, and reporting to the IRS Stakeholder Liaison.
⚠️ If you experience a data breach, you are required to contact the IRS Stakeholder Liaison immediately — even before notifying clients in some cases.
How Does Publication 4557 Relate to the FTC Safeguards Rule?
They work together. The FTC Safeguards Rule is the federal law that legally requires the security program. IRS Publication 4557 is the IRS's guidance on how to implement it specifically for tax professionals. A properly written WISP satisfies both requirements simultaneously.
What's the Connection to PTIN Renewal?
Every tax preparer must renew their PTIN annually using Form W-12. Line 11 of that form asks you to certify — under penalty of perjury — that you have implemented the data security requirements including a WISP. Without a WISP, you cannot truthfully complete your renewal.
Need Help Organizing Your WISP Documentation?
- Guided questionnaire included
- Customized WISP document
- Word & PDF versions
- Loom video walkthrough
- Delivered in 48 hours
SafeguardsReady is not a law firm and does not provide legal advice. Documents are prepared based on publicly available FTC and IRS guidance. Consult a licensed attorney for advice specific to your compliance obligations.