Sooner or later it gets cited at you: by the instructions under Line 11 of the W-12, by an insurance application, by a colleague with “have you seen this.” IRS Publication 4557, Safeguarding Taxpayer Data. You download it, see twenty-one pages, and file it under someday.
We read the current one this week, cover to cover, so your someday can go to something better. Six of its sentences do the real work; the rest is commentary and checklists. Here are the six, quoted exactly from the revision posted at irs.gov today (Rev. 6-2024, if you want to check our homework).
One.
“Protecting taxpayer data is the law.”
Page 3, and the paragraph behind it shows its work: the Gramm-Leach-Bliley Act, the FTC’s Safeguards Rule, and a definition of “financial institutions” that includes professional tax preparers. Every checklist in the remaining pages hangs off it.
Two.
“The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information.”
The noun the whole document orbits: the written plan, the WISP. Everything else in it is either an input to that plan or a test of it. If Line 11 already made you write one honestly, most of 4557 reads like a mirror. (The plan itself, and the box you check about it, get the slow treatment in Line 11, in plain English.)
Three.
“Implement multi-factor authentication for anyone accessing customer information on your system.”
The one control the publication declines to soften. Page 13 circles back and adds: “This is required for all companies regardless of size.” Regardless of size means the two-partner shop. Anyone means the founding partner and whoever remotes in on Saturdays.
Four.
“Back up sensitive data to a safe and secure external source not connected fulltime to a network.”
The words earning their keep are “not connected fulltime.” A backup drive that lives in the USB port gets encrypted right alongside the originals on the day ransomware arrives. Separation is what makes a backup a backup.
Five.
“You or your firm may be a victim and not even know it.”
The quiet one, page 8, and under it sits the most practical list in the publication: client e-files rejecting because a return with that Social Security number already went in, clients receiving IRS authentication letters they never requested, the return count on your EFIN running higher than the number you actually filed. The last one is checkable: the IRS will show you weekly filing counts for your EFIN, and for your PTIN if you file fifty or more returns. Two minutes on a Monday, in season.
Six.
“Tax practitioners should report data losses or thefts immediately to the IRS so that appropriate precautions can be made to protect clients from fraudulent returns being filed in their names.”
The reason for the hurry is the second half of the sentence: reported early, the IRS can put protections on your clients’ accounts before fraudulent returns start arriving under their numbers. The call goes to your local IRS Stakeholder Liaison, and the same page lists the rest of the bad-day phone tree: FBI, local police, state agencies, your insurer. Names a rough Tuesday should not have to go looking for.
Where your WISP already answers them
Hold the six against a working WISP; the mapping runs nearly one to one.
| The line | Where it lives in the plan |
|---|---|
| “Protecting taxpayer data is the law” | The first page: why the plan exists, and whose name owns it |
| The written-plan requirement | The document itself; its existence is the answer |
| MFA for anyone | The protections section: the sentence naming where MFA is on, with no quiet exceptions |
| Backups “not connected fulltime” | The backup paragraph: where copies live, and the date of the last restore someone watched |
| “may be a victim and not even know it” | The monitoring lines: who checks the EFIN and PTIN counts, and on which weekday |
| Report immediately | The bad-day page: the Stakeholder Liaison and the insurer, written down in advance |
A row with nothing to point to is a gap, and a gap wants an owner and a date. The rest of the publication is the IRS’s suggestion list for filling it.
What the other twenty pages are doing
Checklists, sincerely meant. Password rules. Router settings, including the advice to lower your Wi-Fi transmit power so the office stops broadcasting into the parking lot, which is the IRS teaching your firm to whisper. A field guide to phishing. The FTC’s plan-building checklist, rendered with ONGOING, DONE and N/A checkboxes across three areas: employee management and training, information systems, detecting and managing system failures. And a glossary on page 18 that defines the word “Encrypt,” which tells you who the IRS knew would be reading. The right call, we think. Nobody is born knowing this material, and plenty of careful preparers run firms small enough that nobody ever taught them.
Skim those pages once, off-season, pen in hand. Then put the PDF away and keep the six lines.
If you’d like a second reader, bring your WISP and this page to a fifteen-minute call. We’ll tell you which rows already hold and which need a date. Book a call.
