PTIN renewal comes around every year, and you’ve done it enough times to move fast: name, address, the felony question, the tax-compliance question. Line after line you could answer half-asleep.
Then Line 11.
Data Security Responsibilities. “I am aware that paid tax return preparers are required by law to create and maintain a written information security plan that provides data and system security protections for all taxpayer information.”
You must check a box, Yes or No. The form adds one pointer: See IRS Publication 5708 and 4557 for more information about your responsibilities.
Elsewhere on the form you sign, under penalties of perjury, that the application is true, correct, and complete. Nothing asks you to attach the plan itself. The box deserves ten minutes of honest thought anyway; here is why.
What Line 11 asks
Read the item slowly. The question is whether you are aware that the law requires a written plan, not whether the plan exists yet. Written. Created and maintained: two verbs, meaning the document exists and gets kept current.
So Line 11 is an awareness attestation. A preparer with no plan written can still check Yes truthfully, because the honest answer to “are you aware of the requirement” may well be yes. The perjury declaration covers the form’s answers, and this answer is about your awareness, not the state of your filing cabinet. Checking the box establishes nothing about compliance in either direction; the Safeguards Rule is what requires the program itself.
What checking Yes does is close a door. From that point on, the one claim you can never make is that nobody told you. Ignore the obligation afterward and you ignore it on the record: your awareness of the duty, attested in a federal filing, once a year.
The item is not new. It has been on the W-12 for several years, and the wording has grown more direct with revision: earlier versions asked you to confirm awareness of a “legal obligation to have a data security plan,” while the current form (Rev. October 2025) spells out required by law to create and maintain a written information security plan.
Where the requirement comes from
The requirement starts with the Gramm-Leach-Bliley Act rather than with the IRS. GLBA is the federal law that requires financial institutions to protect customer data; the Federal Trade Commission turned that mandate into the Safeguards Rule, 16 CFR Part 314. The rule’s own definitions settle the question of whether it reaches you:
“An accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution because tax preparation services is a financial activity.”
The rule expressly treats a practice in the business of completing income-tax returns as a financial institution for its purposes, and it requires covered institutions to maintain an information security program in writing. That is the law Line 11 points at.
The IRS’s part is reinforcement. Publication 4557, Safeguarding Taxpayer Data, explains the responsibilities. Publication 5708 is a free, fillable WISP template written for tax and accounting practices. The Security Summit’s “Security Six” lists six basic protections: antivirus, firewall, two-factor authentication, backups, drive encryption, VPN. And Line 11 records your awareness, annually.
If you want the full rule unpacked, we’ve translated it separately: The FTC Safeguards Rule for accounting firms, translated. This guide stays on the document itself.
Inside a real WISP
Shorter and plainer than the name suggests. A good one for a ten-person firm holds six things.
A name on the first page. One person owns the plan, by name, not by title.
An inventory of where taxpayer data actually lives: the tax software, the document system, the portal, email, the laptops, the old server in the closet, the paper files in the basement. Most firms have never written this list, and it runs longer than expected.
What could go wrong. A short, honest risk list: a stolen laptop, a phished login, a preparer who leaves in April, ransomware on the file server. It should read like your firm, not like a textbook.
The protections, in plain sentences. Who can access what. Where multi-factor authentication is on. Which drives are encrypted. How client documents move in and out. How backups run and how you know they restore. How old records are destroyed.
The bad-day page. Who gets the first call when something looks wrong, who determines which notifications the law requires for that incident, and verified numbers for counsel, the insurance carrier, law enforcement, and the IRS.
Vendors, training, and a review date. Who else touches the data, how people learn the rules, and when the plan gets re-read.
The IRS frames the whole exercise as three areas: employee management and training, information systems, and detecting and managing system failures. Length is not the test. Cover those areas accurately, against your actual systems and risks, and the page count takes care of itself.
Write the floor, not the ceiling
Here’s the part most WISP advice gets backwards.
A WISP gets its closest reading on the worst day: after the laptop goes missing, during the insurance claim, in an FTC inquiry, at a deposition. On that day, every sentence in it functions as a claim that someone else gets to test against reality.
So the plan should describe your floor, the things your firm actually and consistently does, including the second week of March. Aspirations don’t belong in it, and neither does the template author’s imaginary firm.
Watch the difference. Ceiling language:
“All client data is encrypted at all times. All staff complete annual security training.”
The sentences are tidy and absolute. Now let them be read on the worst day, next to one unencrypted home laptop and a training session that got skipped during a brutal season. You’ve published two false statements about your own firm, in your own plan, and handed them to whoever is deciding your claim.
The floor version:
“Client files are stored in [document system], which encrypts them in transit and at rest. Client documents leave the firm through our portal, not email attachments. New staff read this plan before receiving logins, and everyone re-reads it each January before season.”
Each of those sentences can survive a hostile reading: named system, named practice, no “all,” no “always.” A sentence that names a specific control in a specific place can be defended. A universal promise fails the moment someone finds one exception.
The other half of the rule: run the practice above the paper. Write “each January,” then also do a refresher in the summer. Write the specific encryption claim, then also encrypt the drive on the partner’s home machine that technically never stores client files. What you should not do is cure an overstated plan by deleting a safeguard the rule requires you to have. If the plan claims a control that doesn’t exist, either build the control or rewrite the sentence to say what is true today, with a name and a date on closing the gap.
Borrowed templates hide the same trap in bulk: pasted language about “quarterly access reviews” nobody has ever run. Describe what the firm does now, accurately, and give every gap an owner and a deadline.
The scare-selling you can ignore
Renewal season brings the emails: IRS WISP DEADLINE. Compliant by tonight, $199, IRS-approved. The requirement is real; the panic is merchandise. Start with what’s free: Publication 5708 is the IRS’s own WISP template, built for tax and accounting practices, and it costs nothing. If a seller says its product is “IRS-approved” or “IRS-certified,” ask where the IRS says so, and check. And bought or homemade, the test is the same. Keep only language that matches how your firm runs, and confirm the document covers each requirement that applies to you. A template with your firm’s name pasted into the blanks hasn’t passed either part.
Search your plan for “always”
Here’s a task sized for a spare half hour, even in March. Open the WISP, or the template you bought, and search it for “all,” “always,” “every,” “continuously,” and each stated cadence: “quarterly,” “annually.” For every hit, do one of two things: attach the evidence that makes it true (the report, the log, the calendar entry), or rewrite the sentence until it describes what the firm actually does. Then put the next re-read on the calendar before you close the file.
Expect the first pass to be mostly deletion. What survives is shorter, and it’s true. The re-read date matters more than it looks, too: systems drift, and a plan that was accurate in 2023 quietly stops being accurate without anyone deciding anything.
If Line 11 is on your desk and the plan is thin, borrowed, or unwritten, book a fifteen-minute WISP triage. Bring the draft (or the blank page) and a list of your systems; you’ll leave knowing the three statements most in need of evidence or a rewrite. Book a call.
