Practitioners need a written information security plan

By Susan C. Allen, CPA/CITP, CGMA

Data security continues to be a hot topic for tax professionals and the IRS. That is because tax practitioners and their clients continue to be frequent targets of data breaches. Although the IRS has implemented many successful tactics to fight tax refund fraud, more work is needed, especially as cyberthieves continue to become more sophisticated. The IRS is partnering with the practitioner community to combat this epidemic.

The IRS's Protect Your Clients; Protect Yourself campaign raises practitioners' awareness of their responsibilities and the common-sense steps they can take to protect their clients from identity theft and, in turn, their tax practice and livelihood. Steps such as protecting email accounts with strong passwords, implementing two-factor authentication, and having anti-phishing security tools are imperative. Review IRS Publication 4557, Safeguarding Taxpayer Data, for additional best practices.

Under the Gramm-Leach-Bliley Act (GLBA) safeguards rule, tax preparers must implement security plans to protect client data. Failure to do so may result in a Federal Trade Commission investigation. Although the GLBA, also known as the Financial Services Modernization Act of 1999, P.L. 106-102, has been around for quite some time, many practitioners have been unaware they are required to develop a written information security plan that describes how their firm is prepared to protect clients' nonpublic personal information.

The IRS, aware of the confusion in the profession, boosted its efforts to remind practitioners of this responsibility, issuing several recent email alerts to the practitioner community. Additionally, in mid-October 2019, when practitioners were starting to renew their preparer tax identification numbers, they noticed a statement on data security responsibilities added to the renewal process. Practitioners were instructed to check a box to confirm their awareness of their responsibility to have a data security plan and to provide data and system security protections for all taxpayer information.

In response to many recent requests from members, the AICPA Tax Section developed a GLBA information security plan template that Tax Section members can download and customize to comply with the safeguards rule contained in the GLBA.


In addition to the GLBA safeguards rule, tax practitioners should keep in mind other client data security responsibilities.

  • Sec. 7216 is a criminal provision that prohibits preparers from knowingly or recklessly disclosing or using tax return information. See the AICPA Tax Section's Sec. 7216 guidance and templates to aid with compliance.
  • Treasury Circular No. 230, Regulations Governing Practice Before the IRS (31 C.F.R. Part 10), requires practitioners to exercise due diligence in preparing returns or other documents related to a federal tax matter. A violation could subject a practitioner to censure, suspension, or disbarment from practice before the IRS.
  • The AICPA Code of Professional Conduct addresses member responsibilities to keep client information confidential and secure.
  • In accordance with best business practices, including practices contained in the Privacy Management Framework, a firm should publish its privacy statement on its website.
  • Depending on a practitioner's focus areas, he or she may need to adhere to other privacy requirements such as those for health-related information.

As the IRS has noted, combating today's cybercriminals requires everyone to work together. Practitioners play a significant role in data security and should continue to assess, improve, and document their processes to keep client data safe.

For a detailed discussion of the issues in this area, see "Tax Practice & Procedures: IRS Spotlights Practitioner Requirement to Have a Written Information Security Plan," in the January 2020 issue of The Tax Adviser.

— Susan C. Allen, CPA/CITP, CGMA, the Association's senior manager, Tax Practice & Ethics—Public Accounting

The Tax Adviser is the AICPA's monthly journal of tax planning, trends, and techniques.

Also in the January issue:

  • A look at the current state of the business meal expense deduction.
  • A discussion of information return penalties.
  • A celebration of The Tax Adviser's 50th anniversary.

AICPA members can subscribe to The Tax Adviser for a discounted price of $85 per year. Tax Section membership includes a one-year subscription to The Tax Adviser.
