Upholding Professional Responsibility and Data Security: The Necessity of a Written Information Security Plan
In the realm of professional obligations, practitioners, including attorneys, certified public accountants, enrolled agents, and tax return preparers engaged in the Internal Revenue Service’s Annual Filing Season Program, are mandated to adhere to Circular 230. This set of regulations, which governs the practice before the Internal Revenue Service (IRS), is overseen and enforced by the IRS’s Office of Professional Responsibility (OPR).
Understanding Circular 230 and Data Security Obligations
Circular 230 encompasses several provisions that directly relate to a practitioner’s responsibilities concerning data security and the protection of confidential client information. These provisions not only align with the privacy and penalty provisions of the Internal Revenue Code, including the penalties outlined in IRC 6713 (civil) and IRC 7216 (criminal) for unauthorized disclosure of taxpayer information, but they also correspond with nontax legislation enacted in 1999. This legislation granted the Federal Trade Commission (FTC) the power to formulate regulations that mandate data safeguarding requirements for various businesses, including professional tax return preparers.
This article aims to shed light on how the FTC’s implementing regulations, along with the IRS’s complementary guidance, influence the duties and restrictions imposed on tax practitioners by Circular 230.
The Importance of a Written Information Security Plan
According to federal law, which is enforced by the FTC, tax preparers are obligated to develop and maintain a written information security plan, commonly known as a WISP. The creation of a WISP is instrumental in protecting businesses and their clients, offering a clear course of action in the event of a security incident. Moreover, a WISP can prove invaluable in the face of events that significantly disrupt a tax professional’s ability to conduct regular business, such as natural disasters or theft.
Consequences of Neglecting a WISP
The absence of a WISP to safeguard private financial information can lead to severe consequences. Not only does it put clients at risk for identity theft and fraud, but it may also expose a practitioner to liability for violating the Safeguards Rule and the conditions of their malpractice insurance coverage. Furthermore, in cases of willful neglect, a practitioner may face discipline under Circular 230.
Given the competence requirement outlined in section 10.35 and the obligation imposed by section 10.36 to have procedures in place to ensure compliance with Circular 230 by all those involved in a tax practice, it is strongly advised that practitioners pay close attention to the requirement to adopt a WISP and implement suitable data security programs.