7 Client Data Protection Standards Every Tax Firm Must Meet

Tax firms handle some of the most sensitive financial information their clients possess. With cybersecurity threats evolving and regulatory requirements tightening, protecting this data isn’t just good business practice—it’s a legal obligation with serious consequences for non‑compliance.

Recent data shows that financial services firms experience 125% more cyberattacks than other industries [6]. Tax professionals are particularly attractive targets because of the volume of personal and financial information they manage [11]. For tax firms, a data breach isn’t just a technical problem—it can destroy client trust, trigger regulatory penalties, and potentially end a practice.

This article outlines the seven essential data‑protection standards every tax firm must implement to safeguard client information and maintain compliance with IRS and FTC requirements.


1. Implement a Written Information Security Plan (WISP)

The FTC Safeguards Rule requires all tax‑return preparation firms, regardless of size, to develop and maintain a Written Information Security Plan (WISP) [1]. This isn’t optional—it’s mandatory.

What Your WISP Must Include

A comprehensive WISP should document how your firm:

  • Identifies and assesses security risks to client data
  • Designs and implements safeguards to control these risks
  • Regularly tests and monitors the effectiveness of these safeguards
  • Selects service providers capable of maintaining appropriate safeguards
  • Evaluates and adjusts the program based on testing results or operational changes

“The WISP requirement isn’t about creating paperwork—it’s about demonstrating that your firm has thoughtfully considered how to protect client data and implemented appropriate safeguards,” explains John Davis, Verito’s Chief Information Security Officer. “Many firms mistakenly believe this only applies to large practices, but the requirement applies to all tax‑preparation firms regardless of size.”

Your WISP should be tailored to your firm’s specific circumstances—including its size, complexity, and the sensitivity of the information it handles. A sole practitioner will naturally have a less‑complex plan than a 100‑member firm, but both must address the fundamental elements of data protection [1].


2. Secure Email Communications

Email remains one of the primary vectors for data breaches in tax firms. The IRS specifically recommends several email‑security measures that should be standard practice [3].

Email‑Security Fundamentals

To meet compliance standards, tax firms must:

  • Use separate personal and business email accounts
  • Protect email accounts with strong passwords and two‑factor authentication
  • Implement email encryption for messages containing sensitive client information [3]

“Email security is often overlooked because it’s so familiar, but it’s actually where many data breaches begin,” notes Sarah Thompson, Verito’s Director of Compliance. “Simple measures like separating business and personal accounts significantly reduce risk exposure.”

When implementing these measures, remember that 91% of cyberattacks begin with a phishing email [5]. Training staff to recognize these threats is just as important as the technical safeguards you put in place.


3. Deploy the IRS “Security Six” Protections

The IRS has identified six fundamental security measures that tax professionals must implement to protect client data [2]. These form the foundation of any compliant security program.

The Essential Security‑Six Components

  • Antivirus Software: Deploy commercial‑grade antivirus software and keep it updated to protect against malware threats.
  • Firewalls: Implement hardware and software firewalls to create barriers between your network and potential threats.
  • Multi‑Factor Authentication (MFA): Require MFA for all accounts that access client data, tax software, or firm systems.
  • Backup Software/Services: Maintain regular, secure backups of all client data that can be quickly restored if needed.
  • Drive Encryption: Encrypt all devices and drives containing client information to protect data if hardware is lost or stolen.
  • Virtual Private Networks (VPNs): Use a VPN when accessing client information over public networks or when working remotely.

These six elements aren’t suggestions—they represent the minimum security standards the IRS expects tax professionals to implement [2]. Firms that fail to deploy these basic protections may face scrutiny during security incidents.


4. Establish Strong Data‑Encryption Protocols

Encryption transforms readable data into a coded format that can only be decoded with the proper encryption key. For tax firms, encryption is a critical component of data protection [8].

Critical Encryption Requirements

Tax firms must implement encryption for:

  • Data at rest (stored on servers, computers, or mobile devices)
  • Data in transit (being sent via email, file sharing, or other transmission methods)
  • Backup files containing client information

“Many tax professionals don’t realize that encryption isn’t just about preventing hackers from reading your data—it’s also about compliance,” explains Michael Roberts, Verito’s Head of Product Development. “If you experience a breach but can prove the data was properly encrypted, you may avoid the requirement to report the breach in certain jurisdictions.”

When selecting encryption solutions, look for those that use current standards like AES‑256 encryption and that integrate seamlessly with your tax software and workflows [8].
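The following is an added illustration of what "AES‑256 encryption for data at rest" looks like in practice; it is example code written for this article, not code from Verito or any tax‑software vendor. It uses Go's standard library to seal a client record with AES‑256‑GCM, which both encrypts the data and detects any tampering with the stored file. The record contents, the file name used as associated data, and the in‑memory key are constructed sample values; in a real deployment the key would come from a key‑management service or the operating system's key store, never from a file next to the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes, i.e. AES-256 as recommended in the text.
const KeySize = 32

// NewKey generates a random 256-bit key. Assumption for this example only:
// a real firm would fetch the key from a KMS or OS key store, not generate
// it inline beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals a client record with AES-256-GCM. The output layout is
// nonce || ciphertext || tag. The associated data (here the file name) is
// authenticated but not encrypted, so a sealed file cannot be silently
// renamed and passed off as another client's record.
func Encrypt(key, plaintext, associated []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must be unique per key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, associated), nil
}

// Decrypt opens a record produced by Encrypt. Any change to the nonce,
// ciphertext, tag or associated data makes authentication fail, so a
// corrupted or altered backup is rejected rather than decrypted to garbage.
func Decrypt(key, sealed, associated []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, associated)
}

// TamperDetected flips one byte of a sealed record and reports whether
// Decrypt correctly refused it.
func TamperDetected(key, sealed, associated []byte) bool {
	corrupt := append([]byte(nil), sealed...)
	corrupt[len(corrupt)-1] ^= 0x01
	_, err := Decrypt(key, corrupt, associated)
	return err != nil
}

func main() {
	// Constructed sample record; no real client data.
	key, _ := NewKey()
	record := []byte("client=Example Taxpayer; tin=000-00-0000; year=2024")
	name := []byte("client-0001.json")
	sealed, _ := Encrypt(key, record, name)
	back, _ := Decrypt(key, sealed, name)
	fmt.Printf("round trip ok: %v, tamper detected: %v\n",
		bytes.Equal(record, back), TamperDetected(key, sealed, name))
}
```

The practical point for a compliance reviewer is the last two checks: a backup or laptop image encrypted this way is unreadable without the key, and any bit flipped in storage or transit is reported as an error instead of being silently accepted.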


5. Implement Access Controls and Authentication

Not everyone in your firm needs access to all client data. Implementing proper access controls ensures that staff members can only access the information necessary for their specific roles [8].

Access‑Control Best Practices

To meet compliance standards, your firm should:

  • Assign unique user IDs to each employee
  • Implement role‑based access controls
  • Require strong passwords that are regularly changed
  • Use multi‑factor authentication for all systems containing client data
  • Promptly remove access when employees leave the firm

“The principle of least privilege should guide your access‑control strategy,” advises David Wilson, Verito’s Security Architect. “Each staff member should have access only to the client data they need to perform their job—nothing more.”

Regular access reviews should be conducted to ensure that permissions remain appropriate as staff roles change and as clients come and go from your practice.
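To make the access‑control practices above concrete, here is an added example, written for this article and not taken from Verito or any tax product, of a minimal role‑based model with a single authorisation check and a periodic access review. The roles, permissions and users are constructed sample data. The review flags the conditions the list above cares about: departed staff who still hold access, accounts without MFA, shared or duplicate user IDs, and permissions granted directly to a person outside their role (the usual way least privilege erodes over time).

```go
package main

import (
	"fmt"
	"sort"
)

// Permission names are illustrative for a tax practice (constructed example).
type Permission string

const (
	ReadReturns Permission = "returns:read"
	EditReturns Permission = "returns:edit"
	SignReturns Permission = "returns:sign"
	ManageUsers Permission = "admin:users"
	ViewBilling Permission = "billing:view"
)

// RolePermissions is the one place access is granted: least privilege means
// each role carries only what that job function needs. Sample roles only.
var RolePermissions = map[string][]Permission{
	"preparer":   {ReadReturns, EditReturns},
	"reviewer":   {ReadReturns, SignReturns},
	"admin-it":   {ManageUsers},
	"bookkeeper": {ViewBilling},
}

// User is one employee account. Assumed fields for this example.
type User struct {
	ID         string       // unique per employee; never a shared login
	Role       string       // exactly one role per account
	Active     bool         // false once HR records the person as departed
	Extra      []Permission // direct grants outside the role; should be rare
	MFAEnabled bool
}

// CanAccess is the single authorisation check used by every system.
// Inactive accounts get nothing; active ones get their role plus any
// direct grants, which the review below will flag for justification.
func CanAccess(u User, p Permission) bool {
	if !u.Active {
		return false
	}
	for _, rp := range RolePermissions[u.Role] {
		if rp == p {
			return true
		}
	}
	for _, ep := range u.Extra {
		if ep == p {
			return true
		}
	}
	return false
}

// ReviewAccess produces the findings a scheduled access review should raise.
// Each finding names the account and the action to take.
func ReviewAccess(users []User) []string {
	var findings []string
	seen := map[string]bool{}
	for _, u := range users {
		if seen[u.ID] {
			findings = append(findings, u.ID+": duplicate user ID (shared account?); issue individual IDs")
		}
		seen[u.ID] = true
		if _, ok := RolePermissions[u.Role]; !ok && u.Active {
			findings = append(findings, u.ID+": unknown role "+u.Role+"; assign a defined role")
		}
		if !u.Active && (u.Role != "" || len(u.Extra) > 0) {
			findings = append(findings, u.ID+": departed but still holds role/permissions; remove access")
		}
		if u.Active && !u.MFAEnabled {
			findings = append(findings, u.ID+": MFA not enabled; enforce before next login")
		}
		for _, p := range u.Extra {
			findings = append(findings, fmt.Sprintf("%s: direct grant %q outside role %s; justify or remove", u.ID, p, u.Role))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed sample roster, not real staff.
	users := []User{
		{ID: "alice", Role: "preparer", Active: true, MFAEnabled: true},
		{ID: "bob", Role: "reviewer", Active: false, MFAEnabled: true},
		{ID: "carol", Role: "bookkeeper", Active: true, Extra: []Permission{ReadReturns}},
	}
	for _, f := range ReviewAccess(users) {
		fmt.Println(f)
	}
}
```

Running the review on a real export from the firm's identity provider and tax‑software admin console before each tax season gives the documented evidence of "regular access reviews" that a WISP auditor will ask for.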


6. Conduct Regular Security Training

The human element remains the weakest link in most security systems. Regular, comprehensive security training for all staff members is essential for maintaining a strong security posture [3].

Training Requirements for Compliance

Your security‑training program should cover:

  • Recognizing and avoiding phishing attempts
  • Proper handling of sensitive client information
  • Password‑management best practices
  • Secure use of mobile devices and remote access
  • Procedures for reporting suspected security incidents

Training shouldn’t be a one‑time event. Schedule regular refresher sessions—especially before tax season, when attacks against tax professionals typically increase [5]. Consider conducting simulated phishing tests to identify staff members who may need additional training.


7. Develop an Incident‑Response Plan

Despite your best efforts, security incidents can still occur. Having a well‑documented incident‑response plan ensures that your firm can react quickly and effectively to minimize damage [9].

Components of an Effective Incident‑Response Plan

Your plan should include:

  1. Clear definitions of what constitutes a security incident
  2. Step‑by‑step procedures for containing and mitigating the incident
  3. Assigned roles and responsibilities during an incident
  4. Communication protocols for notifying affected clients and authorities
  5. Procedures for documenting the incident and response actions
  6. Steps for reviewing and improving security measures after an incident

“Many firms focus exclusively on prevention but neglect to plan for response,” notes Anubhav Agrawal, Verito’s Compliance Manager. “A well‑executed response can be the difference between a minor incident and a practice‑ending disaster.”

Review and test your incident‑response plan regularly through tabletop exercises where team members walk through their responses to simulated incidents.


Meeting Compliance Standards with Cloud Solutions

For many tax firms, maintaining the technical expertise and infrastructure to meet these seven standards in‑house is challenging. Cloud solutions purpose‑built for tax professionals can help bridge this gap [10].

Compliance Requirement | Traditional In‑House Approach | Cloud‑Hosting Advantage
WISP Implementation | Requires significant IT expertise to develop and maintain | Provider supplies templates and manages many technical controls
Email Security | On‑premises email servers or separate cloud‑security stack | Integrated email security with encryption and authentication
IRS Security Six | Purchase and configure multiple security tools | Comprehensive security suite included and managed by provider
Data Encryption | Complex key management and implementation | Automatic encryption for data at rest and in transit
Access Controls | Manual user management across multiple systems | Centralized identity management with role‑based access
Security Training | Develop and deliver custom training programs | Access to professional training resources and materials
Incident Response | Build in‑house expertise for rare events | 24/7 security monitoring and incident‑response support

“The compliance burden for tax firms has increased dramatically in recent years,” explains Jatin Narang, Verito’s CEO. “Cloud solutions designed specifically for tax professionals can significantly reduce this burden by building compliance into the infrastructure.”


When evaluating cloud providers, look for those with specific experience serving tax and accounting firms, SOC 2 Type II compliance, and a demonstrated understanding of IRS and FTC requirements [10].


Taking Action: Next Steps for Your Firm

Implementing these seven data‑protection standards may seem daunting, but the alternative—non‑compliance and increased risk of data breaches—is far worse. Here’s how to get started:

  1. Assess your current security posture against these seven standards.
  2. Prioritize addressing any gaps, starting with the WISP requirement.
  3. Determine whether your current IT infrastructure can support these requirements.
  4. Evaluate whether a purpose‑built cloud solution might simplify compliance.
  5. Develop a timeline for implementing any missing controls.

Remember that compliance isn’t a one‑time project but an ongoing process. As regulations evolve and new threats emerge, your security measures must adapt accordingly.

Tax firms that make client‑data protection a priority not only avoid regulatory penalties but also build stronger client relationships based on trust and confidence. In today’s security‑conscious environment, this can become a significant competitive advantage.

By implementing these seven essential data‑protection standards, your tax firm can demonstrate its commitment to safeguarding client information while meeting regulatory requirements. Whether you choose to build these capabilities in‑house or leverage purpose‑built cloud solutions, the important thing is to start strengthening your security posture today.


Works Cited

[1] Federal Trade Commission. FTC Safeguards Rule: What Your Business Needs to Know. FTC.gov.
[2] Internal Revenue Service. Tax Pros: Follow the “Security Six” Steps to Help Protect Taxpayer Data. IRS.gov.
[3] Internal Revenue Service. Publication 4557 — Safeguarding Taxpayer Data: A Guide for Your Business. IRS.gov (PDF).
[4] Internal Revenue Service. Publication 5708 — Creating a Written Information Security Plan (WISP) for Your Tax Practice. IRS.gov (PDF).
[5] Verizon. 2024 Data Breach Investigations Report. Verizon Business (PDF).
[6] Lookout, Inc. Financial Services Experienced 125 Percent Surge in Exposure to Mobile Phishing Attacks in 2020. SecurityMagazine.com.
[7] Boston Consulting Group. Global Wealth 2019: Re‑igniting Radical Growth. BCG.com (PDF).
[8] National Institute of Standards and Technology. SP 800‑111 — Guide to Storage Encryption Technologies for End‑User Devices. NIST.gov.
[9] National Institute of Standards and Technology. SP 800‑61 r2 — Computer Security Incident Handling Guide. NIST.gov (PDF).
[10] American Institute of CPAs. SOC for Service Organizations Engagements — Overview (SOC 2® Type II). AICPA.org.
[11] Filing Your Taxes? Watch Out for Phishing Scams. Wired.com, 2023.
[12] New York Federal Reserve. Cyber Risk and the U.S. Financial System: A Pre‑Mortem Analysis (Staff Report 909). NYFed.org.
