FREQUENTLY ASKED QUESTIONS
What is the Written Information Security Plan?
This Written Information Security Plan (WISP) is created to follow the rules of the Gramm-Leach-Bliley Act and Federal Trade Commission Financial Privacy and Safeguards Rules that apply to the business. It outlines the process for reviewing how personal information is handled, both electronically and physically, including its collection, storage, use, transmission, and protection.
A WISP is a crucial document for any organization dealing with personal information. It outlines specific security controls, processes, and policies, acting as a guide to ensure strong IT security measures, as required by several states. Additionally, it’s essential for businesses handling personal information about residents to have reasonable security procedures in line with data security laws. The number of states with such laws has doubled since 2016, showing the increasing concern about data breaches and cybercrime. Adopting a comprehensive WISP allows organizations to establish effective security procedures to reduce the risk of data breaches and manage liability in case of such incidents.
Does the IRS require a Written Information Security Plan?
Federal law mandates that you take measures to establish and prepare a data security plan to protect the taxpayer’s information.
During the application or renewal of a PTIN, the applicant acknowledges on Form W-12, Line 11, their commitment to implementing a customized data security plan to safeguard taxpayer information effectively.
How do I know if my business needs a Written Information Security Plan (WISP)?
Does your company work with any of the following information?
- Social Security number, date of birth, or employment data
- Driver’s license number or state-issued identification card number
- Income data, Tax Filing data, Retirement Plan data, Asset Ownership data, Investment data
- Financial account number, credit or debit card number, with or without security code, access code, personal identification number; or password(s) that permit access to a client’s financial accounts
- E-mail addresses, non-listed phone numbers, residential or mobile or contact information
If yes, then your business is required to implement a Written Information Security Plan (WISP).
How can I educate my team about data security best practices?
- Teach the difference between personal and business usage.
- Make it a habit to have a work account that undergoes monitoring, has limitations on installations, and uses web filtering.
- Be cautious about old-style loss and theft scenarios.
- Ensure the implementation of security patches and updates for the operating system.
What are the key components of a Written Information Security Plan (WISP)?
Here are the key components covered in the WISP:
- It identifies reasonably foreseeable internal and external risks to records containing personal information.
- A threat assessment is conducted to consider the sensitivity of personal data at risk of damage.
- Existing safeguards are evaluated to see if they sufficiently control identified security risks.
- The WISP is designed and implemented to minimize risks, meeting regulatory requirements for financial privacy and data protection.
- Regular monitoring is performed to check the effectiveness of safeguards over time.
What should I do if I suspect a data breach?
- Notify the IRS: If you are a tax preparer and experience a client data theft, reach out to your local IRS Stakeholder Liaison. They will inform the relevant parties at the IRS, including Criminal Investigation, on your behalf. Acting swiftly will enable the IRS to take measures to prevent fraudulent returns.
- Contact local authorities: As a taxpayer, contact the local police to file a report regarding the data breach.
- File a complaint with the FBI’s Internet Crime Complaint Center.
- Report to the nearest office of the Secret Service.
- State-level reporting: The Federation of Tax Administrators provides a dedicated webpage with state-by-state listings to assist tax professionals in finding where to report data security incidents at the state level.
Additionally, it is crucial to review and enhance security measures for protecting client data. Data protection plays a pivotal role in preventing data breaches.