
IRS Safe Harbor IT Requirements for Tax Professionals: What Publication 4557 Actually Requires

IRS Publication 4557 outlines the data security practices that protect tax professionals from liability after a breach. Here's what it requires in practice.

Quick Answer

IRS Publication 4557 ("Safeguarding Taxpayer Data") outlines recommended data security practices for tax professionals. Implementing these practices creates a safe harbor defense if client data is compromised. Requirements include: a written information security plan (WISP), strong passwords and MFA, encrypted data transmission, secure physical access, employee training, identity theft response plan, and vendor security agreements. The IRS specifically requires MFA for all e-services and recommends it for all systems accessing taxpayer data.

What Publication 4557 Is and Why It Matters

IRS Publication 4557 ("Safeguarding Taxpayer Data: A Guide for Your Business") is the IRS's compilation of recommended data security practices for tax professionals. It's not a law — but it has significant practical importance:

  • Implementing its recommendations creates a de facto safe harbor in IRS enforcement actions following data breaches
  • It aligns with the FTC Safeguards Rule requirements (see our guide on CPA firm data security), so compliance with one advances compliance with the other
  • It informs what the IRS considers "reasonable security" for purposes of determining whether a firm is liable for fraudulent returns filed with stolen client data
  • State tax agencies reference Publication 4557 in their own data security guidance

The Written Information Security Plan (WISP)

Publication 4557 places the Written Information Security Plan (WISP) at the center of a tax professional's security program. The IRS has even published a free WISP template (available at irs.gov/tax-professionals). Your WISP must include:

  • Name and contact information for the employee responsible for the security program
  • How and where customer information is stored, accessed, and transmitted
  • Specific security policies for each risk area
  • Employee training requirements and schedule
  • Procedures for reporting and responding to security incidents
  • Annual review schedule

The WISP should be a living document — updated annually and whenever systems or processes change. A WISP that describes software you no longer use or processes that have changed is worse than a simple, current document.

Required Technical Controls

Multi-Factor Authentication

The IRS explicitly requires MFA for all IRS e-services accounts and recommends it for all systems containing taxpayer data:

  • IRS e-file (eFile provider portal)
  • IRS Transcript Delivery System (TDS)
  • IRS e-services (IVES, TIN Matching)
  • Tax software (all major platforms support MFA — enable it)
  • Email containing client tax information
  • Document management and client portals

Encryption

  • Encrypt taxpayer data in transit — use secure email (TLS), secure file transfer, or a client portal for sending tax documents. Never email unencrypted tax documents as plain attachments.
  • Encrypt data at rest — full disk encryption (BitLocker on Windows, FileVault on Mac) on all devices storing taxpayer data, including laptops and external drives

Strong Authentication and Access Controls

  • Minimum password length: 12 characters (the IRS recommends "complex" passwords; modern guidance emphasizes length over complexity)
  • Unique credentials per employee — no shared accounts
  • Limit access to taxpayer data on a need-to-know basis
  • Deactivate accounts immediately when employees leave
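The four access-control items above can be checked mechanically at each quarterly review. The following script is an added example, not code from the page, from the IRS, or from Publication 4557; the roster, the account list, the review date, the `TAXPAYER_DATA_ROLES` need-to-know policy and the `Employee`/`Account` structures are all constructed assumptions. It enforces the 12-character minimum by length alone, flags logins with more than one owner (shared credentials), flags taxpayer-data access held by a role outside the need-to-know set, and flags active accounts whose owner has already left.

```python
"""Quarterly access review for accounts that can reach taxpayer data.

Added example (not from IRS Publication 4557 or the page's author). The
roster, accounts and password samples below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MIN_PASSWORD_LENGTH = 12

# Assumed need-to-know policy: only these roles may hold taxpayer-data access.
TAXPAYER_DATA_ROLES = {"preparer", "reviewer", "partner"}


@dataclass
class Employee:
    name: str
    role: str
    end_date: Optional[date] = None  # None while still employed


@dataclass
class Account:
    username: str
    owners: List[str]           # more than one owner means a shared login
    taxpayer_data_access: bool
    active: bool


def password_meets_policy(password: str) -> bool:
    """Length is the control; no character-class composition rules."""
    return len(password) >= MIN_PASSWORD_LENGTH


def review_accounts(employees, accounts, today):
    """Return (username, reason) pairs for accounts that violate the policy."""
    roster = {e.name: e for e in employees}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.active:
            continue  # already deactivated; nothing to do
        if len(acct.owners) != 1:
            findings.append((acct.username, "shared login: issue one credential per employee"))
            continue
        owner = roster.get(acct.owners[0])
        if owner is None:
            findings.append((acct.username, "owner not on the HR roster"))
        elif owner.end_date is not None and owner.end_date <= today:
            findings.append((acct.username, f"owner left on {owner.end_date}: deactivate now"))
        elif acct.taxpayer_data_access and owner.role not in TAXPAYER_DATA_ROLES:
            findings.append((acct.username, f"role '{owner.role}' has no need-to-know for taxpayer data"))
    return findings


# Constructed sample roster and account list (hypothetical people and logins).
EMPLOYEES = [
    Employee("Ana Ruiz", "preparer"),
    Employee("Ben Cho", "receptionist"),
    Employee("Cal Ito", "reviewer", end_date=date(2024, 4, 30)),
]
ACCOUNTS = [
    Account("aruiz", ["Ana Ruiz"], taxpayer_data_access=True, active=True),
    Account("bcho", ["Ben Cho"], taxpayer_data_access=True, active=True),
    Account("cito", ["Cal Ito"], taxpayer_data_access=True, active=True),
    Account("frontdesk", ["Ana Ruiz", "Ben Cho"], taxpayer_data_access=False, active=True),
    Account("old_temp", ["Dee Fox"], taxpayer_data_access=True, active=False),
]
REVIEW_DATE = date(2024, 6, 1)  # constructed review date


def run_access_review():
    return review_accounts(EMPLOYEES, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for username, reason in run_access_review():
        print(f"{username}: {reason}")
```

On the constructed data the review reports three accounts: `bcho` (a receptionist holding taxpayer-data access), `cito` (owner left in April but the login is still active) and `frontdesk` (two people behind one credential). Feed it the firm's real roster export and account list, and the output becomes the action list for the WISP's annual review.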

Secure Physical Access

  • Lock screens when leaving workstations unattended
  • Lock offices and cabinets containing physical tax documents
  • Secure disposal: shred paper documents, use certified hard drive destruction for old computers
  • Control visitor access to areas where taxpayer data is visible or accessible

The Identity Theft Affidavit Procedure

Publication 4557 includes specific guidance on what to do if a client's identity is stolen and fraudulent returns are filed. Tax professionals need a procedure for:

  1. Notifying affected clients immediately
  2. Filing Form 14039 (Identity Theft Affidavit) on behalf of clients
  3. Contacting the IRS Identity Theft Specialized Unit
  4. Notifying the FTC via IdentityTheft.gov
  5. Contacting state tax agencies in all states where affected clients filed returns
  6. Notifying your professional liability carrier

The IRS Security Summit's "Taxes-Security-Together" Checklist

The IRS Security Summit (a collaboration between the IRS, state tax agencies, and the tax software industry) publishes an annual security checklist for tax professionals. The current checklist includes specific recommendations beyond Publication 4557:

  • Subscribe to e-News for Tax Professionals (IRS email updates on emerging threats)
  • Use security software with automatic updates and real-time protection
  • Create data backups and store them securely offsite
  • Use a business VPN for any remote work
  • Conduct annual phishing awareness training with all staff

Your accounting IT provider should be familiar with Publication 4557 and the Security Summit checklist — these are baseline requirements for any firm handling tax returns.

Frequently Asked Questions

Is Publication 4557 compliance legally required?

Publication 4557 itself is guidance, not law. However, the FTC Safeguards Rule (which is law) requires similar controls, and the IRS can revoke EFIN authorization from tax preparers who fail to implement reasonable security practices. Compliance with Publication 4557 is effectively required for any tax professional who wants to maintain their EFIN and e-file capability.

What should I do if I receive a suspicious IRS notice or email?

The IRS never initiates contact with tax professionals by email, text, or social media about taxpayer data issues. Suspicious emails claiming to be from the IRS about security threats or EFIN suspension are almost always phishing. Forward suspicious IRS-related phishing to [email protected]. Contact the IRS directly at the official IRS.gov phone numbers if you have concerns.

How do I know if my client portal meets Publication 4557 requirements?

Your client portal should: encrypt data in transit (HTTPS/TLS), support MFA for client logins, allow you to control and revoke client access, maintain audit logs of document access, and be covered by a data processing agreement with the vendor. Platforms like TaxDome, Canopy, SmartVault, and ShareFile are purpose-built to meet these requirements.
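An audit log is only useful if someone reads it. The script below is an added example, not code from the page or from any of the portal vendors it names; the `timestamp key=value` log format, the sample entries, the revocation list and the `BULK_DOWNLOAD_THRESHOLD` are constructed assumptions (a real portal exports its own format). It runs two checks that follow directly from the requirements above: a client whose access was revoked must not appear in the log after the revocation time, and a single client login pulling an unusual number of documents in one day is flagged for follow-up.

```python
"""Review a client portal's document-access audit log.

Added example (not from the page or any portal vendor). The log lines,
the revocation list and the threshold are constructed.
"""
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

BULK_DOWNLOAD_THRESHOLD = 10  # assumed: more than this per client per day is unusual

# Constructed audit log in an assumed "timestamp key=value ..." format.
AUDIT_LOG: List[str] = [
    "2024-03-04T09:12:33Z client=c1042 action=download doc=2023-1040.pdf",
    "2024-03-04T09:14:01Z client=c2077 action=view doc=engagement-letter.pdf",
    "2024-03-05T22:41:10Z client=c1042 action=download doc=2023-W2.pdf",
] + [
    f"2024-03-06T08:{minute:02d}:00Z client=c3300 action=download doc=k1-{minute}.pdf"
    for minute in range(12)
]

# Constructed: the firm revoked c1042's portal access at the start of 5 March (UTC).
REVOKED_AT: Dict[str, datetime] = {
    "c1042": datetime(2024, 3, 5, tzinfo=timezone.utc),
}


def parse_entry(line: str) -> dict:
    """Split one log line into a dict; the leading timestamp is parsed as UTC."""
    stamp, *pairs = line.split()
    entry = dict(pair.split("=", 1) for pair in pairs)
    entry["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return entry


def review_audit_log(lines, revoked_at, threshold=BULK_DOWNLOAD_THRESHOLD):
    """Return (client, reason) pairs for entries that need follow-up."""
    findings: List[Tuple[str, str]] = []
    downloads_per_day = Counter()
    for line in lines:
        e = parse_entry(line)
        client = e["client"]
        cutoff = revoked_at.get(client)
        # Any activity at or after the revocation time means revocation did not take effect.
        if cutoff is not None and e["ts"] >= cutoff:
            findings.append((client, f"{e['action']} of {e['doc']} at "
                                     f"{e['ts']:%Y-%m-%dT%H:%M:%SZ} after access was revoked"))
        if e["action"] == "download":
            downloads_per_day[(client, e["ts"].date())] += 1
    # Volume check runs after the pass so the whole day is counted.
    for (client, day), count in sorted(downloads_per_day.items()):
        if count > threshold:
            findings.append((client, f"{count} downloads on {day} (threshold {threshold})"))
    return findings


def run_audit_review():
    return review_audit_log(AUDIT_LOG, REVOKED_AT)


if __name__ == "__main__":
    for client, reason in run_audit_review():
        print(f"{client}: {reason}")
```

On the constructed log the review produces two findings: `c1042` downloading a W-2 the evening after its access was revoked, and `c3300` pulling twelve documents in one morning. The first is the more important control: if a revoked client (or whoever holds that client's credentials) can still download documents, the "control and revoke access" requirement is not actually met, whatever the vendor's feature list says.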
