Key IT Security Standards for CPAs and Tax Professionals in the US

A critical guide for tax professionals in the US


1. 🏛️ IRS Publication 4557 – Safeguarding Taxpayer Data

Issued by: Internal Revenue Service (IRS)
Applies to: All tax preparers and firms handling taxpayer information

📌 Key Requirements:

  • Create a Written Information Security Plan (WISP)
  • Use firewalls, anti-virus software, encryption, and secure backups
  • Implement access controls (limit employee access to client data)
  • Dispose of data securely
  • Conduct regular security risk assessments

📘 This is the IRS's baseline for data protection for tax professionals. Pub 4557 is guidance rather than a regulation in its own right: the legal obligation behind the WISP comes from the FTC Safeguards Rule (below), and IRS Publication 5708 supplies a WISP template sized for small tax and accounting practices.
🔗 IRS Publication 4557


2. 🛡️ FTC Safeguards Rule (under the GLBA)

Applies to: All "financial institutions" as defined by the FTC (16 CFR Part 314), a definition that expressly includes tax preparers and accountants, regardless of firm size.
Authority: Gramm-Leach-Bliley Act (GLBA)

📌 Key Points:

  • Must develop, implement, and maintain a written information security program
  • Must base that program on a risk assessment
  • Must designate a qualified individual to oversee the program
  • Must enforce access controls, require multi-factor authentication for anyone accessing customer information, and encrypt customer information in transit and at rest
  • Must train staff, monitor systems, and oversee service providers that handle customer information
  • Must maintain a written incident response plan and, since May 2024, notify the FTC within 30 days of discovering a breach of unencrypted customer information affecting 500 or more consumers

๐Ÿ” The updated Safeguards Rule became enforceable in 2023 and now applies more strictly to small tax firms.


3. 🧾 AICPA Standards & SOC Reports

Issued by: American Institute of Certified Public Accountants (AICPA)

📌 Relevant Frameworks:

  • SOC 1, SOC 2, SOC 3 reports (System and Organization Controls): SOC 1 covers controls relevant to a client's financial reporting, SOC 2 reports against the Trust Services Criteria, and SOC 3 is a general-use summary of a SOC 2 examination
  • Trust Services Criteria: security (required in every SOC 2), availability, processing integrity, confidentiality, privacy
  • Generally Accepted Privacy Principles (GAPP), which the AICPA has since replaced with its Privacy Management Framework

โœ”๏ธ While not mandatory for every CPA firm, these are especially relevant for firms providing outsourced services, cloud solutions, or data processing.


4. 🧩 NIST Cybersecurity Framework (Voluntary)

Issued by: National Institute of Standards and Technology (NIST)
Applies to: All industries, often used as a best practice model

📌 Core functions:

  • Govern (added in CSF 2.0, published February 2024): set risk management strategy, roles, and policy
  • Identify: inventory assets and understand the risks to them
  • Protect: apply safeguards such as access control, training, and data security
  • Detect: find cybersecurity events and anomalies promptly
  • Respond: contain, analyze, and communicate incidents
  • Recover: restore systems and operations after an incident

๐Ÿ” Many CPA firms use this as a reference for building comprehensive cybersecurity strategies.


5. 💼 State Laws and Regulations

Some U.S. states (e.g., New York, California, Massachusetts) have specific data privacy and cybersecurity regulations that can also reach accounting firms, though their scope differs: the NYDFS Cybersecurity Regulation (23 NYCRR Part 500) applies only to entities licensed or regulated by the New York Department of Financial Services; the CCPA/CPRA applies to businesses above its revenue or data-volume thresholds and exempts data already covered by GLBA; and MA 201 CMR 17.00 applies to any person or business holding personal information of Massachusetts residents, wherever the firm is located. In addition, every state has a data breach notification law that applies to client information a firm holds.


๐Ÿ” Common Best Practices for CPAs & Tax Professionals

  • Multi-factor authentication (MFA), which the Safeguards Rule makes mandatory for access to customer information
  • Email encryption and secure client portals instead of sending returns or source documents as plain email attachments
  • Client data segmentation, so that staff can reach only the client files they work on
  • Regular security awareness training, with emphasis on phishing
  • Cyber liability insurance
  • Remote work policies with security controls (device encryption, VPN or zero-trust access, and no client data on personal devices)

📌 Summary Table

| Standard / Guideline | Applies To | Key Focus |
|----------------------|------------|-----------|
| IRS Pub 4557 | Tax preparers | Data protection for taxpayer information |
| FTC Safeguards Rule | CPAs, accountants, tax pros | Comprehensive cybersecurity program |
| AICPA SOC Reports | CPA firms with service clients | Internal control and data security |
| NIST Framework | Any organization (voluntary) | Broad cybersecurity best practices |
| State Regulations | Varies by state | Privacy and breach notification laws |