As far as I can tell, this is additional requirements to the WISP that aren't required until now. If you look at the bulleted points on the link below, it summarizes what is now required.




As for the IRS enforcing things, I tend to agree with you, but I suspect they are required to make tax professionals AWARE of the rules.

So what I conclude is that the new requirements are slightly more specific than the ones from a few years ago. The original ones said to write a plan, one of the points being to then implement it. The new ones are actually more specific implementation steps that they are dictating you must perform.

As a sole prop, small practice, with no employees and almost no in person appointments in my private home office (I've always selected for remote clients), I believe my plan and implementation meets the requirements, It's less than a page. Between Microsoft BitLocker encryption, backups encryption, and my tax software vendor's requirements for MFA, I have been in good shape since before any of this starting applying to tax practices.

Some of the new requirements are pretty lame. "periodically assess the security practices of service providers" - how am I supposed to do that? Just read what they put on their web site and terms of use (TOU)? "implement multi-factor authentication or another method with equivalent protection" - what is an acceptable "other method"? "train security personnel," -- can I deduct training for our resident dog? :-)

The original WISP requirement had the following requirements listed as bullet points:

• Include the name of all information security program managers.
• Identify all risks to customer information.
• Evaluate risks and current safety measures.
• Design a program to protect data.
• Put the data protection program in place.
• Regularly monitor and test the program.

The new version has these requirements listed as bullet points:

• designate a qualified individual to oversee their information security program,
• develop a written risk assessment,
• limit and monitor who can access sensitive customer information,
• encrypt all sensitive information,
• train security personnel,
• develop an incident response plan,
• periodically assess the security practices of service providers, and
• implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

While skimming the CalCPA tax discussion forum, I saw several references to a 5,000 customer minimum threshold for the new requirements to apply. For example, if you prepare a 1040 for a married couple with two kids, that is four customers. Not sure how they count customers from the past.

There does not seem to be any guidance for how to treat customer PII for former customers, for example when should you affirmatively delete old records (since in theory the SOL on a tax return may never end, if fraud is suspected)? That would be helpful!