
It's 9 AM on a Tuesday. One of your staff members clicks a link in what appears to be a legitimate email. By noon, client SSNs, financial records, and IRS correspondence are sitting on someone else's server.
No alarm. No warning. No plan.
This is not a hypothetical. Tax resolution firms are among the most targeted by cybercriminals because of the sheer volume of sensitive data they hold. And yet, most firms either do not have a Written Information Security Plan (WISP) at all, or they have one that has not been touched since a consultant handed it to them three years ago.
Here is the thing: WISP compliance is not optional. It is federal law. And if your firm uses a client portal to share documents, collect financial information, or communicate case updates, your WISP needs to address that specific channel, or it is incomplete.
This checklist is built for tax resolution professionals Enrolled Agents, Tax Attorneys, CPAs, and case managers who need to get this right before enforcement catches up.
A Written Information Security Plan (WISP) is a federally mandated data security document required under the Gramm-Leach-Bliley Act (GLBA) and enforced by the FTC Safeguards Rule.
Tax professionals are classified as financial institutions under this law. That means the same data security obligations that apply to banks apply to your tax resolution firm, regardless of how many clients you have.

Under the updated 2024 IRS guidelines in Publication 5708, every tax practitioner must:
The 2024 update escalated the stakes significantly. MFA is now required for all system access, not just remote access. Password changes are required at least once every 365 days. And for firms that use client-facing portals, the requirements go even further.
If your client portal is how clients submit documents, sign forms, or view case updates, it is a primary data entry point. That makes it a primary risk point.
Most WISP guides cover the basics: encrypt your hard drives, train your staff, lock your office.
But client portals introduce a layer most WISPs do not adequately address.
When a client logs into a portal to upload their W-2, fill out a financial questionnaire, or sign a disclosure form, you are managing a two-sided security equation. It is not just about whether your systems are secure. It is about whether the access point itself is built for compliance from the ground up.
Here is what tends to fall through the cracks:
Vendor security. The FTC Safeguards Rule requires you to evaluate and document the security practices of every service provider with access to client data. That includes whoever runs your client portal. Most firms cannot produce that documentation on request.
Access controls. Who in your firm can see what inside the portal? Is access role-based and documented? Or can any staff member pull any client's financial data from any device?
Data transmission. Are documents uploaded through the portal encrypted in transit? Is the platform using TLS 1.2 or higher? Do you know?
Audit trails. If there is a breach, can you demonstrate exactly who accessed what, and when? Without logs, you have no evidence of compliance, and no defense.
Specifically for tax resolution cases, the data flowing through your client portal is extremely sensitive. Financial questionnaires. IRS transcripts. Installment agreement terms. Bank statements. If any of that is compromised, the consequences go far beyond a fine.
Work through every item here. If you cannot check it off, it needs to be addressed in your WISP or escalated to your qualified individual.
They treat the WISP as a document, not a system.

They hire someone to write it once, sign it, file it, and forget it. Then something changes: they adopt a new client portal, they hire three new staff members, they start handling more multi-office workflows, and nobody updates the WISP.
That document sitting in a folder is no longer an accurate reflection of how the firm actually operates. And under the FTC Safeguards Rule, your WISP has to reflect your actual practices, not your aspirational ones.
The University of Illinois Tax School notes that the 2024 WISP update introduced specific language around presumed unauthorized access, even when only an encryption key is compromised. That is a significant shift. It means the threshold for what counts as a reportable incident is lower than most firms realize.
Reviewing your WISP is not a once-a-year task. It should be triggered whenever your operations change: new software, new staff, new clients, or new workflows.
Tax resolution firms are not general accounting practices. The data you manage, the forms you file, the timelines you work against- all of it is specific to this industry. Your software should be too.
IRSLogics is built exclusively for tax resolution professionals and designed with the kind of operational security your WISP needs to document. The Client Portal gives clients one secure, dedicated space to upload documents, review case status, communicate with your team, set appointments, and manage billing, without your staff having to juggle email threads and unsecured file-sharing links.
For WISP compliance specifically, IRSLogics supports several of the control requirements directly:
The Document Collection workflow ensures client files enter the system through a structured, logged channel rather than via email or personal devices. The Financial Questionnaire sends a fillable intake form to clients, securely collects their financial data, and auto-populates it into IRS forms within Logics, eliminating re-entry risk and the security gaps that come with manual data handling. Role-based access, audit trails, and case activity logs give you the documentation backbone your WISP compliance depends on.
When you need to demonstrate that your firm knows who accessed what, and when, IRSLogics gives you that record. That is not a feature. That is compliance infrastructure.
See how IRSLogics handles client portal security and data workflows.
Yes. Under the Gramm-Leach-Bliley Act and the FTC Safeguards Rule, all tax professionals are classified as financial institutions and are required by law to maintain a Written Information Security Plan. This applies regardless of firm size.
FTC penalties can reach $46,517 per violation per day. Non-compliance can also result in PTIN revocation, voided professional liability insurance, and significant reputational damage if a breach occurs without a documented response plan.

Yes. Your WISP must address all channels through which client data flows, including client portals. It must document your portal provider's security practices, the access controls in place, how data is encrypted, and how activity is logged.
The IRS recommends reviewing and updating your WISP whenever there are material changes to your operations, such as adopting new software, onboarding new staff, or changing how you collect client information. A minimum annual review is expected, but operational changes should trigger immediate updates.
The 2024 update to IRS Publication 5708 made multi-factor authentication mandatory for all system access, not just remote access. It also introduced a presumption of unauthorized access if even an encryption key is compromised, lowering the threshold for what must be reported to the FTC.
Absolutely. A purpose-built client portal creates a documented, controlled channel for client data. It supports the access controls, encryption requirements, audit logging, and vendor documentation that form the backbone of WISP compliance. Unsecured email does none of that.
Your WISP is not a formality. It is the document that the IRS, the FTC, and your clients would review if something went wrong. And if your firm uses a client portal, which it should, because the alternative is scattered emails and unsecured attachments, your WISP needs to reflect that.
Go through the checklist. Find the gaps. Close them before enforcement finds them first.
All
Tax Software
Workflow & Automation
Industry News
Resolution Tips
Tax Resolution Marketing

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.