WISP Compliance Checklist for Tax Resolution Firms Using Client Portals

It's 9 AM on a Tuesday. One of your staff members clicks a link in what appears to be a legitimate email. By noon, client SSNs, financial records, and IRS correspondence are sitting on someone else's server.

No alarm. No warning. No plan.

This is not a hypothetical. Tax resolution firms are among the most targeted by cybercriminals because of the sheer volume of sensitive data they hold. And yet, most firms either do not have a Written Information Security Plan (WISP) at all, or they have one that has not been touched since a consultant handed it to them three years ago.

Here is the thing: WISP compliance is not optional. It is federal law. And if your firm uses a client portal to share documents, collect financial information, or communicate case updates, your WISP needs to address that specific channel, or it is incomplete.

This checklist is built for tax resolution professionals Enrolled Agents, Tax Attorneys, CPAs, and case managers who need to get this right before enforcement catches up.

What Is a WISP and Why Does It Matter for Tax Resolution Firms?

A Written Information Security Plan (WISP) is a federally mandated data security document required under the Gramm-Leach-Bliley Act (GLBA) and enforced by the FTC Safeguards Rule.

Tax professionals are classified as financial institutions under this law. That means the same data security obligations that apply to banks apply to your tax resolution firm, regardless of how many clients you have.

Under the updated 2024 IRS guidelines in Publication 5708, every tax practitioner must:

  • Designate a qualified individual to oversee the security program
  • Identify and assess risks to client data across all systems and channels
  • Implement multi-factor authentication (MFA) for every individual accessing any information system
  • Report security events affecting 500 or more people to the FTC within 30 days
  • Review and update the WISP regularly, not annually as a box-checking exercise

The 2024 update escalated the stakes significantly. MFA is now required for all system access, not just remote access. Password changes are required at least once every 365 days. And for firms that use client-facing portals, the requirements go even further.

If your client portal is how clients submit documents, sign forms, or view case updates, it is a primary data entry point. That makes it a primary risk point.

Why Client Portals Create Unique WISP Compliance Challenges

Most WISP guides cover the basics: encrypt your hard drives, train your staff, lock your office.

But client portals introduce a layer most WISPs do not adequately address.

When a client logs into a portal to upload their W-2, fill out a financial questionnaire, or sign a disclosure form, you are managing a two-sided security equation. It is not just about whether your systems are secure. It is about whether the access point itself is built for compliance from the ground up.

Here is what tends to fall through the cracks:

Vendor security. The FTC Safeguards Rule requires you to evaluate and document the security practices of every service provider with access to client data. That includes whoever runs your client portal. Most firms cannot produce that documentation on request.

Access controls. Who in your firm can see what inside the portal? Is access role-based and documented? Or can any staff member pull any client's financial data from any device?

Data transmission. Are documents uploaded through the portal encrypted in transit? Is the platform using TLS 1.2 or higher? Do you know?

Audit trails. If there is a breach, can you demonstrate exactly who accessed what, and when? Without logs, you have no evidence of compliance, and no defense.

Specifically for tax resolution cases, the data flowing through your client portal is extremely sensitive. Financial questionnaires. IRS transcripts. Installment agreement terms. Bank statements. If any of that is compromised, the consequences go far beyond a fine.

The WISP Compliance Checklist for Firms Using Client Portals

Work through every item here. If you cannot check it off, it needs to be addressed in your WISP or escalated to your qualified individual.

Administrative Safeguards

  • A qualified individual is named, and their responsibilities are documented in the WISP
  • All staff members have completed WISP training, with records to prove it
  • A data breach response plan exists, and staff know the steps
  • Service providers with data access (including your client portal provider) have been reviewed and contracts updated to include security requirements
  • The WISP has been reviewed in the last 12 months

Technical Safeguards

  • Multi-factor authentication is enabled for all system access, including the client portal
  • All client data in transit is encrypted via TLS 1.2 or higher
  • Role-based access controls are in place, limiting what each team member can see and do
  • Login history and activity are logged and accessible for audit
  • Passwords meet minimum complexity standards and are changed at least every 365 days
  • Devices accessing client data are covered by endpoint security (antivirus, device management)

Client Portal-Specific Items

  • Your portal provider's security certifications and practices are documented in the WISP
  • Client authentication to the portal requires MFA or an equivalent control
  • Document uploads and downloads through the portal are logged with timestamps
  • Clients cannot access each other's information (firm-wide access controls verified)
  • The portal's data retention practices align with your firm's retention policy (typically 7 years for tax records)
  • Clients are notified of the secure channel they should use to share sensitive information, and that notification is documented

Physical Safeguards

  • Offices and server rooms have restricted physical access
  • A clean desk policy is in place for staff handling client data
  • Remote work policies cover secure access to client portals and firm systems

IRS-Specific Requirements

  • A process exists to notify the IRS Stakeholder Liaison in the event of a security incident
  • FTC breach notification procedures are documented for events affecting 500 or more individuals
  • WISP certification was included in your most recent PTIN renewal (as required since 2024)

The One Mistake Most Tax Resolution Firms Make

They treat the WISP as a document, not a system.

They hire someone to write it once, sign it, file it, and forget it. Then something changes: they adopt a new client portal, they hire three new staff members, they start handling more multi-office workflows, and nobody updates the WISP.

That document sitting in a folder is no longer an accurate reflection of how the firm actually operates. And under the FTC Safeguards Rule, your WISP has to reflect your actual practices, not your aspirational ones.

The University of Illinois Tax School notes that the 2024 WISP update introduced specific language around presumed unauthorized access, even when only an encryption key is compromised. That is a significant shift. It means the threshold for what counts as a reportable incident is lower than most firms realize.

Reviewing your WISP is not a once-a-year task. It should be triggered whenever your operations change: new software, new staff, new clients, or new workflows.

IRSLogics: Built for the Way Tax Resolution Firms Actually Handle Client Data

Tax resolution firms are not general accounting practices. The data you manage, the forms you file, the timelines you work against- all of it is specific to this industry. Your software should be too.

IRSLogics is built exclusively for tax resolution professionals and designed with the kind of operational security your WISP needs to document. The Client Portal gives clients one secure, dedicated space to upload documents, review case status, communicate with your team, set appointments, and manage billing, without your staff having to juggle email threads and unsecured file-sharing links.

For WISP compliance specifically, IRSLogics supports several of the control requirements directly:

The Document Collection workflow ensures client files enter the system through a structured, logged channel rather than via email or personal devices. The Financial Questionnaire sends a fillable intake form to clients, securely collects their financial data, and auto-populates it into IRS forms within Logics, eliminating re-entry risk and the security gaps that come with manual data handling. Role-based access, audit trails, and case activity logs give you the documentation backbone your WISP compliance depends on.

When you need to demonstrate that your firm knows who accessed what, and when, IRSLogics gives you that record. That is not a feature. That is compliance infrastructure.

See how IRSLogics handles client portal security and data workflows.

FAQs

1. Is a WISP legally required for all tax resolution firms?

Yes. Under the Gramm-Leach-Bliley Act and the FTC Safeguards Rule, all tax professionals are classified as financial institutions and are required by law to maintain a Written Information Security Plan. This applies regardless of firm size.

2. What happens if a tax firm does not have a WISP?

FTC penalties can reach $46,517 per violation per day. Non-compliance can also result in PTIN revocation, voided professional liability insurance, and significant reputational damage if a breach occurs without a documented response plan.

3. Does my WISP need to specifically mention the client portal my firm uses?

Yes. Your WISP must address all channels through which client data flows, including client portals. It must document your portal provider's security practices, the access controls in place, how data is encrypted, and how activity is logged.

4. How often does a WISP need to be updated?

The IRS recommends reviewing and updating your WISP whenever there are material changes to your operations, such as adopting new software, onboarding new staff, or changing how you collect client information. A minimum annual review is expected, but operational changes should trigger immediate updates.

5. What is the 2024 change to WISP requirements that most tax firms missed?

The 2024 update to IRS Publication 5708 made multi-factor authentication mandatory for all system access, not just remote access. It also introduced a presumption of unauthorized access if even an encryption key is compromised, lowering the threshold for what must be reported to the FTC.

6. Can a secure client portal help with WISP compliance?

Absolutely. A purpose-built client portal creates a documented, controlled channel for client data. It supports the access controls, encryption requirements, audit logging, and vendor documentation that form the backbone of WISP compliance. Unsecured email does none of that.

Conclusion

Your WISP is not a formality. It is the document that the IRS, the FTC, and your clients would review if something went wrong. And if your firm uses a client portal, which it should, because the alternative is scattered emails and unsecured attachments, your WISP needs to reflect that.

Go through the checklist. Find the gaps. Close them before enforcement finds them first.

Key Takeaways

  • WISP compliance is mandatory for all tax resolution firms under the FTC Safeguards Rule and the Gramm-Leach-Bliley Act.
  • Client portals must be specifically addressed in your WISP, as they are a primary channel for collecting and storing sensitive taxpayer data.
  • Multi-factor authentication (MFA) is now required for all system access under the 2024 IRS security updates.
  • Vendor security assessments are essential, including documenting the security practices of your client portal provider.
  • Audit trails, role-based access controls, and encryption are critical components of WISP compliance.
  • A WISP is an ongoing security program, not a one-time document, and must be updated whenever business operations change.
  • Failure to comply can result in severe penalties, including FTC fines, PTIN issues, and reputational damage.
  • Purpose-built tax resolution software and secure client portals can help firms meet WISP requirements while improving operational security.
  • Regular staff training, incident response planning, and risk assessments are essential to maintaining compliance.
  • The best time to identify WISP gaps is before an audit, breach, or regulatory review occurs.

Popular Posts

See All

Table Of Content

  • Introduction
  • Auto-Fill Functional Forms
  • Tailored Contracts
  • Huge Time-Saver

Categories

Subscribe to Our Newsletter

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Recent Blogs

Best Tax Resolution Software For Lightning Fast Tax Resolution

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

Email This Article

Share this article directly by email. Simply enter the recipient’s details below.

Please enter the required details

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Send Article

Submitted Successfully!

Article has been send to you.

Submitted Successfully!

Our team will get back to you