A ramp up of accountability is expected from 2022 onwards and non-compliant CPA firms will face potential investigation by the FTC with the promise of substantial penalties. However, penalties aside, the 4557 publication actually outlines what should be seen as welcome best practices to thwart the cybercriminal activity which is increasing across the accounting industry. These 4557 guidelines are designed to protect accounting firms from catastrophic breaches that can leave you unable to operate.

Accountants are at greater risk

There’s no doubt that accountants everywhere should look at these guidelines as a guide to avoid penalties. But the more important risk that’s worth mitigating is the possibility of a breach itself. Several studies estimate that almost 90% of cyber breaches were the result of human error.  When passwords are shared in unsafe ways, or email platforms are not double secured, it puts sensitive client data like banking logins and payroll system passwords at risk.

The industry data suggests that accountants specifically are becoming prime targets for international cyber criminals, intent on stealing identities and sensitive information. You are the custodian of your client banking logins, payroll passwords and taxation information – and as such, you hold an incredible weight of responsibility to protect that data and the way that it’s used.

W-12 information security plan requirement

Practice Protect ensures that you meet and exceed the IRS 4557 guidelines. With over 13,000 active accountants customers worldwide, it has become the industry’s most widely accepted digital security tool. Whether through single sign on functionality, one-click user off-boarding or locked access times and password cloaking for employee groups, Practice Protect puts in place many of the processes that a information security plan includes, simply by deploying it into your accounting firm.

However, an information security plan (or data security plan) is still required in order to satisfy the W-12 PTIN renewal form Question 11. It states:

11. Data Security Responsibilities
I am aware that paid tax return preparers must have a data security plan to provide data and system security protections for all taxpayer information.

In order to tick this box in good faith, an information security plan must exist and be circulated to your entire organization (preferably with training).

Structuring a data security plan

So what should a compliant data security plan include? At Practice Protect, we offer a data security plan template for all clients, as a part of our Practice Protect University(PPU). The PPU is free for all customers and contains a wealth of resources and templates that assist accounting firms in compliance, training, digital security and up-skilling.  We consulted with top-tier attorneys to create an industry-standard data security plan so that you wouldn’t have to. For those readers who are not Practice Protect customers, here’s a list of what should go into your data security planning.

  1. A risk assessment must be completed
  2. Identify the risks and impacts of unauthorized data use and access
  3. Determine systems vulnerability of your firm
  4. Highlight a list of actions to reduce vulnerability
  5. Software and hardware safeguards in place
  6. Responsible data security personnel
  7. Annual review protocol

Download our guide below to get see the full list.

It includes self-assessment protocols and cadence for employees, privacy notices and practice policy disclosures for clients, written security policies of all service providers, facilities security protection and procedures in event of disaster, and more.

The importance of a Data Security Plan.

All accounting firms in the United States who are tax preparers are required by the FTC Safeguards rule and IRS 4557 guidelines to have in place a data security plan which outlines the protocols and processes which protect customer information and guard against data breaches. This is reinforced by Q11 on the W-12 renewal form. Asking yourself “Do I satisfy the requirements to tick the Q11 box?” is an important question all firms need to ask well ahead of time. There’s other reasons this should become a priority for every accounting firm:

  • We know that CPA firms are enticing for cybercriminals because they house tens if not hundreds of financial data sets for companies throughout the USA.
  • Hackers often hold stolen information for ransom and this can result in very expensive and stressful recovery pathways for the effected firms.
  • Hackers will lock down files, threaten to delete servers of information and cause general havoc internally. Companies going through these situations often have to shut down and cease trading until the matter is resolved.

It’s a lot to take in – the data security report should be both an audit document (allowing you take stock of your situation) and active document (with the processes and protocols in place in the case of an adverse event).

Secure, compliant, and in control - data security and compliance for all

You need a data security platform built for the pace of a modern accounting firm. From application security to email-layer protection (G-Suite and Office 365 ready), boost cybersecurity standards and remain completely industry compliant, with Practice Protect.

4557 compliant

Built with cyber and data security requirements in mind
Enterprise Grade

Password cloaking

Passwords are used but never seen with the power of cloaking.
Enterprise Grade

Data security docs and compliance policies

Control where and when your team access your data, down to the laptop.
Enterprise Grade

Remote & offshore team policy controls

Offshore and remote specific settings, to give you control and safety.
Enterprise Grade

One-Click User Lockout

Revoke access instantly for offboarding or staff centered threat response.
Enterprise Grade

On call support

Chat, email and phone support on system security whenever you need
Enterprise Grade

Access to training (PPU)

The Practice Protect University (PPU) is available as an ongoing security training resource for all your team members
Enterprise Grade

GSuite & Microsoft friendly

Practice Protect integrates seamlessly with GSuite & M365 for maximum email security
Enterprise Grade
See All Features

View more of our reviews here

Capterra getapp



Human Powered, AI Supported Cutting edge technology paired with human-backed support and management
Secured convenience which works with you Security protocols flexible to fit your needs and strong enough to protect from threats
Compliance on autopilot Ensure government compliance without compromising your time or client's security
Sign up to our monthly data security update for accountants only.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
© 2024 Practice Protect US. All rights reserved.