Incident response planning for tax professionals
The IRS requires every tax preparer to have a documented incident response plan. Learn the six phases of incident response, what the IRS mandates, and how to build a plan that protects your practice when a breach occurs.
The Case for Readiness
Why every tax practice needs an incident response plan
A data breach at a tax practice is not a matter of if, but when. The IRS reported that identity theft-related tax fraud attempts exceeded $5.7 billion in recent years, and tax professionals remain one of the primary vectors for stolen taxpayer data.
When a breach occurs, the difference between a firm that survives and one that does not often comes down to whether it had a plan in place. Without documented response procedures, teams panic, critical evidence is destroyed, notification deadlines are missed, and the financial and reputational damage multiplies.
An incident response plan gives your team a clear, rehearsed set of actions to take under pressure. It reduces response time, limits data exposure, satisfies regulatory requirements, and demonstrates to clients and regulators that you take data protection seriously. The IRS views a tested incident response plan as a core component of your Written Information Security Plan (WISP) and a non-negotiable requirement for tax professionals.
Regulatory Framework
IRS and federal requirements
Multiple federal regulations require tax professionals to maintain an incident response plan. Here are the key mandates you must satisfy.
IRS Publication 4557 Mandate
IRS Publication 4557 explicitly requires all tax professionals to have an incident response plan as part of their Written Information Security Plan. The publication states that preparers must have documented procedures for responding to a security incident involving taxpayer data.
IRS Notification Requirements
If taxpayer data is compromised, you must report the breach to your local IRS Stakeholder Liaison. You can also file a report with the Treasury Inspector General for Tax Administration (TIGTA). The IRS Identity Protection Specialized Unit can help place identity protection PINs on affected clients' accounts.
FTC Safeguards Rule Compliance
The revised FTC Safeguards Rule (effective June 2023) requires financial institutions, including tax preparers, to establish and maintain an incident response plan. The plan must address the goals, internal processes, and defined roles for responding to security events.
State Breach Notification Laws
All 50 states, the District of Columbia, and U.S. territories have breach notification laws. These laws require you to notify affected individuals within a specified timeframe (typically 30 to 90 days) if their personal information is compromised. Some states also require notification to the state Attorney General.
The Framework
The 6 phases of incident response
Drawing on the NIST Computer Security Incident Handling Guide (SP 800-61), these six phases form the backbone of an effective incident response plan.
Preparation
This is everything you do before an incident occurs. Your preparation phase includes creating and maintaining this incident response plan, designating your response team (even if that team is just you), establishing communication channels, training staff on recognizing incidents, and ensuring you have the tools and vendor relationships in place to respond effectively. For tax practices, preparation also means having your IRS PTIN holder contact information readily accessible and knowing the IRS Identity Protection Specialized Unit phone number.
Identification
The identification phase is about detecting and confirming that a security incident has occurred. In a tax practice, signs of an incident include unexpected e-file rejections (which may indicate stolen EFINs), clients reporting they did not file returns, unusual system slowdowns, antivirus alerts, unexplained outbound network traffic, or employees receiving suspicious password reset emails. Not every alert is an incident, so this phase also involves triaging and determining the severity of what you are seeing.
Containment
Once you confirm an incident, your immediate goal is to stop the bleeding without destroying evidence. Short-term containment might mean disconnecting an infected computer from the network, disabling a compromised user account, or blocking a malicious IP address. Long-term containment involves bringing temporary systems online so your practice can continue operating while you work on eradication. For tax firms during filing season, containment must balance security with the urgent need to maintain operations.
Eradication
With the incident contained, you now remove the threat entirely. This means identifying the root cause of the breach, removing all malware from affected systems, closing the vulnerability that allowed the attack, and verifying that no backdoors or persistence mechanisms remain. In many cases, the safest approach for tax practices is to wipe and rebuild affected machines from clean images rather than attempting to clean them in place.
Recovery
Recovery is the careful process of returning your practice to normal operations. Restore systems from verified-clean backups, bring services back online in a controlled order, and monitor closely for any signs that the threat persists. For tax practices, this includes verifying the integrity of taxpayer data, confirming that e-filing systems are functioning correctly, and ensuring no fraudulent returns were submitted using stolen client data.
Lessons Learned
Within two weeks of resolving the incident, conduct a formal post-incident review. Document what happened, what worked well in your response, what did not, and what specific changes you will make to prevent a recurrence. This review must be documented and retained as part of your WISP. The IRS expects to see evidence that you learn from security events and continuously improve your security program.
Template
What our incident response plan template includes
Our WISP template includes a complete incident response plan section with everything you need to be IRS-compliant and operationally prepared.
Build your incident response plan today
Do not wait until a breach forces you to improvise. Get our WISP template with a built-in incident response plan, or let our team build a custom plan for your practice.
