WISP Requirements for Maryland CPAs: What Salisbury Firms Need to Know in 2026


What Is a Written Information Security Plan (WISP)?

A Written Information Security Plan — commonly known as a WISP — is a formal document that outlines how your firm protects sensitive client data. It covers everything from how you store tax returns and Social Security numbers to what happens when an employee leaves or a laptop goes missing.

For CPA firms, a WISP isn’t just a best practice. It’s a legal requirement.

The IRS, through Publication 4557 (Safeguarding Taxpayer Data), explicitly requires all tax preparers to create and maintain a written security plan. This requirement stems from the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule, which classify tax preparers as “financial institutions” — regardless of firm size.

That means whether you’re a solo practitioner in Salisbury or a 30-person firm in Easton, you need a WISP.

Who Needs a WISP in 2026?

If your Maryland CPA firm handles any of the following, you are legally required to have a WISP:

  • Individual or business tax returns
  • Social Security numbers
  • Financial account information
  • Any personally identifiable information (PII) related to tax preparation

This applies to:

  • Sole proprietors and independent CPAs
  • Small and mid-size CPA firms
  • Enrolled agents and tax preparers
  • Bookkeeping firms that handle sensitive financial data

The FTC’s updated Safeguards Rule, which took full effect in June 2023, added new teeth to these requirements. Firms handling information for 5,000 or more consumers must now also report certain security events to the FTC. But even firms below that threshold must comply with the core WISP requirements.

What Does a WISP Need to Include?

A compliant WISP isn’t a one-page checklist. It’s a living document that addresses your firm’s specific risks and operations. According to IRS Publication 4557 and the FTC Safeguards Rule, your WISP should include:

1. Designated Security Coordinator

Someone in your firm must be named as the person responsible for implementing and maintaining the security plan. For small firms, this is often the owner — but it must be documented.

2. Risk Assessment

You need to identify where sensitive data lives in your organization — on servers, in cloud apps, on laptops, in email — and assess the risks to each. This isn’t a one-time exercise; it should be reviewed annually.

3. Safeguards for Identified Risks

For every risk you identify, you need a corresponding safeguard. Examples include:

  • Multi-factor authentication (MFA) on all systems containing client data
  • Encryption of data at rest and in transit
  • Firewall and antivirus protection on all endpoints
  • Secure disposal procedures for old hard drives and documents

4. Employee Training

Your staff must receive regular security awareness training. This includes phishing recognition, password best practices, and procedures for reporting suspicious activity.

5. Incident Response Plan

What happens when something goes wrong? Your WISP must include a documented plan for responding to data breaches, including who to notify, how to contain the breach, and how to communicate with affected clients.

6. Oversight of Service Providers

If you use third-party vendors — cloud hosting, IT support, payroll processors — your WISP must document how you ensure those vendors also protect client data.

7. Regular Testing and Monitoring

Annual penetration testing or vulnerability assessments, continuous monitoring of access logs, and periodic review of security policies are all expected components.

Penalties for Non-Compliance

This is where it gets serious for Eastern Shore firms that have been putting this off.

IRS Penalties

The IRS can revoke your Preparer Tax Identification Number (PTIN) for failure to maintain adequate data security. Without a PTIN, you cannot legally prepare federal tax returns. The IRS has increasingly signaled that WISP compliance will be part of their enforcement focus going forward.

FTC Enforcement

The FTC has the authority to fine firms that violate the Safeguards Rule. While enforcement actions have historically targeted larger institutions, the agency has made clear that firms of all sizes are within scope. Fines can reach $100,000 per violation, with additional penalties of up to $10,000 per individual officer or director.

State-Level Exposure

Maryland has its own data breach notification law (Maryland Personal Information Protection Act). If a breach occurs and you don’t have a WISP in place, you face potential state-level fines, mandatory breach notifications, and civil liability from affected clients.

Reputational Damage

Perhaps the biggest risk for Salisbury and Eastern Shore CPAs: a data breach without a security plan in place can destroy client trust. In a community-driven market, reputation is everything. Losing even a handful of clients due to a preventable breach can have lasting financial impact.

The Current State of WISP Compliance on the Eastern Shore

Based on our experience working with CPA firms across Delmarva, we estimate that the majority of small to mid-size firms still don’t have a compliant WISP — or have one that hasn’t been updated in years.

Common gaps we see include:

  • No designated security coordinator
  • Risk assessments that haven’t been updated since the firm started using cloud-based tax software
  • No documented incident response plan
  • Employee training that consists of a single email sent years ago
  • No oversight documentation for third-party vendors

If any of this sounds familiar, you’re not alone — but the window for getting compliant without consequences is closing.

How to Get Started With Your WISP

Building a WISP doesn’t have to be overwhelming, but it does require a systematic approach:

Step 1: Inventory your data. Map out every place client data is stored, processed, or transmitted. Include cloud apps, local servers, email, portable devices, and paper files.

Step 2: Conduct a risk assessment. For each data location, identify threats (hackers, employee error, hardware failure) and vulnerabilities (lack of encryption, weak passwords, no backup).

Step 3: Implement safeguards. Address each identified risk with a specific control — technical (firewalls, MFA), administrative (policies, training), or physical (locked offices, secure disposal).

Step 4: Document everything. Write it all down in a formal plan. Include names, dates, and specific procedures.

Step 5: Train your team. Make sure every employee understands the plan and their role in it.

Step 6: Test and update annually. Your WISP should evolve as your firm grows and threats change.

How OmniTechPro Helps Salisbury CPA Firms With WISP Compliance

At OmniTechPro, we work with CPA firms across the Eastern Shore to build and maintain WISP-compliant IT environments. Our approach includes:

  • WISP Development Assistance: We help you create a comprehensive Written Information Security Plan tailored to your firm’s size, structure, and technology stack.
  • Risk Assessments: We conduct thorough technical assessments of your network, cloud services, and endpoints to identify gaps.
  • Security Implementation: From MFA deployment to endpoint protection to encrypted backup solutions, we implement the technical safeguards your WISP requires.
  • Employee Security Training: We provide ongoing security awareness training for your staff, including phishing simulations.
  • Ongoing Monitoring: Our managed IT services include 24/7 monitoring, patch management, and incident response — keeping your firm compliant year-round.
  • Annual Reviews: We help you review and update your WISP annually to stay current with evolving regulations and threats.

Your clients trust you with their most sensitive financial information. A WISP isn’t just a regulatory checkbox — it’s your commitment to protecting that trust.

Learn more about our IT support for CPA firms, or call us at (410) 749-2340 to schedule a free WISP readiness assessment.
