A Plain-English Guide to IRS Publication 4557

What IRS Publication 4557 actually requires of tax preparers, the six security measures it specifies, and the 2024 update on data breach reporting that caught a lot of firms off guard.

October 2, 2024

The IRS guidance that quietly became enforceable. What Pub 4557 requires, the 2024 update most firms missed, and how to prove you are compliant.

What Pub 4557 actually is

IRS Publication 4557, titled "Safeguarding Taxpayer Data: A Guide for Your Business," is the IRS's official guidance for tax professionals on protecting client information. It is guidance, not a regulation, and it started life as a set of recommendations. What changed is the context around it: the FTC Safeguards Rule (16 CFR Part 314) applies to tax preparers as financial institutions, and the IRS points to Pub 4557 as the practical baseline for meeting it. When something goes wrong, that baseline is what a firm is measured against.

Every paid preparer is required to have a Written Information Security Plan (WISP), because the Safeguards Rule requires a written security program. Pub 4557 tells you what should be in it, and IRS Publication 5708 supplies a fill-in template sized for smaller practices. The FTC Safeguards Rule provides the legal teeth. Together, they define the floor of what a competent firm produces.

Pub 4557 is not a 200-page document. It is short, plain, and specific. The problem is not that it is hard to read. The problem is that most firms have never been walked through what it requires in operational terms.

The 6 IRS-recommended security measures

Pub 4557's guidance boils down to six measures. Each has practical implications for how your firm runs day-to-day, and each needs evidence behind it, not just a sentence in a policy.

1. Recognize phishing and social engineering

The IRS leads with phishing because it is the most common way criminals get into a tax practice: a message impersonating the IRS, a software vendor, or a client that steals credentials or drops malware. Pub 4557 expects you to train staff to recognize phishing, run periodic simulations, and have a clear process for reporting suspicious messages.

Pub 4557 does not set a cadence, but in practice this means quarterly simulated phishing campaigns, written training records, and a documented response procedure that says who a suspicious message goes to and what happens next. Without those three artifacts, you cannot prove this measure is in place.

2. Create a security plan

A WISP is required, not optional. The plan must name a security lead (the FTC Safeguards Rule calls this person the Qualified Individual), inventory the systems and data your firm handles, document your access controls, and describe your incident response process. We have an entire post on what goes into a real WISP.

3. Use strong security software

The IRS calls out anti-virus and anti-malware software and a firewall on every machine, kept updated. Pub 4557 does not name a product class, but consumer-grade antivirus that cannot be centrally managed or report its own status cannot produce the evidence this measure needs. In practice that means business-grade endpoint protection, ideally with detection and response (EDR), on every device that touches client data.

4. Use strong authentication

Multi-factor authentication on every system that holds client data: tax software, email, practice management, document portals, cloud storage, every one of them. MFA on email alone is not enough. The FTC Safeguards Rule requires MFA for any individual accessing an information system that holds customer information (unless the Qualified Individual has approved an equivalent control in writing), so a single-factor login on a tax-software account is a rule violation, not a best-practice gap. Prefer an authenticator app or a hardware key over SMS codes where the product offers it.

5. Encrypt data and secure backups

Encryption at rest on every device that holds client data, including laptops and phones (BitLocker or FileVault on workstations, the built-in device encryption on phones). Encryption in transit on every system that moves client data; for email containing PII, that means an encrypted client portal or an encrypted attachment rather than trusting the mail transport. Backups encrypted, restore-tested at least quarterly, and kept isolated from the production system so ransomware that hits a workstation cannot reach them.

6. Sign a Statement of Confidentiality

Every employee, contractor, and intern with access to client data signs a written confidentiality agreement before they touch a return. The signed agreements are kept for the duration of employment plus a reasonable retention window.

The 2024 update most firms missed

The change that matters most came from the FTC. The amended Safeguards Rule, in effect since May 13, 2024, requires a firm to notify the FTC as soon as possible, and no later than 30 days after discovery, of any breach involving unencrypted customer information of 500 or more consumers. Separately, the IRS continues to ask tax professionals to contact their local IRS Stakeholder Liaison immediately when client data is stolen, so the IRS can take steps to protect the affected clients from fraudulent filings. Both sit alongside any state breach-notification and state attorney general filings.

Neither notification is workable from a standing start. A 30-day clock that begins at discovery means the contacts, the decision on whether the 500-consumer threshold is met, and the state-law checklist have to be written into the incident response plan before a breach, not assembled during one.

Many firms missed this because it arrived as an amendment to an existing rule rather than a new law. If your incident response plan was written before May 2024 and you have not refreshed it, this is the gap to close first.

How to prove you are compliant

The IRS does not certify Pub 4557 compliance the way it issues an EFIN. Compliance is proven by the artifacts you can produce in an audit, an enforcement action, or a breach investigation.

A firm that takes Pub 4557 seriously can hand a reviewer the following inside an hour:

  • A current WISP, dated within the last 12 months, with a named security lead (Qualified Individual).
  • Phishing training records and recent simulation results for every employee.
  • A list of every device touching client data, with dated proof that endpoint protection is installed and running.
  • Dated MFA configuration screenshots or admin-console exports from every business system.
  • Encryption status for laptops, phones, email, and backups, exported from the tools rather than asserted in a memo.
  • Signed confidentiality agreements for every staff member and contractor.
  • An incident response plan naming the IRS Stakeholder Liaison contact and the FTC notification step and deadline.

A firm that cannot produce those is not compliant, even if every recommendation in Pub 4557 is technically followed. The artifact is the proof.
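The device-level items in that list (measure 3, endpoint protection, and measure 5, encryption at rest) are the easiest to script rather than screenshot. The following is an added example of mine, not code from the IRS, Pub 4557, or this post: a PowerShell script that collects a dated, hashed evidence record from one Windows workstation. It assumes Windows 10 or 11 with BitLocker and Microsoft Defender, an elevated session, and an evidence folder path and a 7-day signature-age threshold that are this script's own choices; a firm running a third-party EDR would add that vendor's status command next to the Defender check.

```powershell
# Added example, not from Pub 4557 or the post: collect dated, hashed evidence
# of full-disk encryption (measure 5) and endpoint protection (measure 3) from
# one Windows workstation. Assumptions: Windows 10/11 with BitLocker and
# Microsoft Defender (a third-party EDR needs its vendor's status command
# added), run from an elevated PowerShell session. The evidence folder path
# and the signature-age threshold are this script's own choices.
param(
    [string]$EvidenceDir = "$env:USERPROFILE\WISP-Evidence",  # assumed location
    [int]$MaxSignatureAgeDays = 7                              # assumed threshold
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Measure 5: every volume must be fully encrypted with protection turned on.
# A volume that is encrypted but has protection suspended ("Off") still fails,
# because BitLocker stores the key in the clear on that disk while suspended.
$volumes = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeType       = [string]$_.VolumeType        # OperatingSystem or Data
        VolumeStatus     = [string]$_.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus = [string]$_.ProtectionStatus  # On or Off
        EncryptionMethod = [string]$_.EncryptionMethod
    }
}
$failingVolumes = @($volumes | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
})

# Measure 3: antivirus enabled, real-time protection on, signatures current.
$mp = Get-MpComputerStatus
$endpointPass = [bool]($mp.AntivirusEnabled -and
                       $mp.RealTimeProtectionEnabled -and
                       $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)

$artifact = [pscustomobject]@{
    Hostname                  = $env:COMPUTERNAME
    CollectedAt               = (Get-Date).ToString('o')
    CollectedBy               = $env:USERNAME
    OSVersion                 = [string][Environment]::OSVersion.Version
    Volumes                   = $volumes
    EncryptionPass            = ($failingVolumes.Count -eq 0)
    AntivirusEnabled          = $mp.AntivirusEnabled
    RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    AntivirusSignatureAgeDays = $mp.AntivirusSignatureAge
    EndpointPass              = $endpointPass
}

# Write one dated JSON file per host, then append its SHA-256 to an index so a
# reviewer can tell the artifact has not been edited after collection.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$path  = Join-Path $EvidenceDir "$($env:COMPUTERNAME)-$stamp.json"
$artifact | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
$hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
"$($artifact.CollectedAt)`t$($env:COMPUTERNAME)`t$path`t$hash" |
    Add-Content -Path (Join-Path $EvidenceDir 'index.tsv')

# A non-zero exit lets a scheduled task or RMM job flag the device for follow-up.
if (-not $artifact.EncryptionPass -or -not $endpointPass) {
    Write-Warning "$($env:COMPUTERNAME): encryption pass=$($artifact.EncryptionPass), endpoint pass=$endpointPass"
    exit 1
}
Write-Output "Evidence written to $path (SHA-256 $hash)"
```

Run it from a scheduled task or your RMM on every workstation in the device inventory and keep the JSON files and the index together in the evidence folder; the index hash is what lets a reviewer trust a file dated months ago. The script reports a fail for a BitLocker volume whose protection is suspended, which is the state a laptop is often left in after a firmware update, so treat warnings as follow-ups rather than noise.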

What to do this week

If you have never run through Pub 4557 systematically, start with the three items that produce the most evidence in the least time.

  1. Pull or write a current WISP. Date it. Name your security lead.
  2. Confirm MFA is on every system that touches client data, and screenshot the configurations for your evidence folder.
  3. Refresh your incident response plan with the IRS Stakeholder Liaison contact, the FTC 30-day notification step, and the state breach reporting timeline.

Pub 4557 is not the hardest standard in cybersecurity. It is the one the IRS and the FTC apply to tax professionals specifically, and it is the starting point the IRS uses when something goes wrong. Treat it as the floor, prove compliance with artifacts, and you will not be surprised when somebody asks.
