Most firm owners can describe what a breach feels like — the locked files, the strange logins, the sick realisation that client data may be gone. Far fewer can describe what they're legally required to do next. Tax preparers sit under a reporting framework that's genuinely different from a normal small business, because the IRS is part of it.
Here is the chain of who to notify, why, and how fast — in the order that does the most good.
The Reporting Chain
IRS Stakeholder Liaison
Report the data theft promptly. The IRS can flag affected taxpayer accounts to block fraudulent returns — the single most protective step for your clients.
The states (via the FTA)
Use the Federation of Tax Administrators' single reporting contact to notify participating state tax agencies at once, plus any state attorney general your breach laws require.
The FTC
Under the Safeguards Rule, notify the FTC as soon as possible — and within 30 days — of an event affecting 500+ consumers' unencrypted information.
Your clients
Affected individuals must be told under state breach-notification law, with timelines that vary by state. Clear, prompt notice also protects the trust your firm runs on.
Your insurer & counsel
Most cyber policies require prompt notice as a condition of coverage. Loop in counsel early — multi-state client lists mean multiple laws can apply at once.
Why the IRS Comes First
The instinct is to call your IT person and lock everything down — and yes, contain the incident immediately. But the step unique to your profession is reporting the theft to your IRS Stakeholder Liaison. The reason is simple and powerful: the IRS can flag the affected taxpayer accounts so that criminals can't file fraudulent returns under your clients' identities. No other notification protects your clients as directly. The faster you report, the more fraud the IRS can head off.
The FTC Safeguards Wrinkle Most Preparers Miss
Tax preparers are “financial institutions” under the FTC Safeguards Rule. A 2024 amendment added a breach-notification duty: if a security event affects the unencrypted information of 500 or more consumers, you must notify the FTC as soon as possible and no later than 30 days after discovery. Many firms built a WISP for the Safeguards Rule but never noticed this newer reporting obligation. It's real, and it's separate from state law.
The Safeguards Rule and the WISP behind it are covered in full in IRS Publication 4557 & the WISP every tax preparer needs.
The States — Without Calling All Fifty
Your client list almost certainly spans multiple states, and most states have their own breach-notification laws with their own clocks. The practical tool is the Federation of Tax Administrators, which maintains a single reporting contact so you can notify participating state tax agencies at once. You may also owe notice to one or more state attorneys general depending on the numbers involved. The multi-state mechanics are the same ones we cover for other regulated SMBs in our first-24-hours incident-response guide.
Being Ready Beats Being Fast
Every firm that handled a breach well had three unglamorous things in place beforehand: logging, so they could determine what was actually accessed instead of assuming the worst; encryption, which can take a breach out of notification scope entirely under many state laws; and a written incident-response plan naming who calls the IRS, who calls counsel, and who notifies clients. That plan is part of a complete WISP, and it's the difference between a controlled 30-day response and a six-week scramble.
The Bottom Line
A tax-firm breach isn't just an IT event — it's a reporting project with the IRS, the states, the FTC, and your clients all on the line, each with their own clock. Report to the IRS first to protect your clients, meet the FTC's 30-day duty for large events, use the FTA to reach the states, and notify affected individuals under state law. The firms that do this calmly are the ones that prepared before anything went wrong.
See how we build that readiness into managed security for firms on the cybersecurity for accounting & tax firms page.
This article is general information, not legal advice. Breach-reporting requirements are fact-specific, change over time, and vary by state; confirm current IRS, FTA, FTC, and state details and consult qualified counsel for your firm's situation.