Skip to content

Tax Preparer Data Breach: Who to Call, in What Order, and the Deadlines That Actually Exist

Checked against the primary record: July 18, 2026Rule last amended: November 13, 2023 (88 FR 77508)

Dolev Arama, Founder/Last updated July 19, 2026/Every figure primary-sourced

The short answer

Call the IRS first. A tax practice that discovers a client-data breach reports it immediately to its IRS Stakeholder Liaison (202-317-4015), then to local police, then the FBI. After those calls come the states and the FTC, then your insurer and your clients, each on its own clock. Every deadline on this page comes from the primary record.

This page maps who a tax practice contacts after a client-data breach, and on what clock. It's general information, not legal advice for your specific situation. For that, consult a qualified professional.

Who do you call first?

The first call is the IRS Stakeholder Liaison, the agency's contact channel for preparer data theft. The IRS's instruction is one word, "immediately," and its stated reason is operational: "Speed is critical." A quick report lets the IRS take steps to block fraudulent returns in your clients' names (Tax Tip 2022-150). That call protects your clients faster than anything else on this page.

Reaching the liaison looks different than older write-ups describe. The IRS's Stakeholder Liaison contact page (last reviewed December 17, 2025) no longer shows a per-state liaison list: it organizes the country into five regional areas with one phone line, 202-317-4015, and a per-region email address. If you don't know your liaison, the page's own instruction covers you: "If you are a tax professional and believe you are a victim of a data breach, contact us immediately."

One correction before the table, because runbooks in this field state it as fact: some claim a 24-hour or 48-hour deadline for the liaison call. We can find no IRS primary that sets an hour-based deadline. That is an absence claim, so here is its depth: we checked the IRS contact tip, the data-theft hub, the 2023 follow-up tip, the Stakeholder Liaison contact page, and the response checklist in Publication 4557, on July 18, 2026. The IRS's actual word is "immediately." Treat that as faster than any invented clock, not slower.

Who else has to be notified, and by when?

None of the government pages this table draws on shows the full list end to end. The IRS's pieces sit on a contact tip and a data-theft hub, with more in Publication 4557; the FTC's reporting duty lives in the Safeguards Rule itself. The table below reconciles them. Each row links the record it comes from, and the basis column is the answer to "says who?"

Who a tax practice notifies after a data breach, with each duty's basis
ContactWhenBasisHave ready
IRS Stakeholder LiaisonImmediately. "Speed is critical."Tax Tip 2022-150 and the liaison contact pageWhat happened, when you discovered it, roughly how many clients look affected
Local policeWith your first calls, to file a report on the breachTax Tip 2022-150An incident summary for the report
FBIWith the first calls: the Internet Crime Complaint Center, and the local field officeTax Tip 2022-150 and the IRS data-theft hubThe same summary, plus any phishing email or ransom note you still have
Secret ServiceYour local office, only "if directed"IRS data-theft hubThe same incident summary
A security professionalEarly, because scope and cause drive every later stepTax Tip 2022-150Access to the affected systems and their logs
State tax agenciesOnce you know which states: every state where you prepare returnsIRS data-theft hub, via the FTA Report a Data Breach listingThe list of states you file in
State attorneys generalPer each state's own law: "Most states require that the attorney general be notified of data breaches"IRS data-theft hubCounsel, or each state's own AG guidance
The FTC (Safeguards report)If a notification event (unencrypted information) involves 500 or more consumers: as soon as possible, no later than 30 days after discovery16 CFR 314.4(j) and the FTC reporting formThe form's fields: contact person, event dates, information types, consumer count, description
Your insurerOn the policy's own notice terms: read the notice clause todayTax Tip 2022-150; the clock is the policy's ownPolicy number and the incident timeline
Credit bureausPer the IRS contact list, alongside any state identity-protection requirementsTax Tip 2022-150The scope of the exposed data
Your clientsIndividual letters; the IRS says to work with law enforcement on timingIRS data-theft hubThe letter draft, with the concrete next step for each client
Prepared by Safeguards Monitor from the IRS, FTC, and eCFR records linked in each row. Checked July 18, 2026.

What does the first 72 hours look like?

The table is the reference. This is the clock. Times other than the rule's own 30-day bound are working order, not law.

  1. Hour one: call the Stakeholder Liaison at 202-317-4015 or through your regional contact. Then isolate the affected machines from the network and preserve everything. Don't wipe, don't reinstall: the systems are evidence.
  2. Same day: police report and the FBI complaint. Both want the same incident summary, so write it once.
  3. Same day: read your cyber policy's notice clause and put the insurer on notice the way the clause says to.
  4. Day one to two: get a security professional into the systems. Scope decides everything downstream: whose data, which systems, what left the building.
  5. Day two: open the consumer count. The FTC report triggers at 500 consumers, and its outer bound is 30 days from discovery, so calendar that date now, while the count is still being established.
  6. Day two to three: the states. Work the FTA listing for each state where you prepare returns, and settle the attorney-general question per state. If returns you didn't file start appearing, or your e-file numbers look wrong, how the IRS handles a compromised EFIN is its own page.
  7. Draft the client letter, and set its timing with law enforcement. From hour one, keep a dated log of every call, every name, every case number, every decision. It will matter later.

Do you report to the FTC, the IRS, or both?

Both, through different instruments, on different clocks. The IRS leg is a phone call with no deadline in the IRS's own instructions; the agency's word is "immediately." The FTC leg is a formal report with hard numbers. Under 16 CFR 314.4(j), "if the notification event involves the information of at least 500 consumers, you must notify the Federal Trade Commission as soon as possible, and no later than 30 days after discovery of the event." A notification event means unencrypted customer information was acquired without authorization. The duty took effect on May 13, 2024, and the report is filed on the FTC's online form. Read the form page before you file: it advises, twice, "Your report may be made public," and it includes a checkbox for a law-enforcement request to delay that publication. The reporting paragraph is one duty inside a larger rule; the Safeguards Rule, element by element is its own page.

Here is why the field's runbooks disagree about this, read on July 18, 2026. The IRS contact tip most of them inherit was issued September 29, 2022, and still routes the FTC leg as "go to the FTC for guidance": it predates the reporting duty by a year and a half. The IRS data-theft hub, in a revision reviewed March 26, 2026, now instructs "File a report with the FTC if you have 500 or more people that have been affected," though the hub page itself carries no deadline; the 30-day bound above is the rule's. Publication 4557's response checklist (Rev. 6-2024) routes to the FTC's general breach-response guide. None of that changes the duty. It explains the confusion, and it is why every row in the table above links a primary record instead of another runbook.

When do clients file Form 14039?

Form 14039, the Identity Theft Affidavit, belongs to your clients, and only conditionally. It is not a form the practice files about its own breach, and write-ups that route it at the preparer misroute it. The IRS's instruction on its data-theft hub is exact: "Clients should complete IRS Form 14039, Identity Theft Affidavit, only if they receive a notice/letter from the IRS or their e-filed return is rejected because of a duplicate Social Security number" (IRS data-theft hub).

Your job on this front is different. The liaison report is what lets the IRS "take steps to block fraudulent returns" filed against your clients. Then tell clients plainly which signals trigger the form: an IRS letter they didn't expect, or an e-filed return that bounces because a return already exists under their Social Security number. A client with no signal has nothing to file.

What do you tell clients, and when?

The IRS instruction is an individual letter to every affected client, with one nuance the field skips: "work with law enforcement on timing." A letter that outruns an active investigation can tip off the people being investigated, so the send date is a decision you make with the investigators, not alone. The letter itself is plain. It says what happened and which information was involved, then what your firm is doing about it, then the client's concrete next step, including the Form 14039 condition above and where questions go.

Client notification is this runbook's most situation-specific step: state notice laws differ, and an active investigation changes the answer. Before letters go out, put an attorney who handles breach response, or another qualified professional, in the loop.

The version of this that works is the one written before the breach

The IRS warned in 2024 that criminals phish tax practices for EFINs and e-Services credentials to file fraudulent refund returns (IR-2024-36), and it publishes the signs that a practice has been breached. The defenses are ordinary: multi-factor authentication, a verified-portal rule for anything that touches your credentials, staff who know the tells. What separates firms that handle a breach well isn't luck. It's that this page's sequence existed in writing, with names and numbers filled in, before anyone needed it. That is exactly what the incident-response section of the written plan the Safeguards Rule requires is for.

FAQ

What are the signs of a data breach at a tax practice?

The IRS publishes the list (Tax Tip 2024-74). The signals worth knowing cold: client e-filed returns rejected because a return with that Social Security number already exists; IRS authentication letters your clients didn't expect; e-file acknowledgments for returns you never transmitted; slow or strange computer behavior; notice that your CAF number was compromised. Any one of them is enough to start the sequence at the top of this page.

Does the under-5,000 exemption remove the FTC report?

No. Section 314.6 waives four program requirements for firms under the threshold, and the reporting duty at 314.4(j) is not one of them: it has been in effect since May 13, 2024 for covered firms of every size. If unencrypted information of at least 500 consumers is involved, an exempt firm files the same report on the same 30-day clock as any covered firm. Exactly what the exemption does waive is its own page.

Do I have to notify every state where I have a client?

The IRS instruction is by where you work, not where every client lives: report to the tax agencies of the states where you prepare returns, through the FTA's state-by-state listing, and then, quoting the hub, "Determine if you need to contact the state attorney general for each state in which you prepare returns. Most states require that the attorney general be notified of data breaches." Exactly which offices, and on what clock, varies by state statute, and that per-state answer is beyond one page. For a multi-state client base it gets settled state by state, and early, because notice clocks differ.

Does my insurer have a deadline for breach notice?

Your policy sets it. Cyber policies carry their own notice clauses, and there is no universal number we could honestly print here. Read the notice provision the day you discover the event and follow it to the letter, because late notice is a coverage argument you do not want to be having in the same month as a breach.

What records should I keep from day one?

A dated log: every call, who you spoke to, case and report numbers, what was decided, plus the discovery date itself, since the FTC's 30-day outer bound runs from discovery. Keep copies of every notice you send. The firms that come out of a breach with their standing intact are the ones that can show what they did and when they did it.

The bottom line

A breach at a tax practice is survivable. The sequence is knowable: liaison, police and FBI, scope, states, the FTC count, the letters. What decides how it goes is whether the sequence existed in writing before the crisis, and whether you kept the record while it ran. If your firm doesn't have that document yet, write it this week, on a calm day.