Skip to content

EFIN Suspension Over Data Security: What the IRS Can Actually Do

Checked against the primary record: July 10, 2026Source revision: Pub 3112 (Rev. 11-2025)

Dolev Arama, Founder/Last updated July 18, 2026/Every figure primary-sourced

The short answer

Yes, the IRS can suspend or expel you from e-file over a data-security failure, and it can act at its own discretion. Losing your EFIN won't automatically end your practice, but for a firm that e-files, it's a serious blow. Here's what the IRS can actually do, what has actually happened, and what keeps your EFIN out of it.

This explains how the IRS can suspend or revoke an EFIN over data-security failures. It's general information, not legal advice for your specific situation. For that, consult a qualified professional.

Can the IRS really take your EFIN over data security?

An EFIN (Electronic Filing Identification Number) is the credential that lets your firm e-file federal returns. A firm's EFIN covers the preparers working under it, and a firm may hold more than one for separate office locations (IRS EFIN FAQ). The IRS can sanction any authorized e-file provider that stops meeting its requirements, and safeguarding taxpayer data is one of those requirements: Publication 1345, the handbook that governs e-file providers, states that providers must "safeguard taxpayer information from unauthorized disclosure, use and destruction," and that violating the handbook "may subject the Provider to sanctions."

Here's why that matters to you. If you reasonably expect to file 11 or more covered individual, trust, or estate returns in a year, you're a "specified tax return preparer," and you're generally required to e-file them (IRC § 6011(e)(3)). E-filing requires an EFIN. So the credential the IRS can pull is the same one most working preparers can't run a modern practice without.

One honest qualifier, because the field tends to overstate this. The IRS can sanction over a data-security lapse, but the documented cases where a preparer actually lost an EFIN run through fraud or abuse tied to that EFIN, not through a missing form. We found no case of the IRS expelling a preparer simply for not having a written plan. The realistic risk isn't a paperwork audit. It's that weak security lets a criminal use your EFIN, and that is what triggers the chain below.

A note on the other regulator, because it reorders the risk. The written plan most vendors point to is required by the FTC's Safeguards Rule, not the IRS. But as of mid-2026, we found no public record of an FTC Safeguards enforcement action against a small tax-preparation firm. The lever that has actually reached preparers is the IRS, through the EFIN. That's the honest order, and it's why this page leads with it.

How the IRS e-file sanction chain works (Publication 3112)

The IRS monitors authorized e-file providers and sorts violations into three "levels of infraction," with sanctions that climb from a written reprimand to suspension to expulsion, "depending on the seriousness of the infraction" (IRS Publication 3112, Rev. 11-2025).

IRS e-file infraction levels and typical sanctions
Infraction levelWhat it means (in the IRS's assessment)Typical sanction
Level OneLittle or no adverse impact on e-filed returns or on IRS e-fileWritten reprimand (or other sanction)
Level TwoAdverse impact; includes a Level One issue that continues after the IRS flags itSuspension from e-file, generally one year (or restricted participation)
Level ThreeSignificant adverse impact; includes identity theft, fraud, or criminal conductSuspension for two years, or expulsion with no future participation
Prepared by Safeguards Monitor from IRS Publication 3112 (Rev. 11-2025).

A few edges matter more than the table shows. A suspended provider is usually locked out for one or two years; an expelled one can ask for reconsideration only after five, and any returns transmitted under a suspended or expelled EFIN are rejected automatically by the IRS. You can appeal a suspension or an expulsion through the Administrative Review Process, though a written reprimand can't be appealed because it carries no immediate consequence. The IRS can also make the action public: it may list in the Internal Revenue Bulletin the name and owner of any entity suspended, expelled, or revoked from e-file.

This is where "can" earns its weight. The IRS decides, in its own stated opinion, which impact level a violation falls into, and that discretion is wide. As a federal court put it in 2025, quoting Publication 3112, "in certain circumstances, the IRS can immediately suspend or expel a Provider, Principal or Responsible Official without warning or notice." If you ever receive a sanction letter, the deadlines are short (you generally have 30 days to respond or appeal), and what's at stake is your e-file access, so talk to a tax attorney or another qualified professional before you reply.

What happened when one firm fought an EFIN suspension

At a glance

Zirin Tax Co. v. United States (U.S. District Court, E.D.N.Y., No. 24-cv-01511)

Timeline
EFINs suspended Feb 2024 · suit dismissed Oct 15, 2025
What the IRS did
Suspended the firm's EFINs for two years
Stated basis (per the record)
A criminal investigation had determined that fraudulent returns were filed using the EFINs (the underlying fraud was never adjudicated)
Outcome
The court refused to restore the EFINs and dismissed the suit, holding that an EFIN is not constitutionally protected property and that the decision to suspend is committed to the IRS's discretion
Prepared by Safeguards Monitor from the court record (E.D.N.Y. No. 24-cv-01511) and IRS Publication 3112.

The firm argued that losing e-file was "existential," that it couldn't run a tax practice without the ability to e-file. The court didn't accept that. It pointed out that the firm had kept filing hundreds of returns on paper during the case, and it held that the ability to e-file isn't a constitutionally protected property interest. The suspension stood.

Two honest takeaways, and they pull in opposite directions:

  1. The consequence is real and fast. The IRS suspended first and disclosed little about its basis, and the court didn't require more.
  2. It isn't an automatic death sentence. Paper filing stayed available, and a preparer under an e-file sanction is administratively exempt from the e-file mandate for the length of that sanction (IRS Notice 2011-26). The fear that matches reality is "a severe operational hit," not "your business is instantly over."

Notice the posture, because it changes what you should guard against. In Zirin, the firm itself was the subject of a criminal investigation. The more common risk for a careful preparer is EFIN theft, where a criminal steals your EFIN and files fraudulent returns under it. There you're the victim, not the target, and the IRS's own process is to inactivate the compromised EFIN and issue you a new one after you verify your identity. Monitoring and protecting your EFIN is how you catch that early, before someone else's fraud becomes your problem. If a compromise or breach has already happened, the first-response steps are different; see our data-breach reporting runbook.

Why EFIN theft is a live threat right now

EFIN theft is a recurring phishing scam. Criminals pose as your tax-software provider or as the IRS and ask you to "verify" or hand over your EFIN documents, then use them to file fraudulent refund returns. The IRS warned about this exact scam in February 2024 (IR-2024-36) and has kept warning about it since (see also Tax Tip 2025-57). The risk climbs during filing season, when a stolen EFIN can be used to push through fraudulent returns fastest.

The tells the IRS flagged: an email pressing you to fax EFIN documents, "helpful" instructions to pull your EFIN Application Summary from e-Services, and small inconsistencies in the wording. The move is simple. Never send EFIN information by email or fax, and confirm any request through your software provider's own verified portal.

How to protect your EFIN (a short routine)

  1. Watch your EFIN return count. In IRS e-Services, open your EFIN Status and match the number of returns the IRS received to your own records. The IRS updates this count weekly and recommends checking during filing season. A count higher than you filed can mean your EFIN is compromised; call the IRS e-help Desk at 866-255-0654 (how the IRS says to monitor it).
  2. Keep your e-file application current. Update it within 30 days of any change to your address, phone, or the principals and responsible officials on file.
  3. Never confirm your EFIN by email. Requests to "verify" your EFIN belong in your software provider's verified portal, not in an email or fax reply.
  4. Lock down the accounts that hold it. Use strong, unique passwords and multi-factor authentication on both your e-Services account and your tax software. (MFA is required under the FTC Safeguards Rule, with a narrow written exception a firm's Qualified Individual can approve.)
  5. Keep the written plan the rule already requires. The FTC Safeguards Rule requires a written information security plan, and the IRS points preparers to Publication 4557, "Safeguarding Taxpayer Data," for the baseline; we cover Publication 4557, explained, on its own page. A plan you actually follow is what breaks the phishing-to-fraud chain before it ever reaches your EFIN.

Most firms don't fail this because the steps are hard. They fail because no one wrote the plan down and no one checks it. If you don't have a written information security plan yet, start with a real one instead of a blank form.

What EFIN loss does, and doesn't, mean

It does not legally shut your business. You can file on paper, and while a sanction is in effect you're administratively exempt from the e-file mandate; a court has said much the same. What it does do is real: for a firm built on e-file, paper filing is slow, a compromise is disruptive while you sort it out, and rebuilding standing with the IRS takes time. A suspended EFIN can be reactivated once the suspension period ends; an expelled one generally can't come back for five years, and even reapplying for a fresh EFIN takes weeks.

On the money question: EFIN sanctions are about your e-file access, not a fine. Separate FTC and IRS monetary penalties can apply to data-security and disclosure failures. Those figures, with their primary sources, live on one dedicated page here.

FAQ

Can the IRS revoke my EFIN without warning?

In certain circumstances, yes. For the most serious (Level Three) infractions, the IRS reserves the right to act before administrative review. As a federal court noted in 2025, quoting Publication 3112, the IRS "can immediately suspend or expel a Provider ... without warning or notice." You can appeal a suspension or expulsion, but not a written reprimand.

Does losing my EFIN affect my PTIN?

No. The EFIN belongs to the firm and authorizes e-filing; the PTIN identifies you as an individual preparer. A firm can lose its EFIN while its preparers keep their PTINs, and the reverse is true too. You need both to run a practice, but they sit on separate tracks.

Do I actually have to e-file?

If you reasonably expect to file 11 or more covered returns for individuals, trusts, or estates in a calendar year, you're a "specified tax return preparer" and generally must e-file (26 CFR § 301.6011-7). Undue-hardship waivers and some exemptions exist, including an automatic one while an e-file sanction is in effect.

How often should I check my EFIN return count?

The IRS updates the count weekly and suggests checking during filing season. Match it to your records; if it's higher than what you filed, call the e-help Desk at 866-255-0654.

Someone stole my EFIN. What happens now?

The IRS inactivates a compromised EFIN and issues a new one after a principal or responsible official verifies identity, and it may open a fraud referral. Report it, then watch for returns filed under your number.

The bottom line

The IRS can take your EFIN over a data-security failure, and it doesn't need a courtroom to do it. What prevents that is ordinary: watch your return count, guard the credentials that unlock it, and keep a written plan you actually follow. Start with the plan.