Skip to content

IRS Publication 4557, Explained: What Binds You, What Guides You, and What to Do with the Checklist

Checked against the primary record: July 17, 2026Source revision: Pub 4557 (Rev. 6-2024)

Dolev Arama, Founder/Last updated July 18, 2026/Every figure primary-sourced

The short answer

IRS Publication 4557, Safeguarding Taxpayer Data, is the IRS's data-security guide for tax professionals. It maps your duties to the laws behind them and builds to a working checklist. The publication itself is guidance. The duties are law, chiefly the FTC Safeguards Rule. Here is how to read it, and what to actually do with it.

This guide explains IRS Publication 4557: what it covers, which obligations behind it are binding, and how to use its checklist. It is general information, not legal advice for your specific situation. For that, consult a qualified professional.

What is IRS Publication 4557?

Publication 4557 ("Safeguarding Taxpayer Data: A Guide for Your Business") is the IRS's security handbook for tax practices. The current revision is June 2024 (Rev. 6-2024, Catalog Number 48905Y), and it runs in five parts: an introduction that states the legal duty, two practice sections ("Protect Your Clients; Protect Yourself" and "Be on Guard"), a "Report and Respond" section for incidents, and a closing section called "Comply with the FTC Safeguards Rule" that carries the formal checklist. A glossary ends it.

You were probably sent here by something: a software vendor's security notice, a Security Summit reminder, a peer, or the IRS's own Protect Your Clients; Protect Yourself hub, which links the publication near the top. That routing is the pub's actual job. It is the orientation document the IRS points every preparer to, and nearly every data-security duty you have shows up somewhere in its pages. What it is not: a law, a certification standard, or a finished security plan. The next three sections take those in order.

Is Publication 4557 legally binding?

No. Publication 4557 is IRS guidance, and nothing in it creates a legal duty on its own. What makes the question worth asking is that the duties it describes are binding; they just come from outside the publication. The pub is unusually direct about this, naming its own legal ground in the opening lines:

Primary record

IRS Publication 4557, Introduction · Safeguarding Taxpayer Data

Protecting taxpayer data is the law. Federal law gives the Federal Trade Commission authority to set data safeguard regulations for various entities, including professional tax return preparers. According to the FTC Safeguards Rule, tax return preparers must create and enact security plans to protect client data. See Publication 5708 for information on creating a written information security plan. Failure to do so may result in an FTC investigation.
Prepared by Safeguards Monitor from IRS Publication 4557 (irs.gov), current as of July 2026.
Publication 4557, Rev. 6-2024 · Verified July 17, 2026

Unpack that and you get the three layers that actually bind a tax practice. First, the FTC Safeguards Rule (16 CFR Part 314), the regulation behind the pub's "must create and enact security plans" sentence; our Safeguards Rule guide walks it element by element against the rule text. Second, the tax code's own confidentiality statutes: for a preparer, knowingly or recklessly disclosing return information, or using it for anything beyond preparing the return, is a federal misdemeanor under 26 USC 7216, with a civil-penalty counterpart at 26 USC 6713. Third, state law where your clients live: Massachusetts requires a written information security program of anyone holding its residents' personal information (201 CMR 17.00), and New York's SHIELD Act imposes a reasonable-safeguards duty (GBS 899-bb). Penalty exposure exists on the books across these layers; this page deliberately carries no figures, because every penalty figure lives on one dedicated page with its source and as-of date.

One correction while we are here, because the field keeps blurring it. Pages in the field market services in "IRS 4557 compliant" terms (a live page-title pattern as of our July 2026 scans). Read the pub itself and the framing collapses: 4557 contains no certification mechanism, no seal, no filing, and no auditor. Its own vocabulary splits in two, stating the law in must-language ("tax return preparers must create and enact security plans") and framing its practice items as recommendations ("consider implementing the following practices"). You can follow Publication 4557; you cannot be certified against it. Any page claiming otherwise is selling the word "compliant," not a legal status.

Which of these layers reach your firm, and how far, depends on where your clients live and how your practice runs. If the binding-status map above leaves you unsure what applies to your firm, put that specific question to a qualified professional.

Which document does what?

Five documents circle every WISP conversation, and their jobs are easy to blur. Our WISP guide maps who requires what at the requirement level. Here is the usage map instead: which document you open, when, and what you do with it.

The document family around the written-plan duty, by usage
DocumentBinding?How you use it
IRS Publication 4557 (Rev. 6-2024)No. IRS guidance.Read it first, for orientation. Work its checklist, marking each item done, needed, or not applicable, and carry every gap into your plan.
IRS Publication 5708 (Rev. 8-2024)No. IRS template.Open it when you sit down to write. Your 4557 checklist answers feed straight into its blanks, and the finished document is the plan itself.
IRS Publication 5709 (Rev. 5-2024)No. IRS overview.A capsule overview of the written-plan duty that points into 5708. Read it for a first orientation, or skip straight to the template.
16 CFR Part 314 (FTC Safeguards Rule)Yes. Federal regulation.Cite it, and check against it. When your plan names its legal basis, this is the citation; when a vendor page and the rule disagree, the rule text wins.
Form W-12, Line 11 (Rev. October 2025)The form is mandatory; Line 11 attests awareness.Check it truthfully at each PTIN renewal. The box records that you know the written-plan duty exists, under a perjury signature, so have the program behind it before you sign.
Prepared by Safeguards Monitor from the current IRS revisions (Pub 4557 Rev. 6-2024, Pub 5708 Rev. 8-2024, Pub 5709 Rev. 5-2024, Form W-12 Rev. October 2025) and the eCFR, current as of July 2026.

What is on the 4557 checklist?

The formal checklist sits in the pub's closing section, "Comply with the FTC Safeguards Rule," under the heading "Checklist for Creating Plan." It runs in three areas: "Employee Management and Training" (hiring checks, confidentiality agreements, limiting access to those with a business need); "Information Systems" (knowing where client data lives, secure transmission, secure disposal); and "Detecting and Managing System Failures" (vendor patches, up-to-date protections, oversight procedures). The practice sections earlier in the pub are checklist material too, just not labeled that way. Here is the working pass, start to finish:

  1. Read the introduction as the legal frame. Two minutes. It states the duty ("Protecting taxpayer data is the law") and names the FTC rule behind it, so every checkbox after it has a reason.
  2. Work "Protect Your Clients; Protect Yourself" as your baseline-controls list. Security software, strong passwords, wireless security, and how stored client data is protected. Mark what your practice already does and what it lacks.
  3. Work "Be on Guard" as your threat-recognition list. The signs of data theft, monitoring your EFIN and PTIN activity, and the phishing patterns aimed at preparers. This is the section that turns staff into a defense.
  4. Note "Report and Respond" now, not mid-incident. Its first instruction is contacting the IRS through your Stakeholder Liaison, with law enforcement alongside. Copy the contact path into your own response notes today.
  5. Do the formal checklist in "Comply with the FTC Safeguards Rule." All three areas, every item, marked honestly at your firm's size. The "needed" answers are the whole point of the exercise.
  6. Carry every "needed" into the written plan. The checklist's output is the WISP's input: Publication 5708's fill-in blanks are where those answers land, and the pub itself points you there.

Notice what that pass produces and what it does not. You end holding a marked-up guide and a gap list, which is real progress. You do not end holding the central artifact the law asks your firm to have: the written program. The checklist tells you what; the plan is where your answers live. That step is on you, and it is smaller than the vendors selling it imply.

What is the Security Six, and is it mandatory?

The Security Six is the IRS's campaign name for six baseline protections for tax practices: anti-virus software, firewalls, two-factor authentication, backup software or services, drive encryption, and virtual private networks. The name and the list come from the Security Summit's 2019 campaign (Tax Tip 2019-117, August 27, 2019), and the framing there is best-practice language, protections tax professionals "should use," not a mandate.

The list has aged in one specific way, and tracking it tells you something about how IRS guidance moves. The 2019 tip says "two-factor authentication," and the IRS's living checklist page, Tax Security 2.0, still lists two-factor authentication among the six (page last reviewed October 8, 2025, as of our July 17, 2026 check). But in August 2024 the IRS announced that "All tax professionals are now required under the Federal Trade Commission's safeguards rule to use multi-factor authentication, or MFA, to protect clients' sensitive information" (IR-2024-201, August 6, 2024). The current Publication 4557 uses the multi-factor formulation as well, telling firms to implement it for anyone accessing customer information. And a detail worth knowing when you go looking: the current revision covers all six controls individually, but the name "Security Six" appears nowhere in it (Rev. 6-2024, checked July 17, 2026). The branding lives in the campaign materials, not the guide.

So is the Security Six mandatory? As a named list, no: the IRS's own framing has stayed "should use" since 2019. As individual controls, one of the six became binding by a different road. Multi-factor authentication sits on the Safeguards Rule's own list of required safeguards (16 CFR 314.4(c)), which is exactly what IR-2024-201 was announcing. The honest reading for a small firm: treat the six as the floor the IRS has pointed at for years, and treat MFA as a rule element your written plan has to address either way.

Does following 4557 satisfy the FTC Safeguards Rule?

Mostly, but not by itself, and the gap is precise. The overlap is real: the checklist's three areas track the rule's safeguards, and a firm that has honestly worked the pub has touched most of what 16 CFR 314.4 requires. But the rule demands specific acts no reading of a checklist performs. It requires your firm to designate a Qualified Individual to run the program (314.4(a)), to hold the comprehensive written program itself (314.3(a)), to bind service providers by contract and oversee them (314.4(f)), to evaluate and adjust the program as the practice changes (314.4(g)), and, since May 2024, to notify the FTC after qualifying breaches (314.4(j)). A fully ticked 4557 with none of those in writing leaves the rule unmet. The pub is the map; the rule is the territory, and our Safeguards Rule guide walks all of it against the rule text, including what the under-5,000-consumer exception does and does not waive.

FAQ

Do I have to read all of Publication 4557?

No. Read the introduction (the legal frame) and work the checklist areas that map to your practice; the working pass above orders it. The two practice sections matter most day to day, and the "Report and Respond" contact path is worth copying out before you ever need it. The glossary is reference material.

Should I start with Publication 4557 or 5708?

4557 first, briefly: it maps the duties and produces your gap list. Then 5708 to write the plan, feeding those answers into its blanks. They are companions, not competitors: 4557 is the what, 5708 is the where-it-gets-written, and 4557's own introduction points to 5708 by name.

Is the Security Six enough to make my firm compliant?

No list of tools makes a firm compliant, ours or the IRS's. The six are baseline controls framed by the IRS as protections preparers should use. The binding duty is a written information security program with the Safeguards Rule's required elements, of which multi-factor authentication is one. Run the six and you have a strong floor; write and run the program and you have what the rule actually asks for.

Does the IRS check or audit Publication 4557 compliance?

We can find no IRS program that audits preparers against Publication 4557 (an absence claim, so here is its depth: we checked the current publication itself, the IRS's tax-professional security pages, and this year's Security Summit materials, on July 17, 2026). The pressure arrives by other roads. The perjury-signed attestation returns with every PTIN renewal, and the e-file program needs no audit before acting: the IRS can suspend or expel a provider at its own discretion. The guide itself goes unchecked. The duties it maps do not.

Where does the official checklist live?

Inside the publication itself: the "Checklist for Creating Plan" sits in the "Comply with the FTC Safeguards Rule" section of the current PDF. The Security Summit's separate campaign checklist, Tax Security 2.0, lives on its own IRS page. Work the publication's version; skim the campaign's.

The bottom line

Publication 4557 is the IRS's own map of duties that are very much law, even though the map itself is not, and it costs a tax practice nothing but an afternoon. Read it with its two vocabularies in view, must for the legal frame and consider for the practices. Work the checklist honestly, then do the one thing no checklist does for you: put the written plan behind your answers.