If you own or manage a CPA firm in Connecticut, WISP compliance is not optional — it is a federal legal requirement. A Written Information Security Plan is mandated by the IRS for every tax professional and required by the FTC Safeguards Rule for every firm handling client financial data. Yet most Connecticut CPA firms either don’t have one, have one that’s outdated, or have one that doesn’t reflect their actual technology environment. At MR. Computer, LLC we help Connecticut accounting firms get compliant quickly and affordably. Here’s everything you need to know.
What Is a WISP and Why Does Your Connecticut CPA Firm Need One?
A Written Information Security Plan — commonly called a WISP — is a formal document that describes how your firm protects client data. It outlines your security controls, your risk assessment process, your employee training procedures, your vendor oversight and your incident response procedures.
The FTC Safeguards Rule under the Gramm-Leach-Bliley Act classifies CPA firms and tax preparers as financial institutions — meaning WISP compliance is not a best-practice suggestion. It is federal law. IRS Publication 4557 further reinforces this requirement specifically for tax professionals. When you renew your PTIN each year, you are confirming awareness of these requirements. Falsely claiming compliance is considered perjury.
What Happens to Connecticut CPA Firms Without a WISP?
The consequences of non-compliance are serious and very real:
- FTC fines — up to $100,000 per violation per day for non-compliance
- Personal liability — firm partners and officers can face personal fines up to $10,000
- PTIN suspension — the IRS can suspend your PTIN, effectively halting your ability to practice
- Public breach reports — if your firm suffers a breach affecting 500 or more clients, you must notify the FTC within 30 days, and that report becomes publicly available
- Reputational damage — clients Google your firm after a breach and find the FTC report
According to the IRS Security Summit, nearly 300 data breaches affecting 250,000 clients were reported among tax professionals in the first half of 2025 alone. Connecticut CPA firms are not immune — they are prime targets because of the sensitive financial data they hold.
Does Your Small Connecticut CPA Firm Need a WISP?
Yes — but here is the good news. Firms with fewer than 5,000 consumer records qualify for the small firm exemption under Section 314.6 of the FTC Safeguards Rule. This means smaller practices are exempt from four of the most burdensome requirements:
- Formal written risk assessment criteria
- Annual penetration testing
- Bi-annual vulnerability scans
- Formal written incident response plan
- Annual written report to board or senior officer
However — small firms still must have a WISP document, MFA on all systems, encrypted data backup, access controls, employee training, vendor oversight and FTC breach notification procedures. Getting compliant is simpler than most small firm owners think.
What Must a Connecticut CPA Firm WISP Include?
At minimum your WISP must address these core requirements:
1. Designated Qualified Individual
Every firm must designate a specific person responsible for the information security program. In a small firm, this is typically the owner or managing partner. As your managed IT provider, MR. Computer can serve as your Qualified Individual — taking this responsibility off your plate entirely.
2. Risk Assessment
Your WISP must include a documented risk assessment identifying where client data lives, who has access, and what threats exist. For small firms this does not need to be an elaborate document — but it must be written and reviewed periodically.
3. The IRS Security Six — Technical Controls
Every CPA firm regardless of size must implement the IRS Security Six:
- Antivirus software — installed and updated on all devices
- Firewall — protecting your network
- Multi-factor authentication (MFA) — required on ALL systems with client data
- Encrypted data backup — automated, tested regularly
- Drive encryption — all devices with client data must be encrypted
- VPN — required for all remote access to firm systems
4. Access Controls
Only staff who need access to client data should have it. Access controls must be documented in your WISP and reviewed when staff join or leave.
5. Employee Training
Staff must receive documented security awareness training. This includes recognizing phishing emails, handling client data securely and understanding your firm’s security policies.
6. Vendor Oversight
Every vendor with access to client data — your tax software provider, cloud storage, email provider — must be identified in your WISP with documented oversight procedures.
7. FTC Breach Notification
Your WISP must include your breach notification procedure. If a breach affects 500 or more clients, you must notify the FTC within 30 days via their online form at ftc.gov. That report becomes publicly available — which is exactly why preventing breaches matters so much.
The Most Common WISP Mistakes Connecticut CPA Firms Make
After working with accounting firms throughout Connecticut, we see the same mistakes repeatedly:
- Using a generic template — a WISP must reflect your actual technology environment, not a one-size-fits-all document
- Never updating it — a WISP from 2022 with no revision history will not satisfy a 2026 audit
- No MFA implemented — the most common gap we find in our assessments
- Untested backups — having a backup is not enough — it must be tested and documented
- No vendor documentation — most firms have no written vendor oversight process
How MR. Computer Helps Connecticut CPA Firms Achieve WISP Compliance
MR. Computer, LLC has been providing IT support for Connecticut businesses since 2005. We offer a straightforward $250 WISP Compliance Assessment specifically designed for Connecticut CPA firms and accounting practices. Here’s what it includes:
- Complete IT security audit of your firm’s technology environment
- Review of your existing WISP — or creation of one if you don’t have it
- IRS Security Six compliance check
- Gap analysis identifying exactly what’s missing
- Written Report of Findings — a professional document you can keep on file
- Recommended remediation plan with clear next steps
We serve accounting firms throughout Connecticut including New Haven, Meriden, Middletown, Hamden, Waterbury, West Haven, Wallingford, Hartford and surrounding communities.
Get Your Connecticut CPA Firm WISP Compliant Today
WISP compliance is not as complicated or expensive as most CPA firm owners assume. The right IT partner makes it straightforward. MR. Computer has been helping Connecticut small businesses stay secure and compliant for over 20 years.
Call us at (203) 269-1739 to schedule your $250 WISP Compliance Assessment. We serve CPA firms and accounting practices throughout Connecticut with fast, local and personalized IT support.



