Need IT help now? Call (321) 221-7117 — We respond within 24 hours.

Need IT help? Help Desk Request Assistance Priority Intake
Cybersecurity

Renewing your PTIN this fall? Line 11 asks more than most preparers realize

Jul 17, 2026·4 min read·By Ric Acevedo

PTIN renewal opens in October. Most preparers move through it in about five minutes: confirm your details, pay the fee, done before December 31.

There’s one line in there worth slowing down for.

Form W-12, Line 11 reads: “As a paid tax return preparer, I am aware of my legal obligation to have a data security plan and to provide data and system security protections for all taxpayer information.” You check a box to confirm you’re aware of that responsibility — on a form you sign under penalty of perjury.

Read it closely, because the wording matters. Line 11 doesn’t ask you to prove you have a plan. It asks you to confirm you know you’re required to have one. The requirement itself comes from elsewhere — the FTC Safeguards Rule and IRS Publications 4557 and 5708 — and it applies whether or not you’ve ever looked at that box.

Which is arguably worse. You’re not signing up for an obligation. You’re acknowledging one you already have.

What the obligation actually covers

Here’s the part that surprises people: it isn’t only a document sitting in a folder. The IRS ties it to a set of practices for anyone handling taxpayer data:

  • A written security plan, with a named person responsible for it
  • Multi-factor authentication on accounts that touch client data
  • Current endpoint protection on the machines used for tax prep
  • Annual security awareness training for everyone in the office
  • A plan for what happens if data does get out

Why it matters more than it used to

The FTC Safeguards Rule now covers tax preparers directly. Two things follow from that.

First, penalties are real: civil penalties run north of $50,000 per violation. That’s not a parking ticket.

Second, there’s a clock. If a breach affects 500 or more people, you’re required to report it to the FTC within 30 days of discovering it. Thirty days is not very long when you’re also trying to work out what happened, tell your clients, and keep filing returns.

One useful nuance, and you won’t hear it from anyone selling you a template: firm size changes what you owe. If you hold information on fewer than 5,000 consumers, the Safeguards Rule exempts you from some of its requirements — including the written risk assessment and the written incident response plan. That does not make you exempt from the rule. It does mean a solo preparer and a 40-person firm are not carrying identical paperwork, and anyone telling you otherwise hasn’t read it.

The honest test

Forget the paperwork for a second. Ask yourself one question:

If someone asked you to prove it on Tuesday, could you?

  • Could you show that multi-factor authentication is switched on for every person who touches client data — not “we set that up,” but actually show it?
  • Could you produce this year’s training records for each person in the office?
  • Could you hand over the plan and point to the last time anyone reviewed it?
  • Do you know what happens in the first 30 days after a breach, before you have to find out the hard way?

A template someone filled in during 2023 and hasn’t opened since answers none of those. It’s a document, and what’s being asked for is a practice.

That’s not a criticism of templates. A template is a fine starting point. It’s just not evidence.

What to do between now and October

You have roughly ten weeks before renewal opens. That’s plenty, if you start.

  1. Find your current plan. If you can’t find it in five minutes, that’s your answer — and it’s a common one.
  2. Check MFA on everything that touches client data — email, your tax software, remote access, cloud storage. This is usually the fastest real improvement available.
  3. Write down who’s responsible. The plan needs a named person. It’s a requirement, and it’s also how things actually get done.
  4. Get training on the calendar before season starts, not during it.
  5. Read your incident plan out loud. If you don’t have one, that’s the piece that hurts most at 6pm on a Friday.

None of this needs to be perfect by October. It needs to be true.

If you’d rather not do it alone

We work with tax firms around Central Florida, and this comes up every year about this time. If you want a straight answer about where you stand — no sales pitch, no scare tactics — we’re happy to walk through it with you.

The goal isn’t a nicer PDF. It’s that when you check that box, what you’re acknowledging is actually true, and you could prove it.


Sources: IRS Form W-12 · IRS — PTIN requirements for tax return preparers · IRS Publication 4557, Safeguarding Taxpayer Data · IRS Publication 5708, Creating a WISP · FTC Safeguards Rule

Recent Articles

Is ChatGPT HIPAA Compliant for a Medical or Dental Practice?
Cybersecurity
Is ChatGPT HIPAA Compliant for a Medical or Dental Practice?
Jul 13, 2026
Cybersecurity
Federal Agencies Say AI Cyberattacks Are Months Away, Not Years. Here's What That Means for Your Business.
Jul 8, 2026
Voice Cloning Scams: The 2026 Attack Targeting Small Business Owners
Business IT
Voice Cloning Scams: The 2026 Attack Targeting Small Business Owners
Jun 15, 2026
Law Firm Cybersecurity: What Central Florida Attorneys Need in 2026
Business IT
Law Firm Cybersecurity: What Central Florida Attorneys Need in 2026
May 25, 2026
"We Already Have Windows Defender" — Why That's Not Actually a Security Strategy
Business IT
"We Already Have Windows Defender" — Why That's Not Actually a Security Strategy
May 18, 2026

Related posts

Digital Business Card