Data Privacy Policy

Written Information Security Plan (WISP) for Frevitt Ranch Tax Prep and Internal Auditing LLC

Last Modified/Reviewed: 2025-05-16 

Annual review date: 2026-03-14

I. Objective

Our objective, in the development and implementation of this comprehensive Written Information Security Plan (WISP), is to create effective administrative, technical, and physical safeguards for the protection of the Personally Identifiable Information (PII) retained by Frevitt Ranch Tax Prep and Internal Auditing LLC (hereinafter the Firm). This WISP is intended to comply with the Firm's obligations under the Gramm-Leach-Bliley Act and the Federal Trade Commission Financial Privacy and Safeguards Rules. The WISP sets forth our procedure for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting PII retained by the Firm. For purposes of this WISP, PII means information containing the first name and last name, or first initial and last name, of a taxpayer, spouse, dependent, or legal guardian in combination with any of the following data elements retained by the Firm that relate to clients, business entities, or Firm employees: 

  • Social Security number, Date of Birth or Employment data.

  • Driver’s license number or state-issued identification card number. 

  • Income data, Tax Filing data, Retirement Plan data, Asset  Ownership data, Investment data. 

  • Financial account number, credit or debit card number, with or without security code, access code, personal identification number, or password(s) that permit access to a client's financial accounts. 

  • E-mail addresses, unlisted phone numbers, and residential, mobile, or other contact information. 

PII shall not include information that is obtained from publicly available  sources such as a Mailing Address or Phone Directory listing; or from federal,  state or local government records lawfully made available to the general  public.

II. Purpose

The purpose of the WISP is to: 

  • Ensure the Security and Confidentiality of all PII retained by the  Firm. 

  • Protect PII against anticipated threats or hazards to the security or  integrity of such information. 

  • Protect against any unauthorized access to or use of PII in a manner that creates a substantial risk of Identity Theft or Fraudulent or  Harmful use. 

III. Scope

The Scope of the WISP related to the Firm shall be limited to the following  protocols: 

  • Identify reasonably foreseeable internal and external risks to the  security, confidentiality, and/or integrity of any electronic, paper, or  other records containing PII. 

  • Assess the potential damage of these threats, taking into  consideration the sensitivity of the PII. 

  • Evaluate the sufficiency of existing policies, procedures, customer  information systems, and other safeguards in place to control  identified risks. 

  • Design and implement this WISP to place safeguards that minimize those risks, consistent with the requirements of the Gramm-Leach-Bliley Act, the Federal Trade Commission Financial Privacy and Safeguards Rule, and National Institute of Standards and Technology (NIST) recommendations, and regularly monitor and assess the effectiveness of those safeguards.

IV. Identified Responsible Officials 

Frevitt Ranch Tax Prep and Internal Auditing LLC has designated Katharine Leavitt to be the Data Security Coordinator (hereinafter the DSC). The DSC is the official responsible for the Firm's data security processes and will implement, supervise, and maintain the WISP. Accordingly, the DSC will be responsible for the following, if applicable: 

  • Implementing the WISP, including all daily operational protocols. 

  • Identifying all the Firm’s repositories of data subject to the WISP  protocols and designating them as Secured Assets with Restricted  Access. 

  • Verifying all employees have completed recurring Information Security  Plan Training. 

  • Monitoring and testing employee compliance with the plan’s policies  and procedures. 

  • Evaluating the ability of any third-party service providers not directly  involved with tax preparation and electronic transmission of tax  returns to implement and maintain appropriate security measures for  the PII to which we have permitted them access. 

  • Requiring third-party service providers to implement and maintain  appropriate security measures that comply with this WISP.

  • Reviewing the scope of the security measures in the WISP at least  annually or whenever there is a material change in our business  practices that affect the security or integrity of records containing PII. 

  • Conducting an annual training session for all owners, managers,  employees, and independent contractors, including temporary and  contract employees who have access to PII enumerated in the  elements of the WISP. All attendees at such training sessions are  required to certify their attendance at the training and their familiarity  with our requirements for ensuring the protection of PII. 

Frevitt Ranch Tax Prep and Internal Auditing LLC has designated Katharine Leavitt to be the Public Information Officer (hereinafter the PIO). The PIO will be the firm’s designated public statement spokesperson. To prevent  misunderstandings and hearsay, all outward-facing communications should  be approved through this person who shall be in charge of the following, if applicable: 

  • All client communications by phone conversation or in writing.

  • All statements to law enforcement agencies. 

  • All releases to news media. 

  • All information released to business associates, neighboring  businesses, and trade associations to which the firm belongs. 

V. Inside the Firm Risk Mitigation

To reduce internal risks to the security, confidentiality, and/or integrity of  any retained electronic, paper, or other records containing PII, the Firm has  implemented mandatory policies and procedures as follows: 

PII Collection and Retention Policy 

  • We will only collect the PII of clients, customers, or employees that  is necessary to accomplish our legitimate business needs, while  maintaining compliance with all federal, state, or local regulations. 

  • Access to records containing PII is limited to employees whose  duties, relevant to their job descriptions, constitute a legitimate  need to access said records, and only for job-related purposes. 

  • The DSC will identify and document the locations where PII may be stored on the Company premises: 

    • Laptop Computers 

  • Designated written and electronic records containing PII shall be  destroyed or deleted at the earliest opportunity consistent with  business needs or legal retention requirements. 

    • Paper-based records shall be securely destroyed by incineration at the end of their service life. 

    • Electronic records shall be securely destroyed using a media sanitization method consistent with NIST SP 800-88, for example overwriting the drive, cryptographically erasing a BitLocker-encrypted drive by destroying its key, or physically destroying the media. Deleting the file directory or reformatting the drive does not remove the underlying data and is not sufficient on its own. 

Personnel Accountability Policy 

  • A copy of the WISP will be distributed to all current employees and  to new employees on the beginning dates of their employment. It  will be the employee's responsibility to acknowledge in writing, by  signing the attached sheet, that he/she/they received a copy of the  WISP and will abide by its provisions. Employees are actively  encouraged to advise the DSC of any activity or operation that  poses risk to the secure retention of PII. If the DSC is the source of  these risks, employees should advise any other Principal or the  Business owner. 

    • The firm will create and establish general Rules of Behavior  and Conduct regarding policies safeguarding PII according to  IRS Pub. 4557 Guidelines. 

    • The Firm will review an existing employee's role and need-to-know before granting that employee new access to PII. 

    • The Firm may require non-disclosure agreements for  employees who have access to the PII of any designated client determined to have highly sensitive data or security concerns  related to their account. 

    • The DSC or designated authorized representative will immediately  train all existing employees on the detailed provisions of the Plan.  All employees will be subject to periodic reviews by the DSC to  ensure compliance. 

  • All employees are responsible for maintaining the privacy and integrity of the Firm's retained PII. Any paper records containing PII are to be secured appropriately when not in use. Employees may not leave files containing PII open on their desks when they are not at their desks. Any computer file stored on the company network containing PII will be encrypted; password protection that does not encrypt the file contents is not sufficient on its own. Computers must be locked when employees are not at their desks. At the end of the workday, all files and other records containing PII will be secured by employees in a manner consistent with the Plan's rules for protecting the security of PII. 

  • Any employee who willfully discloses PII or fails to comply with these policies will face immediate disciplinary action up to and including termination of employment. 

  • Terminated employees’ computer access logins and passwords will  be disabled at the time of termination. Physical access to any  documents or resources containing PII will be immediately  discontinued. Terminated employees will be required to surrender  all keys, IDs or access codes or badges, and business cards that  permit access to the firm’s premises or information. Terminated  employees’ remote electronic access to personal information will be disabled; voicemail access, e-mail access, Internet access, Tax  Software download/update access, accounts and passwords will be  inactivated. The DSC or designee shall maintain a highly secured  master list of all lock combinations, passwords, and keys, and will  determine the need for changes to be made relevant to the  terminated employee’s access rights. 

PII Disclosure Policy 

  • No PII will be disclosed without authenticating the receiving party  and without securing written authorization from the individual  whose PII is contained in such disclosure. Access is restricted for  areas in which personal information is stored, including file rooms,  filing cabinets, desks, and computers with access to retained PII. An  escort will accompany all visitors while within any restricted area of  stored PII data. 

  • The Firm will take all possible measures to ensure that employees  are trained to keep all paper and electronic records containing PII  securely on premises at all times. When there is a need to bring  records containing PII offsite, only the minimum information  necessary will be checked out. Records taken offsite will be  returned to the secure storage location as soon as possible. Under  no circumstances will documents, electronic devices, or digital media containing PII be left unattended in an employee’s car, home, or in any other potentially insecure location. 

  • All security measures in this WISP shall be reviewed annually,  beginning 2026-03-14 to ensure that the policies contained in the  WISP are adequate and meet all applicable federal and state  regulations. Changes may be made to the WISP at any time they  are warranted. When the WISP is amended, employees will be  informed in writing. The DSC and principal owners of the firm will be responsible for the review and modification of the WISP, including  any security improvement recommendations from employees,  security consultants, IT contractors, and regulatory sources. 

  • Frevitt Ranch Tax Prep and Internal Auditing LLC shares Employee PII  in the form of employment records, pension and insurance  information, and other information required of any employer. The  Firm may share the PII of our clients with the state and federal tax  authorities, Tax Software Vendor, a bookkeeping service, a payroll  service, a CPA firm, an Enrolled Agent, legal counsel, and/or  business advisors in the normal course of business for any Tax  Preparation firm. Law enforcement and governmental agencies may also have customer PII shared with them in order to protect our  clients or in the event of a lawfully executed subpoena. An IT  support company may occasionally see PII in the course of  contracted services. Access to PII by these third-party organizations  will be the minimum required to conduct business. Any third-party  service provider that does require access to information must be  compliant with the standards contained in this WISP at a minimum.  The exceptions are tax software vendors and e-Filing transmitters;  and the state and federal tax authorities, which are already  compliant with laws that are stricter than this WISP requires. These  additional requirements are outlined in IRS Publication 1345. 

Reportable Event Policy 

  • If there is a Data Security Incident that requires notification under regulatory laws such as the Gramm-Leach-Bliley Act, there will be a mandatory post-incident review by the DSC of the events and the actions taken. The DSC will determine whether any changes in operations are required to improve the security of retained PII for which the Firm is responsible. Records of changes or amendments to the Information Security Plan will be tracked and kept on file as an addendum to this WISP. 

  • The DSC is responsible for maintaining any Data Theft Liability  Insurance, Cyber Theft Insurance Riders, or Legal Counsel on  retainer as deemed prudent and necessary by the principal  ownership of the Firm. 

  • The DSC will also notify the IRS Stakeholder Liaison, and state and  local Law Enforcement Authorities in the event of a Data Security  Incident, coordinating all actions and responses taken by the Firm.  The DSC or person designated by the coordinator shall be the sole  point of contact with any outside organization not related to Law  Enforcement, such as news media, non-client inquiries by other  local firms or businesses and other inquirers. 

VI. Outside The Firm Risk Mitigation

To combat external risks from outside the Firm network to the security, confidentiality, and/or integrity of electronic, paper, or other records containing PII, and to improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the Firm has implemented the following policies and procedures. 

Network Protection Policy 

  • All system security and software products shall be kept up to date and installed on every computer that accesses, stores, or processes PII on the Firm's network. This includes any third-party devices connected to the network. 

    • Operating system security patches. 

    • Anti-virus software. 

    • Anti-malware software. 

    • Internet security software. 

  • Secure user authentication protocols will be in place to:

    • Control username ID, passwords and Two-Factor  Authentication processes. 

    • Restrict access to currently active user accounts. 

    • Require strong passwords in a manner that conforms to  accepted security standards, including:

      • Upper-case letters. 

      • Lower-case letters. 

      • Numbers. 

      • Special characters. 

      • Twelve or more characters in length. 

      • No common passwords such as “Password” or  “12345.” 

    • Change all passwords at least every 6 months, or more often if conditions warrant, such as a user request or evidence of a compromise. 

    • Firm passwords must be unique: they must not be reused on other sites, and personal passwords must not be used for Firm business. Firm passwords are for access to Firm resources only and are not to be mixed with personal passwords. 

  • All computer systems will be continually monitored for unauthorized access or unauthorized use of PII data. Event Logging will remain  enabled on all systems containing PII. Review of event logs by the  DSC or IT partner will be scheduled at random intervals not to exceed 90 days. 

  • The Firm will maintain a firewall between the internet and the  internal private network. This firewall will be secured and  maintained by the Firm’s IT Service Provider. The Firewall will follow firmware/software updates per vendor recommendations for  security patches. Workstations will also have a software-based  firewall enabled. 

  • Operating System (OS) patches and security updates will be reviewed and installed continuously. The DSC will conduct a top-down security review at least every 30 days. 
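The monitoring bullet above requires that event logs on systems holding PII be reviewed at least every 90 days, and the Personnel Accountability Policy requires that terminated employees' logins be disabled. The following is an added example of what such a review can check, written for this page and not part of the Firm's WISP or any vendor's tooling. The log line format, the user names and addresses, the disabled-account list, and the failure threshold and window are all constructed assumptions; a real review would read the Windows Security log or the firewall's authentication log in whatever format that system produces.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example, not any vendor's):
#   <ISO-8601 timestamp> <host> auth: <SUCCESS|FAILED> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>SUCCESS|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Review thresholds (assumptions, not values taken from the WISP).
FAIL_THRESHOLD = 5                    # this many failures from one source ...
FAIL_WINDOW = timedelta(minutes=10)   # ... inside this sliding window

# Accounts that should have been disabled under the termination policy (constructed).
DISABLED_ACCOUNTS = {"jdoe"}

# Constructed sample log; user names and addresses are fictitious.
SAMPLE_LOG = """\
2025-05-12T08:01:10 ws-01 auth: FAILED user=afong src=203.0.113.9
2025-05-12T08:02:05 ws-01 auth: FAILED user=afong src=203.0.113.9
2025-05-12T08:03:40 ws-01 auth: FAILED user=afong src=203.0.113.9
2025-05-12T08:05:12 ws-01 auth: FAILED user=afong src=203.0.113.9
2025-05-12T08:06:58 ws-01 auth: FAILED user=afong src=203.0.113.9
2025-05-12T08:15:00 ws-01 auth: SUCCESS user=afong src=10.0.0.21
2025-05-12T09:10:33 ws-02 auth: FAILED user=rsmith src=192.0.2.5
2025-05-12T09:11:02 ws-02 auth: SUCCESS user=rsmith src=192.0.2.5
2025-05-12T09:12:00 ws-02 kernel: eth0 link is up
2025-05-12T17:45:19 ws-02 auth: SUCCESS user=jdoe src=198.51.100.7
"""


def parse_events(lines):
    """Parse authentication events; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def review_log(lines, disabled=DISABLED_ACCOUNTS):
    """Return findings as (kind, subject, detail) tuples for the DSC to follow up."""
    events = parse_events(lines)
    findings = []

    # Check 1: a successful login by an account that should be disabled means the
    # termination procedure was not completed (or the account was re-enabled).
    for ev in events:
        if ev["result"] == "SUCCESS" and ev["user"] in disabled:
            findings.append(("disabled-account-login", ev["user"], ev["src"]))

    # Check 2: password-guessing pattern, FAIL_THRESHOLD or more failures from one
    # source address inside a sliding FAIL_WINDOW (two-pointer sweep over sorted times).
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAILED":
            failures[ev["src"]].append(ev["ts"])
    for src, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                findings.append(("repeated-failures", src, end - start + 1))
                break
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the sample, the review reports the five failed logins from 203.0.113.9 within six minutes and the successful login by the disabled account jdoe; the two failures from 192.0.2.5 stay below the threshold and are not reported. The two-pointer sweep keeps the scan linear in the number of failures, so the same logic scales to a quarter's worth of logs.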

Firm User Access Control Policy 

  • The Firm will use two-factor authentication (2FA) for remote login, preferably via an authenticator app such as Google Authenticator or Duo, or otherwise via a cell phone text message (SMS codes are the weaker option because they can be intercepted or redirected through SIM swapping), and will adhere to the FTC Safeguards Rule, 16 C.F.R. § 314.4(c)(5), issued under the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809). That provision requires multi-factor authentication for any individual accessing any information system that holds customer information, not only remote access, unless the Qualified Individual has approved equivalent compensating controls in writing.

  • All users will have unique passwords to the computer network. The  firm will not have any shared passwords or accounts to our  computer systems, internet access, software vendor for product  downloads, and so on. The passwords can be changed by the  individual without disclosure of the password(s) to the DSC or any other Firm employee at any time. 

  • Passwords will be refreshed at least every 6 months and more often if conditions warrant. Note that current NIST guidance (SP 800-63B) recommends against forcing periodic changes and instead calls for changing a password when there is evidence of compromise and for screening new passwords against lists of commonly used or breached passwords; the 6-month interval is the Firm's own requirement rather than a NIST one. The DSC will notify employees when an accelerated password reset is necessary. 
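The password composition rules in the Network Protection Policy above (twelve or more characters, all four character classes, no common passwords) and the breached-password screening that NIST SP 800-63B recommends can be enforced at the point where a user sets a password. The following is an added example written for this page; it is not code from the Firm or from any tax software vendor. The denylist is a small constructed sample (a real deployment would load a large breached-password list), and the leet-speak substitution map and the normalization step are assumptions chosen so that trivial variants such as "P@ssw0rd2025!" do not slip past a literal match.

```python
import re
import unicodedata

# Composition rules as stated in the Network Protection Policy.
MIN_LENGTH = 12
CHARACTER_CLASSES = {
    "upper-case letter": re.compile(r"[A-Z]"),
    "lower-case letter": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed denylist for illustration only. A real deployment would load a
# large breached-password list (the blocklist check NIST SP 800-63B recommends).
COMMON_PASSWORDS = {
    "password", "passw0rd", "12345", "123456", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "taxes", "summer", "winter",
}

# Common character substitutions people use to dodge a literal denylist match
# (assumed mapping, not from any standard).
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Reduce a candidate to the dictionary word it is probably built on:
    case-fold, drop trailing digits/punctuation, then undo leet substitutions."""
    base = unicodedata.normalize("NFKC", candidate).casefold()
    base = re.sub(r"[^a-z]+$", "", base)   # "password2025!" -> "password"
    return base.translate(LEET_MAP)        # "p@ssw0rd"      -> "password"


def check_password(candidate: str) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(candidate):
            problems.append(f"missing {name}")
    # Check both the raw (case-folded) value and the normalized base word, so
    # all-digit entries like "12345" and dressed-up words are both caught.
    if candidate.casefold() in COMMON_PASSWORDS or normalize(candidate) in COMMON_PASSWORDS:
        problems.append("derived from a common password")
    return problems


if __name__ == "__main__":
    for pw in ["Glacier-Falcon-Mend-92", "Tr0ub4dor&3", "P@ssw0rd2025!"]:
        print(pw, "->", check_password(pw) or "OK")
```

Returning the full list of violations, rather than a single pass/fail, lets the enrollment screen tell the user exactly which rule they missed. Note that "P@ssw0rd2025!" satisfies every composition rule yet is rejected, which is the case the normalization step exists for; composition rules alone do not stop the passwords attackers try first.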

Electronic Exchange of PII Policy 

  • It is Firm policy that PII will not be transmitted in any unprotected format, such as in the body of a plain-text, rich-text, or HTML e-mail or as an unencrypted attachment. PII sent electronically must be encrypted, for example as an encrypted, password-protected attachment or through a secure portal. 

  • Passwords MUST be communicated to the receiving party via a method other than the one used to send the data, such as a phone call or SMS text message (out of band from the channel that carried the data). 

  • The Firm may use a Password Protected Portal to exchange  documents containing PII upon approval of data security protocols  by the DSC. 

  • Microsoft BitLocker (BitLocker To Go for removable media) or equivalent full-disk encryption will be used on removable drives, such as USB drives, that hold files containing PII. 

Wi-Fi Access Policy 

  • Wireless access (Wi-Fi) points or nodes, if available, will use strong encryption (WPA2 with AES, or WPA3); WEP and WPA with TKIP are not permitted. 

    • Firm Wi-Fi will require a password for access.

    • If Open Wi-Fi for clients is made available (guest Wi-Fi), it will  be on a different network and Wi-Fi node from the Firm’s  Private work-related Wi-Fi. 

  • All devices with wireless capability will have their default factory passwords changed to Firm-assigned passwords. Where a default password cannot be changed, the device's wireless capability will be disabled or the device will be replaced with one that is not wireless-capable. This includes, but is not limited to, all-in-one copiers and printers. 

Remote Access Policy 

Remote access will only be allowed using two-factor authentication (2FA) in addition to username and password authentication. 

Connected Devices Policy 

Any new devices that connect to the Internal Network will undergo a  thorough security review before they are added to the network. The Firm will ensure the devices meet all security patch standards and  login and password protocols before they are connected to the  network. 

The Firm or a certified third-party vendor will sanitize, consistent with NIST SP 800-88, the hard drives or memory storage devices the Firm removes from the network at the end of their respective service lives. 

The Firm runs approved and licensed anti-virus software on all servers, with virus and malware definitions updated automatically as they are released. The installation is checked weekly to confirm that protection is active and current. 

Information Security Training Policy 

All employees will be trained on maintaining the privacy and confidentiality of the Firm's PII. All new employees will be trained before PII access is granted, and periodic reviews or refreshers will be scheduled to keep all employees current on the Firm's information security requirements. Disciplinary action may be recommended for any employee who disregards these policies.

VII. Implementation 

Effective 2025-05-16, Frevitt Ranch Tax Prep and Internal Auditing LLC has created this Written Information Security Plan (WISP) in compliance with regulatory rulings regarding implementation of a written data security plan found in the Gramm-Leach-Bliley Act and the Federal Trade Commission  Financial Privacy and Safeguards Rules.