
FTC Safeguards Rule - What Firms Need To Know

  • Writer: Tyler Bartley
  • Jun 19, 2025

If your accounting or tax practice handles sensitive client information, the FTC Safeguards Rule applies to you. As cybersecurity threats continue to rise, the Federal Trade Commission (FTC) is stepping up enforcement to ensure businesses protect consumer data. In this article, we’ll break down what the Safeguards Rule is, who it affects, and what your firm needs to do to stay compliant.


What Is the FTC Safeguards Rule?

The FTC Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA) and mandates that certain financial institutions — including accounting and tax firms — develop, implement, and maintain a comprehensive written information security program. The goal is to ensure the security of customer information.


While the rule isn’t new, recent amendments significantly expanded the requirements, and small firms are no longer exempt from scrutiny.


Who Must Comply?

If your firm is “significantly engaged” in providing financial products or services — including preparing taxes, offering financial planning, or advising clients on credit or debt matters — you are likely considered a financial institution under the rule.

Examples of covered entities:

  • CPA firms handling tax return preparation

  • Bookkeepers who offer payroll or loan assistance

  • Enrolled agents and tax preparers collecting personal financial data

Even sole practitioners and small firms are now within the FTC’s enforcement scope.


Key Requirements of the Safeguards Rule

To comply, your firm must implement a written information security plan tailored to the size and complexity of your operations. Here are the core components:

1. Appoint a Qualified Individual

Designate someone — internal or external — to oversee your information security program.

2. Conduct a Risk Assessment

Identify and document potential risks to customer data. This includes physical, technical, and administrative vulnerabilities.

3. Implement Safeguards

Based on your risk assessment, apply appropriate security measures. This may include:

  • User access controls

  • Encryption of sensitive data

  • Multi-factor authentication (MFA)

  • Secure disposal of client records

4. Monitor and Test Your Program

Regularly test your safeguards, either continuously (automated tools) or annually (manual review).

5. Train Your Staff

Employees and contractors must receive security awareness training that’s relevant and current.

6. Have a Written Incident Response Plan

Be ready to detect, respond to, and recover from security events.

7. Service Provider Oversight

Vet vendors who have access to customer data and ensure they meet security requirements.


Why It Matters

Your clients trust you with some of their most sensitive personal and financial information. A data breach not only risks that trust; it can also trigger legal penalties, regulatory investigations, and long-term reputational harm.


While penalties vary widely, average estimates range from $10,000 to $50,000 per violation, per day.


Next Steps for Compliance

If your firm hasn’t yet formalized its cybersecurity practices, don’t panic — but don’t delay. Here are some steps to consider:

  • Engage a qualified consultant to help with your risk assessment and documentation

  • Develop or update your Written Information Security Plan (WISP)

  • Train your staff on their responsibilities under the Safeguards Rule

  • Schedule an internal or third-party review of your current safeguards


Final Thoughts

Complying with the FTC Safeguards Rule isn’t just about checking a regulatory box; it’s about protecting your clients, your reputation, and your business. With the right approach, even small firms can meet the requirements without overburdening their operations.


