
What the FTC Safeguards Rule Requires of CPA Firms

The FTC Safeguards Rule applies to tax preparers and most CPA firms. Here is what the rule requires, what a written information security program needs to contain, and what the small business exemption actually covers.

By Hammad Arain · Arain Systems

Who the FTC Safeguards Rule covers

Most CPA and tax preparation firms are covered.

The FTC Safeguards Rule (16 CFR Part 314) was enacted under the Gramm-Leach-Bliley Act, which defines "financial institution" broadly to include tax preparation firms, accounting firms that provide financial services, insurance agencies, investment advisors, mortgage companies, and real estate settlement services companies. If your firm prepares tax returns, manages client financial records, or handles any customer financial information, the rule almost certainly applies.

The FTC has enforcement authority over financial institutions that are not regulated by other federal agencies. That category covers most CPA firms and independent tax preparers.

The 2021 update to the Safeguards Rule significantly expanded the requirements. The updated rule became effective for most provisions in December 2022.

What the rule requires

The core obligation is to develop, implement, and maintain a written information security program (WISP) that protects customer financial information. "Customer information" means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form.

Your written program must include the following elements.

A Qualified Individual. You must designate one person to oversee your information security program. This does not need to be a full-time employee. The rule allows an outside contractor or IT provider to hold the designation, but your firm keeps responsibility for compliance and must name a senior employee to oversee the arrangement. The Qualified Individual must report to your board of directors (or equivalent governing body) at least annually on the state of the program.

A risk assessment. You must identify the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. The assessment must be documented. This is not a checkbox. It is a written record of what you reviewed, what you found, and what you concluded.

Safeguards to address identified risks. Based on the risk assessment, you must implement controls that adequately address the risks you identified. The rule specifies several categories: access controls, data inventory and classification, encryption of customer information, secure development practices (for firms that build software), multi-factor authentication, secure disposal of customer information, change management procedures, and monitoring and testing.

Workforce training. Staff who handle customer information must receive security awareness training. The training must address the risks your assessment identified.

Service provider oversight. Every vendor with access to your customer information must be selected based on their ability to maintain appropriate safeguards. Your contracts with them must require appropriate safeguards. You must periodically review their performance.

A regular review and update process. The program must be reviewed and updated whenever material circumstances change. This includes changes in business operations, results of monitoring and testing, and changes in the threat environment.

An incident response plan. You must have a written plan for responding to a security event. The plan must address the roles of those involved, internal processes for breach response, notification procedures, and how the event will be documented.

The small business exemption

Firms that maintain customer information on fewer than 5,000 consumers have a reduced set of requirements. Specifically, firms below this threshold are not required to:

  • Keep the risk assessment in writing (the underlying duty to base your program on a risk assessment still applies)
  • Perform continuous monitoring or, in its place, annual penetration testing plus vulnerability assessments at least every six months
  • Maintain a written incident response plan
  • Provide the Qualified Individual's regular written report to the board or governing body

That is the full scope of the exemption. Everything else still applies. You still need an information security program; a Qualified Individual; safeguards such as access controls, encryption, and multi-factor authentication; workforce training; and service provider oversight.

Most small CPA firms and tax preparers that look at the exemption assume it covers more than it does. It removes four specific requirements, not the program itself.

What the notification requirement means

The updated rule added a requirement to notify the FTC when a security breach affects the information of 500 or more customers. Notification must occur as soon as possible, and no later than 30 days after discovery. The FTC publishes these notifications on its website.

For smaller incidents (under 500 customers), notification to the FTC is not required. State law may require notification to affected customers depending on the nature of the data and the state.

What happens without a program

The FTC can bring enforcement actions against covered financial institutions that fail to maintain a compliant information security program. State attorneys general also have enforcement authority under the Gramm-Leach-Bliley Act. These are the facts of the rule, not a prediction about your firm.

The practical value of the program is what it saves you on an ordinary day. Most cyber insurance applications now ask whether you maintain a written information security program, a risk assessment, and multi-factor authentication. Answering yes is what lets a small firm qualify and bind coverage; answering no can raise the premium, narrow the policy, or leave a claim open to dispute later. If your firm does experience a breach, having the documented program, the risk assessment, and evidence of the controls you ran means an FTC or state inquiry starts from your own records rather than from a blank file. Documentation is not a guarantee of any outcome. It is the evidence of due diligence that supports an insurance claim and shortens an investigation, and for a 5 to 15 person office it is far cheaper to maintain than a denied claim or a disputed policy is to absorb.

What I do for CPA firms and financial offices

For CPA firms, insurance agencies, investment advisors, and title offices in Houston, the work is building and maintaining a written information security program that meets the FTC Safeguards Rule requirements.

The engagement starts with the free 14-Point Safeguards Gap Report on your current environment: what customer data you hold, where it lives, how it is protected today, and where the gaps are relative to the rule's requirements. It produces a written findings report and a prioritized fix list. No commitment is required to receive the findings.

From there, I support your designated Qualified Individual, implement the technical controls the program requires, maintain the risk assessment documentation, provide workforce training documentation, and review your vendor agreements. The written program is something I help you build and maintain, not a one-time deliverable.

If you have questions about whether the rule applies to your firm, reach out through the contact page.


Hammad Arain is the founder of Arain Systems. He has six years in IT including MSP work with banks, financial firms, and compliance-regulated environments.

Written by Hammad Arain, founder of Arain Systems. CCNA, CompTIA Security+, Microsoft AZ-104. Updated June 2026. Educational, not legal advice.