Accounting IT • 7 min read

CPA Firm Data Security: What the FTC Safeguards Rule Requires and How to Implement It

The FTC Safeguards Rule was significantly strengthened in 2023. CPA firms that haven't updated their information security programs are out of compliance.

Quick Answer

The FTC Safeguards Rule (updated June 2023) requires CPA firms and other tax preparers to implement a written information security program (WISP) that includes: risk assessment, employee training, access controls, encryption, multi-factor authentication, monitoring, and incident response. Firms with 5 or fewer employees are partially exempt. Penalties for non-compliance include FTC enforcement action and fines up to $50,120 per violation.

Who Is Covered by the FTC Safeguards Rule

The Safeguards Rule applies to "financial institutions" as defined by the Gramm-Leach-Bliley Act — and this definition includes CPA firms, tax preparers, bookkeepers, and other firms that provide financial advisory services. If you prepare tax returns, manage payroll, or provide financial planning services, you're covered.

The 2023 amendments created two tiers:

  • Firms with more than 5 employees: Must comply with the full updated Safeguards Rule requirements
  • Firms with 5 or fewer employees: Exempt from some specific requirements (annual penetration testing, independent security assessments) but still required to have a written information security program

The Nine Required Elements of Your Information Security Program

The updated Safeguards Rule specifies nine categories of safeguards. Your written information security program must address all of them:

1. Qualified Individual

Designate a specific individual responsible for your information security program. This can be an employee or a service provider (like your IT provider or a fractional CISO). The qualified individual must report to your board or senior leadership annually on the program's status.

2. Risk Assessment

Conduct a written risk assessment that identifies and classifies foreseeable security and privacy risks to customer information. The assessment must be updated whenever circumstances change materially.

3. Access Controls

  • Limit access to customer information to authorized users only
  • Implement the principle of least privilege — staff should only access what they need for their job
  • Control physical access to systems containing customer data

4. Encryption

Encrypt all customer information: in transit (TLS for email and web transmission) and at rest (full disk encryption on laptops, servers, and portable storage containing customer data).

5. Multi-Factor Authentication

The 2023 update explicitly requires MFA for any individual accessing any information system containing customer information. This is not optional — MFA must be deployed on email, tax software, document management, and any cloud service holding client financial data.

6. Secure Development

For firms developing or procuring applications to access customer information: implement secure development practices and procedures. For most CPA firms this applies to custom macros, integrations, or scripts that handle client data.

7. Change Management

Implement procedures to monitor and detect unauthorized changes to your systems. Security event logging and monitoring — reviewing logs for unauthorized access attempts — is required for firms above the 5-employee threshold.
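The log review this element describes can be made routine with a small script rather than a manual read-through. The following is an added example, not code from the article or from any vendor product: it takes authentication events in a constructed, simplified format (timestamp, outcome, account, source address) and flags the three patterns a reviewer most wants surfaced: repeated failures against one account, one source failing against many accounts, and a success that immediately follows a run of failures. The thresholds and window sizes are illustrative assumptions; the parser would be adapted to whatever your systems actually export (a CSV of Windows logon events, a cloud sign-in log, or a firewall VPN log).

```python
"""Review authentication events for unauthorized access attempts.

Added example for the Safeguards Rule's monitoring element; the log format
and thresholds below are constructed assumptions, not a standard.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: ISO timestamp, outcome, account, source IP.
SAMPLE_LOG = """\
2024-03-04T08:55:12 SUCCESS jsmith 203.0.113.10
2024-03-04T09:01:03 FAILURE mjones 198.51.100.7
2024-03-04T09:01:09 FAILURE mjones 198.51.100.7
2024-03-04T09:01:15 FAILURE mjones 198.51.100.7
2024-03-04T09:01:22 FAILURE mjones 198.51.100.7
2024-03-04T09:01:30 FAILURE mjones 198.51.100.7
2024-03-04T09:02:41 SUCCESS mjones 198.51.100.7
2024-03-04T09:10:00 FAILURE jsmith 192.0.2.44
2024-03-04T09:10:02 FAILURE kwong 192.0.2.44
2024-03-04T09:10:04 FAILURE ppatel 192.0.2.44
2024-03-04T09:10:06 FAILURE admin 192.0.2.44
2024-03-04T09:10:08 FAILURE rlee 192.0.2.44
2024-03-04T09:30:00 FAILURE kwong 203.0.113.22
2024-03-04T09:31:10 SUCCESS kwong 203.0.113.22
"""


def parse_events(text):
    """Turn the export into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, outcome, account, source = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "ok": outcome == "SUCCESS",
            "account": account,
            "source": source,
        })
    events.sort(key=lambda e: e["time"])
    return events


def failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts that saw >= threshold failed logins inside a sliding window.

    Returns {account: peak failure count in any one window}.
    """
    recent = defaultdict(deque)  # account -> deque of failure timestamps
    flagged = {}
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["account"]]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[e["account"]] = max(flagged.get(e["account"], 0), len(q))
    return flagged


def spray_sources(events, threshold=4, window=timedelta(minutes=10)):
    """Source addresses that failed against >= threshold distinct accounts
    inside a window (one source trying many accounts).

    Returns {source: peak number of distinct accounts targeted}.
    """
    recent = defaultdict(deque)  # source -> deque of (time, account)
    flagged = {}
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["source"]]
        q.append((e["time"], e["account"]))
        while q and e["time"] - q[0][0] > window:
            q.popleft()
        distinct = {acct for _, acct in q}
        if len(distinct) >= threshold:
            flagged[e["source"]] = max(flagged.get(e["source"], 0), len(distinct))
    return flagged


def success_after_failures(events, min_failures=3, window=timedelta(minutes=15)):
    """Successful logins preceded by >= min_failures failures on the same
    account within the window: worth confirming with the user, since a
    guessed password and a forgetful user look identical in the log.

    Returns a list of (account, source, preceding_failures, time).
    """
    failures = defaultdict(deque)  # account -> deque of failure timestamps
    hits = []
    for e in events:
        q = failures[e["account"]]
        while q and e["time"] - q[0] > window:
            q.popleft()
        if e["ok"]:
            if len(q) >= min_failures:
                hits.append((e["account"], e["source"], len(q), e["time"]))
            q.clear()  # a success resets the run for this account
        else:
            q.append(e["time"])
    return hits


def review(text):
    """Run all three checks over one export and return the findings."""
    events = parse_events(text)
    return {
        "failure_bursts": failure_bursts(events),
        "spray_sources": spray_sources(events),
        "success_after_failures": success_after_failures(events),
    }


if __name__ == "__main__":
    for name, result in review(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

Run against the sample it reports `mjones` for a burst of five failures, `192.0.2.44` for hitting five different accounts, and the `mjones` success that came right after the failures; `kwong` (one failure, then a success) is correctly left alone. Keeping the output of each scheduled run, with the reviewer's name and date, is the kind of record the Rule's monitoring element expects you to be able to produce.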

8. Penetration Testing

Conduct penetration testing at least annually. If you don't have an automated continuous monitoring system, vulnerability assessments are required every 6 months. Firms with 5 or fewer employees are exempt from this specific requirement.

9. Incident Response Plan

Maintain a written incident response plan that addresses: the goals of the plan, internal process for responding to security events, clear roles and responsibilities, external reporting requirements (state breach notification laws), and post-incident review process.

The Written Information Security Plan (WISP)

The IRS has published a WISP template specifically for tax professionals. The FTC Safeguards Rule requires something equivalent. Key components:

  • Firm name and the name of the designated Qualified Individual
  • List of all types of customer information collected and maintained
  • Risk assessment results and responses
  • Specific security controls implemented for each required category
  • Employee training program description
  • Incident response procedure
  • Vendor due diligence process
  • Annual review procedure

The IRS's Publication 5708 provides a free WISP creation guide for tax professionals. However, the template alone doesn't constitute compliance — the controls described in your WISP must actually be implemented and documented.

Vendor Due Diligence Requirements

The Safeguards Rule requires oversight of service providers — anyone who accesses customer information on your behalf must be covered by written contracts requiring them to implement appropriate safeguards. This includes:

  • Your IT provider (requires a signed data processing agreement specifying security requirements)
  • Your cloud storage and document management provider
  • Your tax software vendor if they have access to client data
  • Any third party who processes payroll or financial data for your clients

See our guide on IRS safe harbor requirements for CPA firms for the tax-specific requirements that complement the FTC Safeguards Rule.

Frequently Asked Questions

What is the penalty for violating the FTC Safeguards Rule?

FTC civil penalties can reach $50,120 per violation per day. The FTC can also require a firm to implement specific remediation measures and submit to ongoing oversight. Additionally, most state data breach notification laws impose separate notification requirements and potential penalties for breaches resulting from inadequate security programs.

Is my CPA firm required to get cyber insurance under the Safeguards Rule?

The FTC Safeguards Rule does not explicitly require cyber insurance. However, having adequate security controls (as required by the rule) makes you more insurable and eligible for lower premiums. Given the financial exposure from a breach at a CPA firm (client financial data is extremely valuable), cyber insurance is strongly advisable regardless of regulatory requirements.

How often must the information security program be reviewed?

The Safeguards Rule requires the program to be reviewed and adjusted whenever circumstances change materially. Practically, conduct a formal annual review even if no major changes occurred. Document the review with a date and the name of the reviewer. The designated Qualified Individual must report program status annually to board or senior management.

Is Your CPA Firm's WISP Compliant With the 2023 Safeguards Rule Updates?

Get an accounting IT assessment from an MSP who understands FTC and IRS requirements for tax professionals.
