If you prepare tax returns or advise on money, the FTC Safeguards Rule applies to you — written security plan, MFA, encryption, monitoring, the works. Enforcement started in June 2023, and the IRS reminds you at every PTIN renewal. We make compliance a byproduct of well-run IT, not a yearly scramble.
Under the Gramm-Leach-Bliley Act, "financial institution" includes professional tax preparers and firms providing financial planning. That's CPA firms. The FTC Safeguards Rule (16 CFR Part 314) requires a documented security program — and since 2024, breaches affecting 500+ people must be reported to the FTC within 30 days.
What the rule expects your firm to have:
We run the risk assessment and write the Written Information Security Plan the IRS and FTC expect — then keep it current.
Multi-factor authentication on email, tax software, and remote access — with least-privilege access so staff only see what they need.
Encrypted, tested backups and a real recovery plan — because March 15 and April 15 don't wait for IT tickets.
Training records, monitoring logs, vendor reviews — kept audit-ready so an examiner letter isn't a fire drill.
One flat-rate partner for IT support, security, and the Safeguards Rule paperwork that comes with handling client financial data.
The written risk assessment and security plan the rule is built on — drafted, maintained, and ready to show.
Multi-factor authentication across email, tax applications, and remote access — deployed without derailing your staff.
Encrypted portals and email protection so 1040s and K-1s never travel as plain attachments again.
Automated, encrypted, tested backups of your tax software, documents, and email — with recovery times you've seen proven.
Continuous monitoring, patching, and endpoint protection — the "detect and respond" the Safeguards Rule requires.
Phishing simulations and short trainings that satisfy the rule — and stop the #1 way tax firms actually get breached.
Rate your firm against 14 key Safeguards Rule requirements and get an instant readiness score with your top gaps — including whether your WISP foundation is even in place.
Yes. Under the Gramm-Leach-Bliley Act, firms that prepare tax returns or provide financial planning are "financial institutions" — which puts CPA, accounting, and tax firms squarely under the FTC Safeguards Rule (16 CFR Part 314). Full compliance has been enforceable since June 2023.
A WISP is a Written Information Security Plan — the documented security program the Safeguards Rule requires. The IRS also reminds every PTIN holder at renewal that federal law requires paid tax preparers to have one. If you don't have a current, written WISP, that's the first gap to close.
Yes. Firms maintaining information on fewer than 5,000 consumers are exempt from a few of the written-reporting requirements, but the core safeguards — risk assessment, access controls, MFA, encryption, training, vendor oversight, incident response — apply to firms of every size.
The FTC can seek civil penalties that run to five figures per violation, and since 2024 breaches affecting 500 or more consumers must be reported to the FTC within 30 days. Beyond fines: client notification, E&O and cyber-insurance complications, and the reputational damage of telling tax clients their data was exposed.
That's the point of our CPA offering: we run the risk assessment, write and maintain the WISP, roll out MFA and encryption, monitor your systems 24/7, manage vendors, train your staff, and keep the evidence organized — so compliance is a byproduct of how your IT runs, not a yearly scramble.
Book a free, no-obligation discovery call. We'll tell you straight where your firm stands against the Safeguards Rule and what closing the gaps actually takes.