🛡️ FTC Safeguards Rule
🔍 What Is the FTC Safeguards Rule?
The FTC Safeguards Rule implements the information-security provisions of the Gramm-Leach-Bliley Act (GLBA), a federal law enacted in 1999. It requires financial institutions under the FTC's jurisdiction, including tax preparers, accountants, CPAs, and bookkeepers, to develop, implement, and maintain a comprehensive written information security program that protects customer information.
📅 The rule was substantially amended in 2021 (final amendments published December 2021); the compliance deadline for most of the new requirements was June 9, 2023.
🎯 Who Must Comply?
You must comply with the Safeguards Rule if you are classified as a “financial institution” under the GLBA — this includes:
- Tax preparers
- CPA firms
- Bookkeepers & payroll services
- Loan brokers
- Investment advisors not regulated by the SEC
- Mortgage lenders & servicers
📝 Small firms and sole proprietors are covered if they handle consumer financial information. Firms that maintain customer information on fewer than 5,000 consumers are exempt from a few of the elements below (the written risk assessment, continuous monitoring or periodic testing, the incident response plan, and the annual report; see 16 CFR 314.6), but they still need a security program with every other element.
⚖️ Legal Authority:
- Law: Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801–6809)
- Regulation: FTC's 16 CFR Part 314, "Standards for Safeguarding Customer Information" (official text published by the FTC)
🔐 What the Rule Requires: 9 Key Elements of a Safeguards Program
You must design and implement a written information security program that contains administrative, technical, and physical safeguards. Here’s what it must include:
1. ✅ Designate a Qualified Individual
Designate one person (an employee, an affiliate's employee, or a service provider) who is responsible for overseeing, implementing, and enforcing your security program.
- Oversees implementation, including staff training
- Reports in writing to leadership at least annually
- Can be a contractor or IT provider for small businesses, but the firm retains responsibility for compliance: it must name a senior staff member to direct and oversee the Qualified Individual and require the provider to maintain a program that meets the rule
2. 🧠 Conduct a Risk Assessment
Identify reasonably foreseeable risks to the security, confidentiality, and integrity of customer information, and assess whether existing controls address them.
- Must be written and describe the criteria used to evaluate and categorize risks, and how identified risks will be mitigated or accepted
- Must evaluate internal and external risks (e.g., malware, unauthorized access, remote access)
- Must be repeated periodically as systems, vendors, and threats change
- Use the findings to design and prioritize controls
3. 🔒 Design and Implement Safeguards
Based on your risk assessment, implement safeguards appropriate for your firm's size, complexity, and the sensitivity of the data it holds. The amended rule names specific controls that every program must include (16 CFR 314.4(c)):
- Access controls that limit each user to the customer information they need, with periodic review of who has access
- An inventory of the data, devices, systems, and applications that handle customer information
- Encryption of customer information at rest and in transit (or an effective compensating control approved in writing by the Qualified Individual)
- Secure development practices for any in-house applications that handle customer information
- Multifactor authentication (MFA) for anyone accessing any information system (or a reasonably equivalent or stronger control approved in writing by the Qualified Individual)
- Secure disposal of customer information no later than two years after it was last used for the customer, unless the law or a legitimate business need requires keeping it
- Change-management procedures
- Logging and monitoring of authorized users' activity to detect unauthorized access or use
Firewalls, endpoint protection, role-based access, and secure remote access remain sound practice on top of these required controls.
4. 👨‍🏫 Employee Training and Management
Train staff to understand and follow your data security policies, and make sure the people running the program stay qualified.
- Conduct security awareness training at hire and periodically, updated to reflect current risks
- Include phishing awareness
- Keep security personnel current on emerging threats and countermeasures
- Enforce security responsibilities
5. 📦 Monitor Service Providers
If you use third-party vendors (e.g., cloud software, payroll systems), you must:
- Vet their security practices
- Ensure they are contractually required to safeguard data
- Periodically reassess their performance
6. 🔁 Regularly Monitor and Test Safeguards
You must regularly test or otherwise monitor the effectiveness of your key controls (16 CFR 314.4(d)). The rule accepts either:
- Continuous monitoring, or
- Annual penetration testing based on the risk assessment, plus vulnerability assessments (including systemic scans or reviews) at least every six months and whenever operations change materially or new risks emerge
7. ♻️ Keep the Program Current
As your firm changes (new software, remote work, new threats), you must update your safeguards accordingly.
8. 🧽 Create an Incident Response Plan
You must be ready to respond to, and recover from, any security event that materially affects customer information. The written plan should:
- State its goals and the internal processes for responding to an event
- Define roles, responsibilities, and decision-making authority
- Describe how you'll contain the incident, remediate any weaknesses it exposed, and recover
- Cover internal and external communications, including notifying customers and regulators where required
- Require documenting each incident and revising the plan afterward
Since May 2024 the rule also requires notifying the FTC as soon as possible, and no later than 30 days after discovery, of a notification event involving the unencrypted information of 500 or more consumers (16 CFR 314.4(j)).
9. 📊 Annual Written Report to Senior Management
Your Qualified Individual must report in writing at least once a year to the board of directors, or to a senior officer if the firm has no board, covering:
- Overall program status and compliance with the rule
- Risk assessment results and risk management decisions
- Service provider arrangements
- Test results
- Security events and how they were handled
- Recommended changes to the program
📌 Safeguards Rule vs. IRS Publication 4557
While Publication 4557 is IRS guidance for tax professionals, the Safeguards Rule is a binding federal regulation enforced by the FTC.
Requirement | IRS Pub 4557 | FTC Safeguards Rule |
---|---|---|
Written Plan | Recommended | Mandatory |
Risk Assessment | Recommended | Mandatory |
Training | Advised | Mandatory |
Incident Response Plan | Strongly advised | Mandatory |
Annual Report | Not required | Mandatory |
🛠️ Penalties for Non-Compliance
Violating the Safeguards Rule can result in:
- FTC enforcement actions, typically ending in consent orders that impose years of mandated security obligations and independent assessments
- Civil penalties for violating such an order
- IRS sanctions, such as loss of e-file (EFIN) or PTIN privileges, since IRS e-file rules require compliance with the Safeguards Rule
- Loss of client trust and breach-related costs
✅ Quick Checklist for Small Firms
✔ Designate a Qualified Individual (internal or external) and a senior staffer to oversee them
✔ Write and maintain a WISP
✔ Conduct and document a risk assessment, and repeat it as systems and threats change
✔ Encrypt customer data at rest and in transit, require MFA for everyone, restrict access by role, and keep firewalls and endpoint protection current
✔ Train employees at hire and at least annually
✔ Vet and contractually bind all vendors
✔ Test security controls (penetration test annually and vulnerability assessment every six months, or continuous monitoring)
✔ Maintain an incident response plan and know the 30-day FTC notification requirement
✔ Deliver a written annual report to leadership