Most of the businesses the FTC Safeguards Rule covers don't think of themselves as financial institutions. That's the problem. The Rule's definition reaches tax preparers, CPA firms, bookkeepers, mortgage brokers, auto dealers that arrange financing, payday lenders, and any business significantly engaged in financial activities. If your firm prepares tax returns for compensation or handles consumer financial data as part of how it makes money, the Rule almost certainly applies to you, and it has applied with enforcement teeth since June 2023.
Here's the pattern across the firms we've reviewed: most of them don't have a security problem, they have a coordination problem. The MFA is on, the laptops are encrypted, the backups run. What doesn't exist is a written program tying those pieces together with one named person answering for it, and the program is the thing the Rule actually demands. Pieces of compliance and a compliance program are different things, and an examiner only credits the second.
This page covers what the Rule actually requires, where Wichita-area firms usually fall short, and how the work gets done as part of a Managed IT engagement instead of a binder that goes on a shelf. If you run an accounting or tax practice, the operational side of your world (tax season, seasonal staff, the client portal) lives on our IT for CPAs page. This page is about the Rule itself.
What the Rule requires, in plain English
The Safeguards Rule was issued in 2003 under the Gramm-Leach-Bliley Act. The version that matters is the 2021 update, with most provisions effective December 9, 2022 and the remainder enforceable from June 9, 2023. It replaced vague expectations with a specific checklist.
You need a designated Qualified Individual who owns the information security program and answers for it. You need a written Information Security Program built on a written risk assessment, not a template with your logo on it. You need access controls and an inventory of where customer information lives, encryption of that information at rest and in transit, and multi-factor authentication on any system that touches it. You need secure disposal, change management, and monitoring and logging of activity on systems that hold customer information. You need either continuous monitoring or periodic penetration testing and vulnerability scanning. You need security awareness training, contractual oversight of your service providers (your IT firm included), a written incident response plan, and an annual written report from the Qualified Individual to ownership or senior management.
Some provisions relax for firms holding information on fewer than 5,000 consumers, but the core program applies regardless of size: the Qualified Individual, the risk assessment, MFA, encryption, and the incident response plan. There is no small-firm exemption.
What non-compliance actually costs
The FTC's civil penalty authority adjusts with inflation and currently runs to $46,517 per violation per day. The agency has been active in financial-sector data security, and the enforcement pattern is consistent: the breach itself is survivable, but a breach plus a missing written program, a stale risk assessment, and no incident response plan turns into a consent order that follows the firm for twenty years.
There's a quieter cost too. Cyber insurance carriers ask the same questions the Rule does, and an application that claims controls you don't have gives the carrier grounds to deny a claim. For tax preparers, IRS Publication 4557 layers parallel obligations on top, including the Security Six controls and a written data security plan, and the IRS checks during PTIN renewals. The good news is that one properly built program satisfies all three audiences. We build it once and document it for each context.
Where firms usually fall short
Almost no firm we review is at zero. The pattern is partial coverage with documentation gaps. MFA is on email but not on the tax software or the practice management system. A risk assessment exists but predates the current office layout. The written program is a webinar template nobody has opened since it was downloaded. The incident response plan is a verbal understanding. The annual report has never happened, and nobody has been formally named Qualified Individual.
Picture the typical version. A CPA firm has MFA, encrypted laptops, and a client portal, and the partners reasonably assume that adds up to compliance. On a prospect review we find no designated Qualified Individual, a risk assessment from four years and one office move ago, and an annual report that has never been written. The technology was mostly fine. The program around it didn't exist, and the Rule is written about the program.
None of that is negligence. Compliance slides to the side of the desk at a firm whose actual job is serving clients, and the gaps accumulate quietly. But an FTC examiner reads gaps in the paperwork as gaps in the program, and closing them systematically costs far less than explaining them after an incident. We run the same discipline on our own business, hosting and securing our own customer-facing infrastructure and carrying our own annual compliance obligations, so the program we build for you is one we know from the inside.
How we do the work
The work folds into a Managed IT Services engagement rather than running as a standalone consulting project, for the reason that runs through everything on our Compliance Services page: the documents describe a security posture that's supposed to be live on real systems, and when one firm writes the documents while another runs the systems, the two drift apart within a quarter.
In practice that means we run the risk assessment against your actual environment, write the Information Security Program to match, implement the technical controls (MFA everywhere customer information lives, encryption, monitoring, vulnerability scanning), support your Qualified Individual, build the incident response plan, set up the service provider oversight, and produce the annual report on schedule. When the firm changes, the documentation changes with it, because the team making the change is the team holding the pen.
For accounting and tax firms specifically, the operational rhythm behind all of this (tax season scheduling, seasonal staff access, the client portal) is covered on the IT for CPAs page linked at the top of this page.
Where to start
A short call is enough to find out whether the Rule applies to you and where your current posture sits against it. Bring your written program if you have one, or come without one, which is its own answer. We'll tell you what we'd fix first and what a realistic timeline looks like. The most common starting point we hear is "I'm not sure where we stand," and that's a fine place to begin.
Frequently asked questions
1. Does the Safeguards Rule really apply to a small firm like ours?
If you're significantly engaged in financial activities as the FTC defines them, yes. Tax preparation for compensation is explicitly covered, as are bookkeeping, mortgage brokering, and consumer lending. Firm size changes some documentation obligations (a few provisions apply only at 5,000 or more consumer records) but not the core requirements. There is no exemption for being small.
2. We have an IT company. Doesn't that cover us?
Not by itself. The Rule requires a written program, a named Qualified Individual, a current risk assessment, service provider oversight, and an annual report, none of which a typical IT support contract produces. Good IT support is necessary for Safeguards compliance and not sufficient on its own. The question to ask your current provider is who wrote your risk assessment and when.
3. What's the difference between this and IRS Publication 4557?
Publication 4557 is the IRS version of the same obligations for paid tax return preparers, built around the Security Six controls and a written data security plan. A firm that genuinely meets the Safeguards Rule generally meets Pub 4557 with minor documentation differences. We document once for both.
4. What happens if we have a breach?
You work the incident response plan we wrote before the incident. It names who decides, who calls counsel and the carrier, what notification obligations trigger, and how the firm keeps operating during the investigation. The Rule also requires reporting certain breaches involving 500 or more consumers to the FTC, and the plan accounts for it. The difference between a contained incident and a firm-defining one is usually the first 24 hours.
5. What does Safeguards compliance cost?
It depends on your starting posture and how much of the work is documentation versus new technical controls. The work is bundled with Managed IT Services, with the program build folded into onboarding rather than billed as a separate consulting project. The exploratory call is where we put a real number against your situation.