FTC Safeguards Rule: A CPA Firm Compliance Guide
7 min read · Mark Calatrava · June 24th, 2026

Your client hands you their Social Security number, bank routing details, W-2s, and Schedule K-1s. They’re not thinking about cybersecurity—they’re thinking about their refund. But the FTC Safeguards Rule puts that trust squarely on your firm’s shoulders, and the penalties for non-compliance are real.

The Safeguards Rule, enforced by the Federal Trade Commission under the Gramm-Leach-Bliley Act (GLBA), applies to tax preparers and CPA firms because the rule's definition of “financial institution” explicitly includes tax preparation services. If you collect or handle nonpublic personal information (NPI), and every firm does, you’re covered. This isn’t optional compliance.

Here’s what a practical, working implementation looks like for a small-to-mid-size CPA firm.

Start With a Written Information Security Program

The Safeguards Rule requires a Written Information Security Program (WISP). The IRS also pushes WISPs hard for tax professionals, so one document can satisfy both regulators.

Your WISP must:

  • Name a qualified individual responsible for the program (this can be you, a partner, or an outsourced IT contact)
  • Identify the NPI your firm collects, stores, and transmits
  • Assess internal and external risks to that data
  • Document the safeguards you’ve implemented and how you’ll monitor them
  • Include an incident response plan
  • Address vendor oversight

For a 10-person firm, this doesn’t require a 40-page document. A clear, honest 8-10 page WISP that reflects how your firm actually operates will outperform a bloated template you pulled from the internet and never read again. The IRS publishes a WISP template for small tax professionals through its Security Summit program (Publication 5708, “Creating a Written Information Security Plan for your Tax & Accounting Practice”); start there and adapt it.

Conduct a Risk Assessment Before You Touch Anything Else

Every safeguard you implement should trace back to a documented risk assessment. Skipping this step is the single biggest compliance gap I see in small firms.

A practical risk assessment for a CPA firm covers:

Where does NPI live? Map it. Tax software databases (Drake, Lacerte, ProSeries, UltraTax, ATX), QuickBooks company files, email attachments, scanned documents in shared folders, portable drives someone took home two years ago. Shared folders deserve a real search, not a guess: client SSNs end up in exported CSVs, OCR’d scans, and saved emails far outside the tax application.

Who has access? List every user with access to each system. Seasonal staff often get overlooked. Former employees sometimes aren’t.

What could go wrong? Ransomware targeting accounting software, phishing emails impersonating the IRS, an unencrypted laptop left in a car, a disgruntled former employee.

What’s your current control for each risk? Be honest. If the answer is ‘nothing,’ write that down. That’s your priority list.

Document this annually. The rule requires periodic reassessment, not a one-time checkbox. One caveat: firms that hold customer information on fewer than 5,000 consumers are exempt from the rule’s written-risk-assessment requirement, but not from performing the assessment. Write it down anyway; every control you implement later has to point back to it.
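Here is a small discovery scan for the “where does NPI live?” step. It is an added example written for this guide, not code from the original article or from Sagenext. It walks a directory tree, finds strings shaped like Social Security numbers, discards ones the SSA never issues (area 000, 666 or 900-999; group 00; serial 0000), and returns a per-file count of distinct hits so the result can go straight into the WISP data inventory without copying the SSNs themselves. The sample files, paths and file extensions are constructed for the demo; adjust the extension list for whatever your shared folders actually contain.

```python
"""
NPI discovery scan for a file share: find likely Social Security numbers
and report counts per file, never the numbers themselves.

Added illustrative example (not from the original article or Sagenext).
Sample files are constructed inline; the plausibility rules follow the
SSA's published SSN format restrictions.
"""
import tempfile
import re
from pathlib import Path

# Candidate: 3-2-4 digits, optional '-' or ' ' separators, not part of a longer digit run.
# Phone numbers (3-3-4) and EINs (2-7) do not satisfy this shape.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Constructed sample share. The .pdf entry is deliberately skipped by the
# default extension filter to show that scope is explicit.
SAMPLE_FILES = {
    "clients/2024/smith_w2.txt": "Employee SSN: 123-45-6789\nWages: 54,210.00\n",
    "clients/2024/jones_k1.txt": "Partner TIN 456 78 9012\nSpouse 123-45-6789 appears again.\n",
    "vendors/ein_list.csv": "name,ein\nAcme LLC,12-3456789\n",
    "phone_book.txt": "Front desk: 555-123-4567\nPlaceholder SSN: 000-12-3456\n",
    "scan.pdf": "123-45-6789",
}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never assigns: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return plausible SSNs found in text, normalised to ###-##-#### form."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


def mask(ssn: str) -> str:
    """Display form for any report that must show a value: ***-**-6789."""
    return "***-**-" + ssn[-4:]


def scan_tree(root, extensions=(".txt", ".csv", ".log", ".eml")) -> dict[str, int]:
    """Map each in-scope file that contains NPI to its count of distinct SSNs."""
    root = Path(root)
    inventory: dict[str, int] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: note it in the inventory by hand
        distinct = set(find_ssns(text))
        if distinct:
            inventory[path.relative_to(root).as_posix()] = len(distinct)
    return inventory


def demo_scan() -> dict[str, int]:
    """Write the constructed sample share to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, count in sorted(demo_scan().items()):
        print(f"{count:3d} distinct SSN(s)  {rel_path}")
```

Run it as-is to see the two client files flagged and the EIN list, phone book and out-of-scope PDF left alone. The inventory intentionally holds counts and paths only: a discovery scan that writes raw SSNs into a spreadsheet has just created one more place NPI lives.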

The Nine Required Safeguards

The Safeguards Rule lays out specific technical and organizational controls. Here’s what each means in practice for a CPA firm:

  1. Access controls — Multi-factor authentication (MFA) for every individual accessing any system that touches NPI. The only exception the rule allows is written approval by your qualified individual of a reasonably equivalent control; in practice, turn MFA on. Role-based permissions so staff see only what their job requires.
  2. Data inventory — Know what NPI you hold and where. If you can’t answer that in 10 minutes, you have a gap.
  3. Encryption — Encrypt NPI in transit (TLS for email and file transfers, or an encrypted client portal) and at rest (encrypted hard drives, encrypted backups). Emailing a client’s unencrypted tax return fails the rule’s transit-encryption requirement; where encryption is genuinely infeasible, the qualified individual must approve an alternative control in writing.
  4. Secure development practices — Applies mainly if you build internal tools or automate workflows. Most CPA firms can address this briefly in the WISP.
  5. Secure disposal — The rule requires disposing of customer information no later than two years after the last date it was used to provide a service, unless you need it for business or legal reasons (tax record-retention periods count). Shred paper, wipe drives, and review your retention policy periodically. Passwords alone don’t cut it for the accounts that remain: MFA plus a password manager for firm-wide credential hygiene.
  6. Change management — When you add a new application or change a system configuration, document it and assess the security impact first.
  7. Monitoring and testing — The rule asks for continuous monitoring, or, failing that, annual penetration testing plus vulnerability assessments every six months. Firms with fewer than 5,000 consumers’ information are exempt from that testing schedule, but not from testing; at minimum, review logs regularly and actually restore from backup to prove the backups work.
  8. Staff training — Annual security awareness training, documented. Phishing simulations are worth the modest cost.
  9. Vendor management — Every third-party vendor with access to your NPI needs a written contract requiring them to implement appropriate safeguards. This includes your cloud hosting provider, payroll processor, and document management vendor.

Vendor Management Is Where Most Firms Drop the Ball

The rule requires you to select and oversee service providers by contract. That means before you hand a vendor access to client data, you need:

  • A written contract with explicit security obligations
  • Due diligence that the vendor actually meets those obligations
  • Periodic review—not a one-time check at onboarding

Cloud hosting vendors that handle your QuickBooks files, tax software, or client documents are squarely in scope. Get their security policies in writing. Ask about encryption, access controls, incident response timelines, and backup procedures. If they can’t answer those questions clearly, that’s your answer.

Incident Response: Have a Plan Before You Need One

The rule requires a written incident response plan (firms holding fewer than 5,000 consumers’ information are exempt from the written-plan requirement, but a firm that has to improvise during a breach will not enjoy the experience). Keep it short and functional:

  • Who declares an incident and who’s on the response team
  • How you contain and assess the breach
  • Notification obligations (since May 2024, the Safeguards Rule requires notifying the FTC through its online form as soon as possible, and no later than 30 days after discovery, of any breach involving unencrypted customer information of 500 or more consumers; state breach notification laws may require notifying affected clients much sooner, and the IRS asks tax professionals to contact their local IRS Stakeholder Liaison)
  • Post-incident review and documentation

Run a tabletop exercise once a year. Walk through a ransomware scenario. The first time you run through the plan should not be during an actual breach.

How Sagenext Helps

One of the harder parts of Safeguards Rule compliance for CPA firms is controlling the environment where client data actually lives. When tax software and accounting applications run on local desktops or unmanaged servers, the firm is on the hook for every patch, every backup, every access control.

Sagenext hosts QuickBooks Desktop, Enterprise, Premier, and Pro, along with Sage 50, Sage 100, Drake, Lacerte, ProSeries, UltraTax, ATX, and other tax and accounting tools on fully managed cloud infrastructure. Provisioning, security updates, and data backups are handled for you. Staff access the software through a remote desktop session from any device, with access controls managed at the hosting layer.

For a CPA firm building a Safeguards-compliant environment, that moves patching, backups, and infrastructure hardening to a provider whose job is infrastructure security, and gives you a concrete, documentable answer when your WISP asks ‘who manages the environment where NPI is stored?’ It does not move accountability: under the rule the hosting provider is a service provider, so you still owe the written contract, due diligence, and periodic review described above. You can try it with a free trial, no credit card required.

For a broader look at how cloud hosting fits into a firm’s data security posture, see Considerations For Cloud Security.

Key Takeaways

  • The FTC Safeguards Rule applies to CPA firms and tax preparers as financial institutions under GLBA—non-compliance exposes the firm to FTC enforcement.
  • A Written Information Security Program (WISP) is required and must be tailored to how your firm actually operates, not copied wholesale from a generic template.
  • A documented risk assessment is the foundation—every control you implement should trace back to a specific risk you identified.
  • MFA, encryption at rest and in transit, and role-based access controls are non-negotiable technical requirements under the rule.
  • Every vendor with access to client NPI needs a written contract specifying their security obligations; audit that list annually.
  • Moving tax and accounting software to a fully managed cloud hosting environment gives you a documented, vendor-controlled security layer and reduces the compliance surface you manage internally; the firm remains responsible for overseeing that vendor.

Frequently Asked Questions

Does the FTC Safeguards Rule apply to small CPA firms with only a few clients?

Yes. The rule applies to any financial institution that collects nonpublic personal information, regardless of firm size. A solo practitioner preparing tax returns is covered. The rule does scale: firms that hold customer information on fewer than 5,000 consumers are exempt from the written risk assessment, the fixed penetration-testing and vulnerability-assessment schedule, the written incident response plan, and the annual report to leadership. The core requirements, including a written security program, a qualified individual, a risk assessment, MFA, encryption, and vendor oversight, apply across the board. Size affects complexity, not applicability.

What counts as nonpublic personal information under the Safeguards Rule?

NPI includes any information a client provides to obtain a financial service—Social Security numbers, income figures, account numbers, tax return data, and similar details. It also includes information you derive from transactions with clients. In practice, nearly every piece of data in your tax software or accounting files qualifies.

What happens if a CPA firm has a data breach and wasn’t compliant with the Safeguards Rule?

The FTC enforces the rule through enforcement actions and consent orders, and violating an order carries civil penalties. State attorneys general can also act under state law. Beyond regulatory exposure, a breach exposes the firm to client lawsuits and reputational damage. Compliance isn’t a guarantee against breaches, but it is your primary legal defense and your clients’ primary protection.

How often do we need to update our WISP?

The rule requires you to review and adjust the program in response to material changes—new software, new staff, a breach, a new service provider—and at least annually as part of a formal reassessment. A WISP that hasn’t been touched in three years does not meet the standard, even if it was excellent when written.

Can we use a third-party IT provider to satisfy the ‘qualified individual’ requirement?

Yes. The Safeguards Rule allows the qualified individual overseeing your information security program to be an outside service provider. If you go that route, document the arrangement clearly in your WISP, specify their responsibilities in a written contract, and keep oversight internal—someone at the firm needs to receive their reports and hold them accountable.

Ready to try Sagenext?

Free trial, no credit card required. Move your QuickBooks, Sage, or Drake setup to fully managed cloud hosting.


About the author: Sagenext

Sagenext Infotech LLC 3540 Wheeler RD STE 109 Wheeler Executive Center Augusta GA 30909 (USA)


Sagenext Infotech LLC is an independent cloud hosting company that hosts legally licensed QuickBooks, Sage Products, and other tax and accounting applications.

Copyright © 2026 Sagenext Infotech LLC. All Rights Reserved.
