What is the FTC Safeguards Rule?
The FTC Safeguards Rule (16 CFR Part 314) was originally enacted in 2003 under the Gramm-Leach-Bliley Act (GLBA). The FTC significantly updated the rule in 2023, adding specific technical requirements that reflect modern cybersecurity threats.
The rule requires covered businesses to develop, implement, and maintain a comprehensive written information security program — a WISP.
Does the Safeguards Rule Apply to Tax Preparers?
Yes — unambiguously. The FTC defines "financial institution" broadly to include any business that is "significantly engaged" in providing financial products or services. The FTC has explicitly confirmed that tax preparers fall under this definition.
There is no minimum revenue, employee count, or client volume threshold. A solo tax preparer working part-time from home has the same obligations as a large accounting firm.
💡 The rule applies to you if you: prepare tax returns, provide bookkeeping services, offer financial planning, handle payroll, or provide any other financial service to consumers.
What Does the Safeguards Rule Require?
The updated rule has nine core requirements:
1. Designate a Qualified Individual
You must designate one person — the Qualified Individual (QI) — who is responsible for overseeing your information security program. In a small firm this is usually the owner.
2. Conduct a Risk Assessment
You must identify the reasonably foreseeable internal and external risks to the security of customer information. This must be documented and reviewed at least annually.
3. Implement Safeguards
Based on your risk assessment, you must implement and monitor safeguards to control those risks — including encryption, access controls, and MFA.
4. Require Multi-Factor Authentication
The 2023 update specifically requires MFA for any system containing customer information. This is one of the most commonly overlooked requirements.
5. Encrypt Customer Information
All customer data must be encrypted both in transit and at rest.
6. Train Employees
All employees with access to customer information must receive security awareness training at hiring and annually thereafter.
7. Monitor Service Providers
Any third-party vendors with access to customer data must be contractually required to maintain appropriate safeguards.
8. Keep Your Program Current
Your security program must be reviewed and updated at least annually, or whenever there is a material change to your business operations.
9. Report to Senior Management
Your Qualified Individual must report to senior management at least annually on the status of the security program.
⚠️ The FTC can impose civil penalties of $50,120 per violation. Each missing safeguard — no MFA, no encryption, no employee training — can be counted as a separate violation.
What is the Written Information Security Plan?
The WISP is the document that ties all nine requirements together. It's your written proof that you have a security program in place. Without a WISP, you have no documentation — and no documentation means no defense if you're ever investigated or audited.
Has the FTC Actually Enforced This?
Yes. The FTC has pursued enforcement actions against financial services companies for Safeguards Rule violations. While most publicized cases involve larger companies, the rule applies equally to small businesses and solo practitioners.
Need Help Organizing Your WISP Documentation?
- Guided questionnaire included
- Customized WISP document
- Word & PDF versions
- Loom video walkthrough
- Delivered in 48 hours
SafeguardsReady is not a law firm and does not provide legal advice. Documents are prepared based on publicly available FTC and IRS guidance. Consult a licensed attorney for advice specific to your compliance obligations.