Is Your CPA Firm Compliant with the FTC’s Safeguards Rule?

What you need to know.

As a tax preparer, you are probably familiar with IRS Publication 4557, Safeguarding Taxpayer Data, and its application to professionals who practice before the IRS or hold a preparer tax identification number. However, there is another rule that tax preparers might not think applies to them: the Federal Trade Commission’s (FTC’s) Standards for Safeguarding Customer Information (the Safeguards Rule). While the Safeguards Rule has existed for decades, CPA firms may not have given it more than a passing thought. However, the latest amendments to the Safeguards Rule may require firms to think differently.

Background

The Safeguards Rule obligates covered financial institutions to “develop, implement, and maintain” an information security program (ISP) that includes specific “administrative, technical, and physical safeguards” designed to protect customer information. The ISP must be in writing and “appropriate to the size and complexity of the [covered] financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.”

In December 2021, the FTC amended the Safeguards Rule to expand its definition of a financial institution and to provide more concrete guidance regarding specific safeguards that covered financial institutions should have in place to help protect the security of customer information.

Are CPA Firms Really Institutions?

But are CPA firms really financial institutions? According to the Safeguards Rule, “an entity is a ‘financial institution’ if its business is engaging in an activity that is financial in nature or incidental to such financial activities.” This includes providing tax planning and preparation services to any person for personal, family, or household purposes.

What Elements Should be Included in the Written Information Security Plan (WISP)?

The Safeguards Rule specifies certain elements that should be included in a covered financial institution’s ISP. Required ISP elements are as follows:

1. Designate a qualified individual to implement and supervise the ISP. This person must have the requisite skill and experience to fulfill the role and may be a partner or employee of the firm or an outside service provider. If a service provider is used, the firm remains responsible and must identify a senior-level person to supervise the provider.

2. Conduct a risk assessment to identify and inventory customer information, where it is stored, and foreseeable risks and threats to the “security, confidentiality, and integrity of [such] information.” The assessment must be in writing and updated periodically as operations change and new threats to data security emerge.

3. Design and implement the following specific safeguards to help control risks related to the security, confidentiality, and integrity of customer information:

  • Implement access controls to determine and regularly reevaluate whether individuals’ access reflects legitimate business needs.
  • Conduct a data inventory to identify all systems, devices, platforms, and personnel that access customer information and understand how information is collected, stored, and transmitted.
  • Encrypt customer information in transit and when stored on your system.
  • Assess internally developed and third-party applications that store, access, or transmit customer information.
  • Implement multifactor authentication to require at least two authentication factors for anyone accessing customer information.
  • Securely dispose of customer information when it is no longer necessary for a legitimate business need or legal requirement.
  • Build change management protocols into the ISP to anticipate and respond to changes in business, emerging threats, or lessons learned during risk assessments.
  • Log user activity and monitor for unauthorized access of customer information.
  • Test or otherwise monitor the effectiveness of safeguards, including continuous monitoring or periodic penetration testing and vulnerability assessments.
  • Train personnel, as an ISP is only as strong as its weakest link.
  • Select and monitor service providers to ensure they maintain appropriate safeguards to help protect customer information. Execute detailed contracts that specify security requirements and provide for monitoring and periodic reassessments of the service provider’s suitability. Though System and Organization Controls (SOC) the regulations do not specifically address two reports, consider obtaining one from the service provider. Among other things, a SOC 2 report assures the safeguards that a service provider has implemented to help protect customer information.
  • Keep the ISP current and updated as the business and threat landscapes evolve.
  • Develop a written incident response plan to guide the response and recovery following a security event.
  • Require the qualified individual to report to the company’s governing body at least annually regarding the company’s compliance with its ISP.

Conclusion

There are exceptions to the Safeguards Rule, such as for businesses with fewer than ten employees and certain non-profit organizations. However, if you are a CPA firm with significant operations, the Safeguards Rule may apply to you. Therefore, it is essential to consult with legal counsel to determine whether your business is subject to the Safeguards Rule and, if so, to develop and implement an appropriate ISP.

Partner with AVAIL to ensure your CPA firm complies with the FTC’s Safeguards Rule. We offer tailored solutions to navigate the intricacies of information security plans required by the latest amendments, including risk assessments, access controls, data encryption, and multi-factor authentication. With AVAIL’s assistance, you can effortlessly create a Written Information Security Plan (WISP) and stay ahead of compliance requirements with our continuous maintenance, annual vulnerability assessments, testing, and incident response planning. Connect with AVAIL to keep your practices secure and compliant.