The FTC Safeguards Rule mandates that financial institutions—including tax preparers—develop, implement, and maintain comprehensive written information security programs to protect customer data. Under 16 CFR Part 314, covered entities must deploy administrative, technical, and physical safeguards appropriate to their size, complexity, and the sensitivity of nonpublic personal information (NPPI) they handle. Non-compliance exposes tax professionals to federal enforcement actions, state-level penalties, and the average $4.88 million cost of a data breach (IBM Cost of a Data Breach Report 2024). This guide provides tax preparers with a detailed compliance checklist to meet FTC Safeguards Rule requirements while protecting client data and their practice.
Understanding the FTC Safeguards Rule: Legal Foundation and Scope
The FTC Safeguards Rule, formally titled the Standards for Safeguarding Customer Information, was issued under the Gramm-Leach-Bliley Act (GLBA) to ensure that financial institutions protect the security, confidentiality, and integrity of customer information. The original Rule took effect in 2003; it was substantially amended in December 2021, and a 2023 amendment added the breach notification requirement that took effect in May 2024. The Rule now imposes specific technical and procedural requirements on covered entities.
Tax preparers fall under the FTC Safeguards Rule because tax preparation is classified as a “financial activity” under the GLBA. When you collect Social Security numbers, income details, bank account information, or other NPPI to prepare returns, you operate as a financial institution under FTC jurisdiction. According to the official FTC guidance, this classification requires you to implement the same level of data protection as banks, credit unions, and other traditional financial entities.
⚡ Key FTC Safeguards Rule Applicability Factors for Tax Preparers:
- ✅ Collection, storage, or transmission of NPPI (Social Security numbers, tax identification numbers, financial account details)
- ✅ Number of consumers whose information you maintain (the small-institution exemptions in 16 CFR § 314.6 apply only to practices that maintain customer information on fewer than 5,000 consumers; larger practices must meet every requirement)
- ✅ Use of third-party service providers (cloud tax software, document storage, payment processors)
- ✅ Classification as an “authorized IRS e-file provider” subject to IRS Publication 4557 security standards
Why Tax Preparers Must Prioritize FTC Safeguards Rule Compliance
Tax professionals handle some of the most sensitive personal and financial data available—Social Security numbers, employer identification numbers, wage and income statements, bank account details, investment records, and dependent information. This data concentration makes tax preparation firms highly attractive targets for cybercriminals seeking to commit identity theft, file fraudulent returns, and monetize stolen credentials on the dark web.
The FTC Safeguards Rule recognizes this risk profile and establishes mandatory baseline security controls. Beyond regulatory compliance, implementing these safeguards provides tangible business benefits including reduced breach risk, enhanced client trust, competitive differentiation, lower cyber insurance premiums, and operational resilience during tax season’s critical periods.
“The average cost of a data breach reached $4.88 million in 2024, with healthcare, financial services, and professional services sectors experiencing the highest per-record costs.” – IBM Security Cost of a Data Breach Report 2024
Non-compliance consequences extend beyond financial penalties. The FTC can pursue enforcement actions resulting in mandatory corrective measures, ongoing compliance monitoring, and public disclosure of security failures. State attorneys general can bring parallel actions under state consumer protection laws. Affected clients may file civil lawsuits for negligence and breach of fiduciary duty. Professional licensing boards and the IRS can suspend or revoke credentials, effectively ending your ability to practice.
Core FTC Safeguards Rule Requirements: Complete Compliance Framework
Designate a Qualified Individual to Oversee Your Information Security Program
Under 16 CFR § 314.4(a), every covered tax preparation practice must designate a “Qualified Individual” responsible for overseeing, implementing, and enforcing the information security program. This individual must possess the knowledge, experience, and authority to develop and execute security policies appropriate to your practice’s size and complexity.
The Qualified Individual may be an employee, an affiliate, or a contracted service provider—but if you outsource this role, you remain legally responsible for program adequacy and compliance. This person must report in writing at least annually to your board of directors, senior management, or equivalent governing body on the status of the security program, material incidents, and compliance with the FTC Safeguards Rule. (Practices that maintain information on fewer than 5,000 consumers are exempt from the written annual report under 16 CFR § 314.6; the oversight role itself still applies.)
For solo practitioners and small firms, the Qualified Individual is often the owner or a contracted cybersecurity professional with specific expertise in financial services compliance. Larger firms may appoint an internal IT director or information security officer. Regardless of firm size, document this designation in writing, including the individual’s qualifications, responsibilities, reporting relationships, and authority to enforce security policies across the organization.
💡 Pro Tip
If your practice maintains customer information on fewer than 5,000 consumers, 16 CFR § 314.6 exempts you from four requirements: the written risk assessment, the annual penetration test and semiannual vulnerability assessment (or continuous monitoring in their place), the written incident response plan, and the Qualified Individual's annual written report. Everything else still applies: you must designate a Qualified Individual, perform a risk assessment (it simply need not be written), implement encryption and MFA, train staff, oversee service providers, and maintain the other core safeguards.
Conduct and Document a Comprehensive Written Risk Assessment
The FTC Safeguards Rule requires a documented, periodic risk assessment that identifies reasonably foreseeable internal and external threats to the security, confidentiality, and integrity of customer information. Your assessment must evaluate:
- Asset Inventory: Catalog all systems, applications, and physical locations where NPPI is collected, stored, processed, or transmitted—including workstations, servers, cloud platforms, mobile devices, and paper files.
- Threat Identification: Document potential threats such as phishing attacks, ransomware, insider threats, lost or stolen devices, unauthorized access, and natural disasters.
- Vulnerability Analysis: Assess weaknesses in your current controls—outdated software, lack of MFA, unencrypted backups, insufficient employee training, weak passwords.
- Likelihood and Impact: Prioritize risks based on probability of occurrence and potential damage (regulatory fines, client notification costs, reputational harm, business interruption).
The IRS Taxes-Security-Together checklist ("Tax Security 2.0") recommends that tax preparers build their security program around the NIST Cybersecurity Framework, and Revenue Procedure 2007-40 makes compliance with the GLBA safeguards a condition of participation for Authorized IRS e-file Providers. A risk assessment that covers technical, administrative, and physical controls therefore serves all three sets of obligations at once.
Practices maintaining information for 5,000 or more consumers must produce a written risk assessment. Smaller practices should still document their assessment process even if exempted from this specific requirement, as documentation demonstrates good-faith compliance efforts and provides valuable evidence in the event of regulatory inquiry or litigation.
Design and Implement Risk-Based Safeguards
Based on your risk assessment findings, you must design and implement safeguards to control identified risks. The FTC Safeguards Rule specifies minimum technical requirements that all covered tax preparers must deploy:
Access Controls and Authentication
- Role-Based Access Control (RBAC): Grant access to NPPI only to employees whose job functions require it. Implement least-privilege principles—tax preparers access client returns; administrative staff access scheduling systems.
- Multi-Factor Authentication (MFA): Require at least two of the three factor types the Rule defines in 16 CFR § 314.2 (knowledge, possession, inherence) for any user accessing systems containing customer information. Authenticator apps (Google Authenticator, Microsoft Authenticator), hardware security keys, and biometrics all qualify. SMS codes also satisfy the Rule but are the weakest option: they can be intercepted through SIM swapping and are relayed in real time by phishing kits. Prefer phishing-resistant FIDO2/WebAuthn security keys for administrators and for anyone with bulk access to client files.
- Strong Password Policies: Favor length over composition rules: require 12 or more characters (passphrases are easier to remember), screen new passwords against lists of known-breached passwords, prohibit reuse across systems, and force a change after any suspected compromise. NIST SP 800-63B recommends against mandatory periodic rotation and arbitrary character-class rules, which push users toward predictable patterns; a password manager makes long, unique passwords practical.
- Session Timeouts: Configure screens to lock and portal sessions to expire after 5–10 minutes of inactivity so an unattended workstation cannot be used to browse client files.
Multi-factor authentication is one of the most effective single controls available: Microsoft has reported that accounts with MFA enabled resist more than 99.9 percent of automated account-compromise attacks. That figure covers password spraying and credential stuffing; targeted phishing through an adversary-in-the-middle proxy can still capture a one-time code, which is why phishing-resistant methods matter for high-privilege accounts.
Encryption Requirements
The FTC Safeguards Rule (16 CFR § 314.4(c)(3)) mandates encryption of all customer information at rest and in transit over external networks. Where your Qualified Individual determines that encryption is infeasible, you may instead use effective alternative compensating controls that the Qualified Individual has reviewed and approved; document that determination and its justification:
- Data at Rest: Encrypt all NPPI stored on workstations, laptops, servers, external drives, and backup media using AES-256 or equivalent. Enable full-disk encryption via BitLocker (Windows) or FileVault (macOS) and escrow the recovery keys (Active Directory/Entra ID or a secured offline record) so a forgotten PIN does not become a data-loss event. Full-disk encryption protects data on a lost, stolen, or discarded device; it does nothing against malware or a user who is already logged in, so it complements rather than replaces access controls and endpoint protection. For detailed implementation guidance, see our IRS Security Six encryption requirements resource.
- Data in Transit: Require TLS 1.2 or higher for all web-based communications, client portals, e-file transmissions, and email. Prohibit insecure protocols including FTP, HTTP, and Telnet. Email TLS is usually opportunistic and ends at the recipient's mail server, so do not send returns or NPPI as plain attachments; use an encrypted client portal or encrypted attachments with the passphrase sent through a separate channel.
- Encryption Key Management: Store encryption keys separately from encrypted data (BitLocker recovery keys do not belong in a file on the encrypted drive, and portal keys do not belong in the same cloud bucket as the documents), rotate keys periodically, and restrict key access to authorized personnel only.
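What "require TLS 1.2 or higher" means for any script or integration your practice writes against a portal or vendor API: the added example below (not from the original page, and not any vendor's code) builds a hardened client context with Python's standard ssl module, summarizes its policy as plain values you can log, and can audit the protocol version and cipher a live endpoint actually negotiates. The host name in the commented usage line is an assumption.

```python
"""Hardened TLS client policy (TLS 1.2+, chain and hostname verification) plus an
endpoint audit, standard library only. Added example; the commented host name is an
assumption, not an endorsement of any vendor."""
import socket
import ssl

MIN_VERSION = ssl.TLSVersion.TLSv1_2
# Values ssl.SSLSocket.version() can report that fail the policy
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Refuse pre-1.2 protocols, require a valid chain, check the hostname, and
    disable TLS compression (CRIME)."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = MIN_VERSION
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """Plain values suitable for an audit log or a compliance check."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def version_meets_policy(negotiated: str) -> bool:
    """negotiated is what SSLSocket.version() returns, for example 'TLSv1.3'."""
    return negotiated not in WEAK_VERSIONS and negotiated in {"TLSv1.2", "TLSv1.3"}


def audit_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report what was negotiated. A handshake
    failure (expired certificate, wrong name, legacy-only server) raises ssl.SSLError,
    which is itself a finding."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
            cipher, _proto, bits = tls.cipher()
            return {"host": host, "version": version, "cipher": cipher,
                    "key_bits": bits, "compliant": version_meets_policy(version)}


if __name__ == "__main__":
    print(policy_summary(hardened_client_context()))
    # Network required; point it at the portal or vendor endpoint you actually use:
    # print(audit_endpoint("portal.example.com"))
```

Run `audit_endpoint` against each vendor endpoint you connect to and keep the output with your vendor oversight records; a server that only offers TLS 1.0 or 1.1 will fail the handshake rather than silently downgrade.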
Secure Development and Change Management
- Implement procedures to evaluate and address security during system development, acquisition, and maintenance.
- Test security controls before deploying new software, updates, or configuration changes.
- Maintain change logs documenting who made changes, when, and why.
Logging, Monitoring, and Disposal
- Activity Logging: Enable detailed logs on firewalls, servers, tax software, and authentication systems, including successful and failed logins and access to client files. The Rule sets no retention period; keeping logs for at least 12 months is common practice and supports incident investigations and compliance audits, since an intrusion is often discovered months after it began.
- Continuous Monitoring: Deploy automated tools (EDR, a log collector or SIEM with alert rules) to detect suspicious login attempts, malware, unauthorized file access, and configuration changes, and make sure a named person receives and acts on the alerts.
- Secure Disposal: Per 16 CFR § 314.4(c)(6), dispose of customer information no later than two years after the last date it was used in connection with serving the customer, unless retention is required by law or regulation, is necessary for a legitimate business purpose, or targeted disposal is not reasonably feasible given how the information is stored. IRC § 6107(b) separately requires preparers to keep a copy of each return (or a list of the taxpayers) for three years after the close of the return period, so return copies typically outlast the two-year default. Use cross-cut shredders for paper documents and certified data-destruction services for electronic media, and keep the certificates of destruction.
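Enabling logs is only half of the control; something has to read them. The added example below (not from the page or any product) runs three detections a practitioner would want over a small constructed client-portal log: a brute-force burst from one address, a successful login immediately after a run of failures for the same user (the credential-stuffing success case), and a client-file download outside business hours. The log format, user names, IP addresses, thresholds, and the business-hours window are all assumptions.

```python
"""Three detections over constructed client-portal logs. Added example: the log format,
users, addresses, thresholds and business hours are assumptions, not a vendor's format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<event>auth|download) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)(?: result=(?P<result>OK|FAIL))?(?: doc=(?P<doc>\S+))?$"
)

FAIL_THRESHOLD = 5              # failures from one IP inside FAIL_WINDOW -> brute force
FAILS_BEFORE_SUCCESS = 3        # failures for one user, then success -> possible compromise
FAIL_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC counts as business hours (assumption)

# Constructed sample: two legitimate daytime events, then a burst against msmith from
# 203.0.113.7 that succeeds and is followed by a late-night download.
SAMPLE_LOG = """\
2025-03-12T09:00:01Z auth user=jdoe ip=198.51.100.4 result=OK
2025-03-12T09:03:10Z download user=jdoe ip=198.51.100.4 doc=2024-1040-client0417.pdf
2025-03-12T21:40:00Z auth user=msmith ip=203.0.113.7 result=FAIL
2025-03-12T21:40:04Z auth user=msmith ip=203.0.113.7 result=FAIL
2025-03-12T21:40:09Z auth user=msmith ip=203.0.113.7 result=FAIL
2025-03-12T21:40:13Z auth user=msmith ip=203.0.113.7 result=FAIL
2025-03-12T21:40:18Z auth user=msmith ip=203.0.113.7 result=FAIL
2025-03-12T21:40:22Z auth user=msmith ip=203.0.113.7 result=OK
2025-03-12T22:05:30Z download user=msmith ip=203.0.113.7 doc=2024-1040-client0931.pdf
""".splitlines()


def parse_line(line):
    """One log line -> dict, or None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def _prune(window, now):
    """Drop timestamps older than FAIL_WINDOW from a per-key deque (sliding window)."""
    while window and now - window[0] > FAIL_WINDOW:
        window.popleft()


def analyze(lines):
    """Return alerts in log order; each alert is a dict with rule, ts, user, ip, detail."""
    alerts = []
    fails_by_ip = defaultdict(deque)
    fails_by_user = defaultdict(deque)
    unparsed = 0

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # a broken log pipeline is itself worth alerting on
            continue
        ts, user, ip = rec["ts"], rec["user"], rec["ip"]

        if rec["event"] == "auth" and rec["result"] == "FAIL":
            for window in (fails_by_ip[ip], fails_by_user[user]):
                _prune(window, ts)
                window.append(ts)
            if len(fails_by_ip[ip]) == FAIL_THRESHOLD:     # fires once, as the threshold is crossed
                alerts.append({"rule": "brute_force", "ts": ts, "user": user, "ip": ip,
                               "detail": f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW}"})

        elif rec["event"] == "auth":                        # result == OK
            window = fails_by_user[user]
            _prune(window, ts)
            if len(window) >= FAILS_BEFORE_SUCCESS:
                alerts.append({"rule": "success_after_failures", "ts": ts, "user": user, "ip": ip,
                               "detail": f"login succeeded after {len(window)} recent failures"})
            window.clear()

        elif rec["event"] == "download" and ts.hour not in BUSINESS_HOURS:
            alerts.append({"rule": "after_hours_download", "ts": ts, "user": user, "ip": ip,
                           "detail": f"{rec['doc']} at {ts:%H:%M} UTC"})

    if unparsed:
        alerts.append({"rule": "unparsed_lines", "ts": None, "user": None, "ip": None,
                       "detail": f"{unparsed} line(s) did not match the expected format"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["rule"], a["user"], a["ip"], a["detail"])
```

The second rule is the one that matters most for a tax practice: a brute-force burst that ends in a successful login is a compromised account until proven otherwise, and the subsequent download of a client return is the event your notification clock may start on.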
16 CFR § 314.4(c)(3) requires encryption of all customer information at rest and in transit over external networks; where the Qualified Individual determines that encryption is infeasible, effective alternative compensating controls that the Qualified Individual has reviewed and approved may be used instead.
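The two-year disposal clause is easier to get wrong than it looks: the clock runs from the last date the information was used to serve the client, not from when it was collected, and several retentions override it. Below is an added example (not from the page) of a retention sweep that applies those rules in order: legal hold first, then a statutory retention date such as the three-year preparer retention period of IRC § 6107(b) for return copies, then a documented business need, then the Safeguards Rule's two-year default. The record manifest, client identifiers, and dates are constructed.

```python
"""Retention sweep implementing 16 CFR 314.4(c)(6): dispose no later than two years after
the last use to serve the client unless a hold, a statute, or a legitimate business need
applies. Added example; the manifest below is constructed and the client IDs are arbitrary."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TWO_YEARS = timedelta(days=730)   # the Rule says "two years"; swap in a calendar check if preferred


@dataclass
class Record:
    client_id: str
    kind: str                                   # "return_copy", "supporting_doc", "intake_form"
    last_used: date                             # last date used in connection with serving the client
    statutory_hold_until: Optional[date] = None   # e.g. IRC 6107(b): return copy or list kept 3 years
                                                # after the close of the return period (Jul 1 - Jun 30)
    legal_hold: bool = False                    # litigation or regulatory preservation order
    business_need: Optional[str] = None         # documented legitimate business purpose, if any


def _as_date(today) -> date:
    """Accept a date or an ISO string so the sweep can be driven from a CLI."""
    return date.fromisoformat(today) if isinstance(today, str) else today


def disposition(rec: Record, today):
    """Return (action, reason); action is 'dispose' or 'retain'. Overrides are checked
    before the two-year default so a hold always wins."""
    today = _as_date(today)
    if rec.legal_hold:
        return "retain", "legal hold"
    if rec.statutory_hold_until and today < rec.statutory_hold_until:
        return "retain", f"statutory retention until {rec.statutory_hold_until}"
    if rec.business_need:
        return "retain", f"documented business need: {rec.business_need}"
    if today - rec.last_used >= TWO_YEARS:
        return "dispose", f"last used {rec.last_used}, past two-year limit"
    return "retain", f"within two-year window, disposal due {rec.last_used + TWO_YEARS}"


def sweep(records, today):
    """Split a manifest into a disposal list and a retained list (with reasons) for the
    Qualified Individual's sign-off. Destruction itself is done by shredder or certified vendor."""
    dispose, retain = [], []
    for rec in records:
        action, reason = disposition(rec, today)
        (dispose if action == "dispose" else retain).append((rec.client_id, rec.kind, reason))
    return dispose, retain


# Constructed manifest, evaluated as of a fixed date so the result is reproducible.
AS_OF = "2025-09-01"
MANIFEST = [
    Record("C-1001", "intake_form", date(2023, 3, 15)),                         # > 2 years: dispose
    Record("C-1001", "return_copy", date(2023, 3, 15),
           statutory_hold_until=date(2026, 6, 30)),                             # IRC 6107(b) still running
    Record("C-1002", "supporting_doc", date(2024, 4, 10)),                      # inside two-year window
    Record("C-1003", "supporting_doc", date(2022, 1, 20), legal_hold=True),     # hold wins
    Record("C-1004", "intake_form", date(2022, 11, 2),
           business_need="open IRS examination, client still engaged"),
]

if __name__ == "__main__":
    to_dispose, to_retain = sweep(MANIFEST, AS_OF)
    for row in to_dispose:
        print("DISPOSE", *row)
    for row in to_retain:
        print("RETAIN ", *row)
```

Keep the sweep's output with your disposal records: the retained list with reasons is the documentation an examiner will ask for when a client's data is older than two years and still on your systems.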
Monitor and Test the Effectiveness of Your Safeguards
The FTC Safeguards Rule requires regular monitoring and testing of the effectiveness of your safeguards. Practices with 5,000 or more consumers must conduct:
- Annual Penetration Testing: Hire a qualified third-party ethical hacker to simulate real-world cyberattacks against your network perimeter, web applications, and internal systems. Document findings, prioritize remediation by risk level, and retest after implementing fixes.
- Semiannual Vulnerability Assessments: Perform vulnerability scans at least every six months, after any material change to your operations or systems, and whenever you learn of circumstances that may materially affect your security program. Use scanners compatible with the Security Content Automation Protocol (SCAP) to identify missing patches, misconfigurations, and weak encryption settings, and track every finding to remediation.
- Continuous Monitoring (Alternative): If you implement continuous monitoring and testing of your safeguards, you may substitute it for the periodic penetration and vulnerability testing requirements.
Practices with fewer than 5,000 consumers are exempt from the penetration testing and vulnerability assessment requirements but must still monitor system performance and security events to detect anomalies.
Implement a Written Incident Response Plan
A documented incident response plan (IRP) is mandatory under the FTC Safeguards Rule for practices maintaining information for 5,000 or more consumers. Your IRP must define:
- Incident Response Team (IRT): Designate roles—IT lead, legal counsel, communications officer, senior partner—with clear responsibilities for detection, containment, eradication, recovery, and post-incident review.
- Incident Classification: Define categories (data breach, ransomware, phishing, DDoS, insider threat) and severity levels (critical, high, medium, low) to prioritize response.
- Containment Procedures: Document steps to isolate affected systems, revoke compromised credentials, disable network segments, and preserve forensic evidence.
- Recovery Steps: Specify how to restore from encrypted backups, rebuild compromised endpoints, verify data integrity, and return to normal operations.
- Notification Protocols: Outline timelines and procedures for notifying the FTC, affected clients, state attorneys general, and law enforcement. Include template breach notification letters and contact lists.
- Post-Incident Review: Conduct a “lessons learned” meeting after every significant incident to update policies, retrain staff, and improve controls.
For a comprehensive guide to building an effective IRP tailored to tax practices, consult our incident response plan resource.
⚠️ Critical Compliance Alert
If your practice experiences a “notification event”—unauthorized acquisition of unencrypted information for at least 500 consumers—you must notify the FTC electronically as soon as possible and no later than 30 days after discovery. Failure to report within this window may result in additional penalties and enforcement actions. This breach notification requirement became effective May 13, 2024.
Provide Ongoing Security Training for All Personnel
Your employees are the first line of defense—and often the weakest link—in your security posture. The FTC Safeguards Rule requires training for all personnel whose responsibilities involve handling customer information. Effective training programs should include:
- Security Awareness Fundamentals: Teach staff to recognize phishing emails, social engineering tactics, suspicious attachments, and fake login pages. According to the 2024 Verizon Data Breach Investigations Report, 68% of breaches involve a human element.
- Data Handling Procedures: Instruct employees on secure file storage, proper disposal of paper documents (cross-cut shredders for any document containing NPPI), use of locked cabinets, and screen-locking protocols.
- Incident Reporting: Establish clear escalation procedures for reporting potential security incidents—lost laptops, suspicious login alerts, unexpected system behavior—and ensure staff know whom to contact immediately (IT lead, Qualified Individual, or IRT).
- Role-Based Training: Tailor training to specific responsibilities—front-desk personnel learn secure client intake; tax preparers learn secure portal workflows; IT staff learn firewall configuration and intrusion detection.
- Simulated Phishing Tests: Conduct quarterly phishing simulations and use results to provide targeted remedial training for users who click malicious links or provide credentials.
Document all training sessions with attendance logs, training materials, evaluation results, and follow-up actions. Retain these records for at least two years to demonstrate compliance during audits.
Oversee and Manage Third-Party Service Providers
Many tax preparers rely on third-party vendors—cloud tax software platforms (Drake, Lacerte, ProSeries), document storage services (ShareFile, SmartVault), payment processors, and IT support companies. When these providers handle your clients’ NPPI, the FTC Safeguards Rule requires you to:
- Select Competent Providers: Perform due diligence before onboarding any vendor. Request security questionnaires covering encryption standards, access controls, incident response capabilities, and compliance certifications (SOC 2 Type II, ISO 27001, NIST compliance). Understanding the differences between cybersecurity and IT service providers is critical when evaluating vendors.
- Contractual Requirements: Include data protection addendums in all service agreements that require vendors to implement security measures at least as stringent as your own. Mandate breach notification within 24–48 hours, grant your practice the right to audit vendor security annually, and require secure return or deletion of NPPI upon contract termination.
- Ongoing Monitoring: Request annual security attestation reports (SOC 2 Type II), penetration-testing results, and vulnerability scan summaries. Conduct quarterly review meetings to discuss changes in vendor security posture, new product features, or emerging threats.
- Access Restrictions: Grant vendors only the minimum access necessary—narrow user accounts, scoped API tokens, or dedicated service accounts. Isolate vendor connections through VLANs, VPN tunnels, or zero-trust network architecture to prevent lateral movement in case of vendor compromise.
Maintain and Update Your Information Security Program
The FTC Safeguards Rule requires your information security program to be a living document that evolves with your practice, technology landscape, and threat environment. You must:
- Conduct Annual Program Reviews: Reassess your Written Information Security Plan (WISP) at least annually and whenever significant changes occur (new tax software, cloud migration, office expansion, merger/acquisition). For a turnkey solution, download our free IRS WISP template.
- Incorporate Lessons Learned: Update policies and controls based on incident post-mortems, penetration-test findings, employee feedback, and new regulatory guidance from the FTC, IRS, or NIST.
- Document Changes: Maintain version control for your WISP, data security policies, and incident response plan. For each revision, note the date, author, and summary of changes to create a clear audit trail.
- Stay Current with Threats: Subscribe to threat intelligence feeds (US-CERT, IRS e-Services alerts, CISA advisories) to receive early warnings of emerging threats targeting tax professionals—such as phishing campaigns impersonating IRS or state tax agencies.
Technical Implementation Checklist for FTC Safeguards Rule Compliance
To operationalize the FTC Safeguards Rule requirements, tax preparers should implement the following technical and administrative controls:
✅ FTC Safeguards Rule Compliance Checklist
- ☐ Designate a Qualified Individual (employee, affiliate, or contractor) with documented authority and annual reporting to senior management
- ☐ Conduct and document a comprehensive written risk assessment identifying assets, threats, vulnerabilities, and prioritized risks
- ☐ Develop a Written Information Security Plan (WISP) covering access controls, encryption, monitoring, training, vendor management, incident response, and disposal
- ☐ Implement role-based access control (RBAC) and enforce least-privilege principles for all systems handling NPPI
- ☐ Deploy multi-factor authentication (MFA) for all user accounts accessing customer information
- ☐ Encrypt NPPI at rest using AES-256 (BitLocker, FileVault, or equivalent) and in transit using TLS 1.2+ or VPN
- ☐ Enable detailed activity logging on firewalls, servers, authentication systems, and tax software; retain logs for 12+ months
- ☐ Conduct annual penetration testing and semiannual vulnerability assessments (or implement continuous monitoring as the alternative) if you maintain information on 5,000 or more consumers
- ☐ Deploy endpoint detection and response (EDR) or antivirus with real-time threat protection on all devices
- ☐ Provide annual security awareness training to all staff; conduct quarterly simulated phishing tests and document results
- ☐ Establish and document vendor oversight procedures: security questionnaires, contractual safeguards, SOC 2 reviews, periodic audits
- ☐ Create and maintain a written incident response plan with defined roles, containment procedures, and notification protocols
- ☐ Implement secure disposal procedures: cross-cut shredders for paper, certified data destruction for electronic media, disposal within two years of last use (unless retention required)
- ☐ Configure automatic session timeouts (5–10 minutes) and screen-locking on all workstations and laptops
- ☐ Maintain encrypted backups stored offline (air-gapped) or in immutable cloud storage to defend against ransomware
- ☐ Review and update your WISP and security policies annually or after significant changes
- ☐ Prepare breach notification templates, contact lists, and reporting workflows for FTC, state AG, and client notifications
Breach Notification and Reporting Requirements Under the FTC Safeguards Rule
Understanding the Notification Event Threshold
Effective May 13, 2024, the FTC Safeguards Rule requires covered financial institutions—including tax preparers—to report a “notification event” to the FTC. A notification event occurs when there is unauthorized acquisition of unencrypted customer information affecting at least 500 consumers. This includes situations where encrypted information was acquired along with the means to decrypt it (such as the encryption key).
Reporting Timeline and Procedures
If your practice experiences a notification event, you must:
- Notify the FTC Electronically: Submit a notification via the FTC’s electronic reporting system as soon as possible and no later than 30 days after discovering the breach. Include details such as the nature of the breach, categories of data involved, estimated number of affected individuals, remediation steps taken, and contact information for further inquiries.
- Law Enforcement Coordination: If a law enforcement agency determines that notification would impede a criminal investigation, it may request a delay of up to 30 days, which may be extended for up to 60 additional days with written justification. Further delay requires approval from FTC staff.
- State Notification Laws: Every state has a breach notification statute. Most require notification to affected individuals within 30–60 days of discovery, and the thresholds for notifying the state attorney general and the nationwide consumer reporting agencies (Equifax, Experian, TransUnion) vary by state, commonly 500 or 1,000 residents. Check the statute of every state in which affected clients reside, not just the state where your office is.
- IRS Notification: IRS Publication 4557 directs tax preparers to report client data theft immediately to their local IRS Stakeholder Liaison, so the IRS can flag the affected taxpayer accounts before fraudulent returns are filed, and to notify the affected state tax agencies (the Federation of Tax Administrators maintains state contacts).
Record Retention for Breach Documentation
Maintain comprehensive records of all security incidents and breach responses for at least two years (or longer as required by state law). Your documentation should include:
- Incident tickets, forensic reports, and containment timelines
- Copies of breach notification letters sent to clients, regulatory filings, and communications with law enforcement
- Post-incident review notes documenting lessons learned and updated controls
- Forensic artifacts (disk images, memory dumps, log files) for potential legal investigation and future threat intelligence
| Notification Requirement | Timeline | Authority |
|---|---|---|
| FTC notification for events affecting 500+ consumers | As soon as possible, no later than 30 days after discovery | 16 CFR § 314.4(j) |
| State breach notification to affected individuals | 30–60 days (varies by state) | State data breach statutes |
| State attorney general notification (threshold varies by state, commonly 500 or 1,000 residents) | Concurrent with individual notification | State data breach statutes |
| Consumer reporting agencies (threshold varies by state, commonly 1,000+ individuals) | Concurrent with individual notification | State data breach statutes |
| IRS Stakeholder Liaison and affected state tax agencies | Immediately upon discovery | IRS Publication 4557 |
Aligning FTC Safeguards Rule Compliance with IRS and NIST Standards
Tax preparers operate within a complex regulatory landscape where FTC Safeguards Rule requirements intersect with IRS mandates and industry best practices. To achieve comprehensive compliance and optimal security, align your program with:
- IRS Publication 4557: "Safeguarding Taxpayer Data" is the IRS's guidance for tax professionals on meeting the Safeguards Rule. Revenue Procedure 2007-40 makes compliance with the GLBA safeguards a condition of participation for Authorized IRS e-file Providers, so a lapse can put your EFIN (Electronic Filing Identification Number) at risk.
- IRS Security Six: The IRS "Security Six" identifies six baseline safeguards: anti-virus software, firewalls, two-factor authentication, backup software or services, drive encryption, and a virtual private network (VPN). Together they are the floor of any tax preparer security program.
- NIST Cybersecurity Framework: NIST's voluntary framework, now at version 2.0, is organized around six functions (Govern, Identify, Protect, Detect, Respond, and Recover) and offers a structured approach to managing cybersecurity risk. The IRS points tax professionals to it in its security guidance.
- NIST Small Business Fundamentals: NIST Interagency Report 7621 Revision 1 provides actionable guidance specifically tailored to small and medium-sized businesses, with step-by-step instructions for implementing access controls, encryption, logging, and incident response. Download the guide from the NIST Publications portal.
By integrating FTC Safeguards Rule mandates with IRS and NIST standards, tax preparers create a defense-in-depth security posture that meets all regulatory requirements while protecting against the full spectrum of cyber threats. For a comprehensive overview of all regulatory obligations, consult our 2025 cybersecurity compliance guide for tax professionals.
Common FTC Safeguards Rule Compliance Challenges and Solutions
Challenge 1: Resource Constraints in Small Practices
Solo practitioners and small tax firms often lack dedicated IT staff or cybersecurity budgets, making FTC Safeguards Rule compliance seem overwhelming.
Solution: Leverage the small-institution exemptions (practices maintaining information on fewer than 5,000 consumers need not produce a written risk assessment, annual penetration tests, semiannual vulnerability assessments, a written incident response plan, or an annual written report). Focus resources on the highest-impact controls: enable BitLocker/FileVault encryption on all devices, activate MFA on tax software and email, use a commercial password manager (1Password, Bitwarden), subscribe to a managed EDR service, and conduct annual employee security training. Many compliance requirements can be satisfied with low-cost or free tools and templates.
Challenge 2: Vendor Oversight Complexity
Tax preparers typically work with multiple vendors—software providers, cloud storage, payment processors, e-signature platforms—each with different security postures and contract terms.
Solution: Create a standardized vendor security questionnaire covering encryption, MFA, SOC 2 compliance, breach notification timelines, and data retention/deletion policies. Use a vendor risk matrix to prioritize oversight based on data sensitivity and access level. Negotiate uniform security addendums for all contracts that include breach notification within 48 hours, annual SOC 2 reports, right-to-audit clauses, and secure data return/deletion upon termination. Consolidate vendors where possible to reduce your attack surface and simplify oversight.
Challenge 3: Balancing Security with Client Convenience
Clients may resist MFA, encrypted portals, or other security measures that add friction to the tax preparation process.
Solution: Frame security as a client benefit—emphasize that encryption and MFA protect their Social Security numbers, bank accounts, and refunds from identity theft and tax fraud. Provide clear, step-by-step setup guides with screenshots for MFA enrollment. Offer brief training sessions or video tutorials. Remind clients that the IRS reports over $5.7 billion in confirmed tax identity theft refund fraud annually, and your security measures are designed to prevent them from becoming victims. Most clients will accept minor inconvenience once they understand the protection it provides.
Frequently Asked Questions
Who is subject to the FTC Safeguards Rule?
The FTC Safeguards Rule applies to financial institutions under FTC jurisdiction, including tax preparers, mortgage lenders, payday lenders, check cashers, collection agencies, certain investment advisors, and finders. If your practice collects, stores, or transmits nonpublic personal information (NPPI) such as Social Security numbers, income details, or bank account information, you are likely covered. Authorization as an IRS e-file provider further subjects you to overlapping requirements under IRS Publication 4557.
What is the penalty for non-compliance with the FTC Safeguards Rule?
The FTC can pursue civil enforcement actions for FTC Safeguards Rule violations. In practice the FTC typically obtains a consent order that imposes a mandatory security program, independent assessments, and years of compliance monitoring; violating such an order carries civil penalties of more than $50,000 per violation, an amount adjusted annually for inflation. Additionally, non-compliance exposes your practice to state-level fines, private lawsuits from affected clients, loss of professional credentials, and reputational damage that may permanently harm your business. Data breaches resulting from inadequate safeguards carry an average cost of $4.88 million, according to the IBM 2024 Cost of a Data Breach Report.
What is the difference between the FTC Safeguards Rule and the IRS Publication 4557?
The FTC Safeguards Rule is a federal regulation under the Gramm-Leach-Bliley Act that applies broadly to financial institutions, including tax preparers. IRS Publication 4557 is the IRS's guidance for tax professionals on safeguarding taxpayer data and meeting that Rule. The two overlap heavily—both call for encryption, MFA, risk assessments, and incident response—but Pub 4557 adds IRS-specific guidance such as protecting your EFIN and e-Services account, monitoring EFIN return counts for misuse, and reporting client data theft to the IRS Stakeholder Liaison. Authorized e-file providers are bound by both through Revenue Procedure 2007-40; non-e-file preparers must still comply with the FTC rule.
Do I need to hire a cybersecurity professional to comply with the FTC Safeguards Rule?
The FTC Safeguards Rule requires you to designate a “Qualified Individual” to oversee your information security program. This person may be an employee, an affiliate, or a contracted service provider, but they must have the knowledge, experience, and authority to implement and enforce security policies. Solo practitioners and small firms with limited budgets can designate an experienced IT consultant or managed security service provider (MSSP) as their Qualified Individual. However, you remain legally responsible for the adequacy of your program even if you outsource the role. Many small practices benefit from partnering with a specialized tax-focused cybersecurity provider who understands both FTC and IRS requirements.
How often must I conduct risk assessments under the FTC Safeguards Rule?
The FTC Safeguards Rule requires your program to be based on a risk assessment (a written one if you maintain information on 5,000 or more consumers) and to be periodically reassessed, including whenever significant changes occur in your practice—such as deploying new tax software, migrating to the cloud, opening a new office, or experiencing a security incident. Best practice is to perform a comprehensive risk assessment at least annually and to conduct targeted assessments whenever you onboard a new vendor, upgrade infrastructure, or change operational procedures. Document each assessment with dates, methodologies, findings, and remediation timelines, and retain these records for audit purposes.
What is a notification event under the FTC Safeguards Rule?
A “notification event” under the FTC Safeguards Rule occurs when there is unauthorized acquisition of unencrypted customer information (or encrypted information acquired with the means to decrypt it) affecting at least 500 consumers. If your practice experiences a notification event, you must report it to the FTC electronically as soon as possible and no later than 30 days after discovery. This breach notification requirement became effective May 13, 2024, and applies to all covered financial institutions regardless of size.
Are there exemptions from the FTC Safeguards Rule for small tax practices?
Yes. The FTC Safeguards Rule provides limited exemptions for financial institutions that maintain customer information for fewer than 5,000 consumers. These small practices are not required to conduct biannual vulnerability assessments, annual penetration testing, or maintain a written incident response plan. However, they must still designate a Qualified Individual, implement encryption (at rest and in transit), deploy multi-factor authentication, conduct risk assessments, provide employee training, oversee service providers, and comply with all other core safeguards requirements.
Taking Action: Your Next Steps for FTC Safeguards Rule Compliance
Achieving and maintaining FTC Safeguards Rule compliance requires a structured, proactive approach that integrates regulatory requirements with practical security controls. Tax preparers should take the following steps to protect client data, avoid enforcement actions, and build a resilient practice:
- Assess Your Current State: Conduct a gap analysis comparing your existing security controls against FTC Safeguards Rule requirements, IRS Publication 4557 mandates, and the NIST Cybersecurity Framework. Identify missing controls, outdated policies, and high-risk vulnerabilities.
- Designate Your Qualified Individual: Appoint an employee, partner, or contracted cybersecurity professional with the expertise and authority to oversee your information security program. Document this designation and establish a reporting cadence (at least annually) to senior management or ownership.
- Develop Your Written Information Security Plan (WISP): Create or update your WISP using our free IRS WISP template to document risk assessments, safeguards, employee training, vendor oversight, incident response, and program maintenance procedures.
- Implement Core Technical Controls: Enable full-disk encryption (BitLocker/FileVault), deploy MFA on all systems handling NPPI, configure TLS 1.2+ for data in transit, activate endpoint detection and response (EDR), enable activity logging, and establish encrypted offline backups.
- Train Your Team: Conduct comprehensive security awareness training for all employees, perform quarterly simulated phishing tests, and provide role-specific instruction on secure data handling, access controls, and incident reporting.
- Establish Vendor Oversight: Inventory all third-party service providers, collect SOC 2 reports or security questionnaires, negotiate contractual security requirements, and schedule periodic vendor reviews.
- Test and Monitor: If your practice maintains information for 5,000+ consumers, schedule annual penetration testing and biannual vulnerability assessments. Implement continuous monitoring with automated alerts for suspicious activity, malware, and configuration changes.
- Prepare for Incidents: Develop a written incident response plan, create breach notification templates, establish contact lists for FTC, state AG, and client notifications, and conduct tabletop exercises to test the readiness of your incident response team (IRT).
- Document Everything: Maintain detailed records of risk assessments, training logs, vendor reviews, testing results, incident responses, and WISP revisions for at least two years to demonstrate compliance during audits.
- Review and Update Regularly: Schedule annual reviews of your information security program, update policies to address new threats and regulatory guidance, and continuously improve controls based on lessons learned from incidents and testing.
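Added example, not code from this guide or from Bellator Cyber: a read-only PowerShell self-check of the Windows-side controls named in the "Implement Core Technical Controls" step (BitLocker status, legacy TLS protocols disabled, Defender real-time protection, Security event log). It assumes Windows 10/11 with the built-in BitLocker and Defender modules and an elevated prompt; the 256 MB log-size floor is an assumed minimum, not a regulatory figure.

```powershell
# Added self-check (not part of the guide): reports on the Windows controls listed under
# "Implement Core Technical Controls". Read-only; run from an elevated PowerShell prompt.
# Assumes Windows 10/11 with the built-in BitLocker and Defender modules available.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Control, [string]$Item, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Item = $Item; Pass = $Pass; Detail = $Detail })
}

# 1. Full-disk encryption: each volume should be fully encrypted with protection turned on.
foreach ($vol in Get-BitLockerVolume) {
    $ok = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
    Add-Finding 'Disk encryption' $vol.MountPoint $ok "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
}

# 2. Data in transit: legacy SCHANNEL protocols should be explicitly disabled (Enabled = 0)
#    so the host only negotiates TLS 1.2 or newer. A missing key means the OS default applies,
#    which is reported as a failure so it gets reviewed rather than assumed safe.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$proto\$side"
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $detail = if ($null -eq $enabled) { 'not configured (OS default)' } else { "Enabled=$enabled" }
        Add-Finding 'TLS 1.2+ only' "$proto $side" ($enabled -eq 0) $detail
    }
}

# 3. Endpoint protection: Microsoft Defender real-time protection. If a third-party EDR agent
#    is deployed, verify it in that product's console; this query only sees Defender.
$mp = Get-MpComputerStatus
Add-Finding 'Endpoint protection' 'Defender real-time' $mp.RealTimeProtectionEnabled "AV enabled: $($mp.AntivirusEnabled)"

# 4. Activity logging: the Security log must be enabled and sized so it does not wrap within days.
#    256 MB is an assumed floor for a small practice; adjust to your retention needs.
$sec = Get-WinEvent -ListLog Security
$minBytes = 256MB
$logOk = ($sec.IsEnabled) -and ($sec.MaximumSizeInBytes -ge $minBytes)
Add-Finding 'Activity logging' 'Security event log' $logOk "enabled=$($sec.IsEnabled), max=$([math]::Round($sec.MaximumSizeInBytes / 1MB)) MB"

# MFA and encrypted offline backups cannot be verified from the endpoint alone: confirm them in
# your identity provider and backup console, and record the result in the WISP.
$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object { -not $_.Pass })
Write-Host ("{0} of {1} checks passed" -f ($findings.Count - $failed.Count), $findings.Count)
```

Any failed row is a gap to record in the risk assessment with a remediation date; rerun the script after remediation and keep both outputs with the WISP as evidence.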
Get Your Free FTC Safeguards Rule Compliance Assessment
Bellator Cyber specializes in FTC Safeguards Rule compliance for tax professionals. Schedule a free 30-minute consultation to assess your current security posture, identify gaps, and develop a practical roadmap to full compliance—protecting your clients, your practice, and your reputation.
Official Resources for FTC Safeguards Rule Compliance
Tax preparers seeking authoritative guidance on FTC Safeguards Rule requirements and implementation should consult the following official resources:
- FTC Safeguards Rule: What Your Business Needs to Know – Official FTC plain-language compliance guide covering scope, requirements, breach notification, and glossary
- 16 CFR Part 314 – Standards for Safeguarding Customer Information – Full regulatory text on eCFR with amendments, definitions, and authority citations
- FTC Legal Library: Safeguards Rule – Comprehensive hub linking to Federal Register notices, press releases, workshops, and enforcement cases
- FTC Gramm-Leach-Bliley Act Guidance – Overview of GLBA Privacy Rule and Safeguards Rule with industry-specific FAQs and model forms
- IRS Tax Security 2.0: Data Security Plan Guidance – IRS news release explaining federal law requirements, Revenue Procedure 2007-40, and NIST implementation resources
- IRS Safeguards Program – Official IRS page detailing safeguards requirements for authorized e-file providers and Publication 4557 guidance
- NIST Small Business Information Security: The Fundamentals – Practical step-by-step cybersecurity guide for small and medium-sized businesses (NIST IR 7621 Rev 1)
- NIST Cybersecurity Framework – Voluntary framework for managing cybersecurity risk aligned with industry standards and best practices
By implementing the controls outlined in this guide, documenting your program in a comprehensive WISP, and staying current with evolving regulatory guidance, your tax preparation practice will meet all FTC Safeguards Rule requirements while building a security-first culture that protects client data and strengthens client trust. Compliance is not a one-time project—it is an ongoing commitment to vigilance, adaptation, and continuous improvement in the face of persistent and evolving cyber threats.