
FTC Safeguards Rule Explained: Tax Preparer’s Compliance Checklist

Learn how the FTC Safeguards Rule for tax preparers applies to your practice. Step-by-step 2026 compliance checklist with requirements, penalties, and resources.


FTC Safeguards Rule for Tax Preparers: Your 2026 Compliance Roadmap

The FTC Safeguards Rule requires financial institutions—including tax preparers—to develop, implement, and maintain a written information security program that protects customer data. Under 16 CFR Part 314, covered entities must deploy administrative, technical, and physical safeguards appropriate to their size, complexity, and the sensitivity of nonpublic personal information (NPI) they handle.

Non-compliance carries steep consequences. Tax professionals face federal enforcement actions, state-level penalties, and reputational damage that can shutter a practice. According to the IBM Cost of a Data Breach Report 2024, the average cost of a data breach reached $4.88 million—a figure that would devastate most tax firms. This guide provides tax preparers with a detailed compliance checklist to meet every FTC Safeguards Rule requirement in 2026.

Legal Foundation and Scope

The FTC Safeguards Rule, formally titled the Standards for Safeguarding Customer Information, was established under the Gramm-Leach-Bliley Act (GLBA) to ensure that financial institutions protect the security, confidentiality, and integrity of customer information. The Rule first took effect in 2003. It was substantially amended in December 2021, with most of the new technical requirements taking effect on June 9, 2023, and an October 2023 amendment added breach notification requirements effective May 13, 2024. The Rule now imposes specific technical and procedural requirements on covered entities.

Tax preparers fall under the FTC Safeguards Rule because tax preparation is classified as a "financial activity" under the GLBA. When you collect Social Security numbers, income details, bank account information, or other NPI to prepare returns, you operate as a financial institution under FTC jurisdiction. This classification requires you to implement the same level of data protection as banks, credit unions, and other traditional financial entities. To understand how a Written Information Security Plan (WISP) fits into this framework, review how these requirements intersect with IRS mandates.

Key Applicability Factors for Tax Preparers

  • Business type: Any entity preparing tax returns, providing tax advice, or handling taxpayer financial data—including sole proprietors, partnerships, and firms of any size
  • Data handled: Social Security numbers, employer identification numbers (EINs), wage statements (W-2s, 1099s), bank account details, investment records, and dependent information
  • Regulatory overlap: The FTC Safeguards Rule works alongside IRS Publication 4557 requirements, creating layered compliance obligations that reinforce each other
  • No size exemption: Even solo practitioners handling a single client's NPI are covered, though certain requirements scale based on the number of consumers whose data you maintain

FTC Safeguards Rule Compliance by the Numbers

$4.88M
Average Data Breach Cost

IBM 2024 report average across all industries—small firms face proportionally higher impact relative to revenue

68%
Breaches Involve Human Error

Verizon DBIR 2024 found the majority of breaches trace back to a human element such as phishing or credential misuse

30 Days
FTC Notification Deadline

Covered entities must notify the FTC as soon as possible, and no later than 30 days after discovering a "notification event": the unauthorized acquisition of unencrypted customer information involving 500 or more consumers

Why Tax Preparers Must Prioritize FTC Safeguards Rule Compliance

Tax professionals handle some of the most sensitive personal and financial data available—Social Security numbers, employer identification numbers, wage and income statements, bank account details, investment records, and dependent information. This data concentration makes tax preparation firms high-value targets for cybercriminals seeking to commit identity theft, file fraudulent returns, and monetize stolen credentials on the dark web. For a deeper look at the evolving threat environment, see our analysis of cyberattacks targeting tax firms.

The FTC Safeguards Rule for tax preparers recognizes this risk profile and establishes mandatory baseline security controls. Beyond regulatory compliance, implementing these safeguards delivers tangible business benefits:

  • Reduced breach risk through layered security controls and continuous monitoring
  • Enhanced client trust that translates directly into client retention and referrals
  • Competitive differentiation as security-conscious clients seek verified compliant preparers
  • Lower cyber insurance premiums from demonstrable compliance with recognized standards
  • Operational resilience enabling your firm to recover rapidly from security incidents

The FTC has signaled aggressive enforcement of the amended Rule. In fiscal year 2025, the agency pursued multiple enforcement actions against financial institutions—including tax-related businesses—for failure to implement required safeguards. Tax practices that delay compliance risk not only penalties but also the operational disruption of responding to an FTC investigation. Firms that invest in proper cybersecurity programs for accounting and CPA practices position themselves well ahead of enforcement actions.

2026 Enforcement Alert

All provisions of the amended FTC Safeguards Rule are fully enforceable in 2026, including the breach notification requirements effective since May 2024. Tax preparers who have not completed their information security program implementation face immediate enforcement risk. The FTC does not provide grace periods once a complaint or examination is initiated.

Step 1: Conduct and Document a Written Risk Assessment

The FTC Safeguards Rule requires a documented, periodic risk assessment that identifies reasonably foreseeable internal and external threats to the security, confidentiality, and integrity of customer information. Your risk assessment forms the foundation of your entire security program—every safeguard you deploy should trace back to a risk identified in this assessment.

Your assessment must evaluate four key areas: asset inventory, threat identification, vulnerability analysis, and likelihood and impact scoring. Start by cataloging all systems, applications, and physical locations where NPI is collected, stored, processed, or transmitted. Include cloud-based tax preparation software, client portals, email systems, local workstations, and any mobile devices used for business purposes. Then document potential threats such as phishing attacks, ransomware, insider threats, lost or stolen devices, unauthorized access, and natural disasters.

Next, assess weaknesses in your current controls: outdated software, lack of multi-factor authentication (MFA), unencrypted backups, insufficient employee training, or weak passwords. Finally, prioritize risks based on probability of occurrence and potential damage. The IRS Tax Security 2.0 initiative recommends aligning your risk assessments with IRS Publication 4557 and the NIST Cybersecurity Framework (CSF) 2.0. Your WISP should reference and incorporate your risk assessment findings directly—our guide on how to create a WISP walks through this integration step by step.

Practices maintaining information for 5,000 or more consumers must produce a written risk assessment. Smaller practices should still document their assessment process to demonstrate due diligence during any regulatory review or client inquiry.

Risk Assessment Process for Tax Preparers

1. Catalog Your Data Assets: Inventory every system, application, device, and physical location where client NPI is collected, stored, processed, or transmitted. Include cloud tax software, email, client portals, USB drives, and paper files.

2. Identify Threats and Vulnerabilities: Document internal threats (disgruntled employees, accidental exposure) and external threats (phishing, ransomware, brute-force attacks). Map each threat against your current control gaps such as missing MFA, outdated software, or unencrypted storage.

3. Score and Prioritize Risks: Rate each identified risk by likelihood and potential impact using a consistent scoring methodology. Assign risk levels (high, medium, low) so you can allocate resources to the most pressing exposures first.

4. Map Safeguards to Risks: For every high and medium risk, document the specific administrative, technical, or physical safeguard you will implement. This creates a direct, auditable link between your risk assessment and your security program.

5. Schedule Reassessments: Plan reassessments whenever your firm adopts new technology, changes business operations, experiences a security incident, or at minimum annually. Document the reassessment schedule in your WISP.
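The five steps above, carried through as an added example (written for this page, not code from the original article): a small risk register with a 5x5 likelihood-by-impact scoring scale, level thresholds, prioritization, and a gap check that lists any high or medium risk with no safeguard mapped to it. The scale, the thresholds, and the sample risks are assumptions for illustration; the Rule requires a consistent, documented methodology, not these particular numbers.

```python
"""Risk register scoring and safeguard-mapping check (added example).

Assumptions (illustrative, not prescribed by 16 CFR Part 314):
  likelihood and impact are each scored 1..5, score = likelihood * impact,
  and score >= 15 is high, >= 8 is medium, anything lower is low.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str                      # where NPI lives: system, device, or location
    threat: str                     # reasonably foreseeable internal or external threat
    likelihood: int                 # 1 (rare) .. 5 (expected this year)
    impact: int                     # 1 (negligible) .. 5 (practice-ending)
    safeguards: list[str] = field(default_factory=list)  # controls mapped to this risk

    def __post_init__(self) -> None:
        # Reject scores outside the scale so the register stays consistent.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


def prioritized(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by asset name so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.asset))


def unmitigated(register: list[Risk]) -> list[Risk]:
    """High and medium risks with no safeguard mapped: gaps the WISP must close."""
    return [r for r in register if r.level != "low" and not r.safeguards]


def summary(register: list[Risk]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for r in register:
        counts[r.level] += 1
    return counts


# Constructed sample register for a small practice (illustrative values only).
SAMPLE_REGISTER = [
    Risk("Cloud tax software", "Credential phishing of a preparer", 4, 5,
         ["MFA on all accounts", "Quarterly phishing simulation"]),
    Risk("Office workstations", "Ransomware via malicious attachment", 3, 5,
         ["EDR with automated isolation", "Tested offline backups"]),
    Risk("Staff laptops", "Lost or stolen device", 3, 4),   # nothing mapped yet
    Risk("Email", "Client sends W-2 unencrypted", 5, 3, ["Encrypted client portal"]),
    Risk("Paper files", "After-hours break-in", 1, 3, ["Locked cabinets"]),
]

if __name__ == "__main__":
    for r in prioritized(SAMPLE_REGISTER):
        print(f"{r.level:6} {r.score:2}  {r.asset}: {r.threat}")
    print("gaps:", [r.asset for r in unmitigated(SAMPLE_REGISTER)])
    print("summary:", summary(SAMPLE_REGISTER))
```

The gap check is the part an examiner will look for: every entry in `unmitigated()` is a risk you have acknowledged in writing and done nothing about. Either map a safeguard to it or record the accepted-risk decision and who approved it.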

Step 2: Design and Implement Risk-Based Safeguards

Once you have completed your risk assessment, the FTC Safeguards Rule for tax preparers requires you to design and implement safeguards that address each identified risk. These controls fall into three categories: administrative, technical, and physical. The Rule specifies several mandatory elements that every covered tax preparer must address.

Access Controls and Authentication

Implement role-based access control (RBAC) to ensure staff members can access only the client data necessary for their specific job functions. A seasonal preparer working on individual returns should not have access to your firm's business client files or administrative systems. Pair RBAC with MFA on every system that holds NPI; the Rule requires it unless your Qualified Individual has approved in writing an equivalent or more secure control. Prefer phishing-resistant factors such as FIDO2 security keys or passkeys: SMS codes and push prompts stop commodity credential stuffing, but an attacker proxying your login page can relay a one-time code in real time or wear a user down with repeated push requests.

Additional access requirements include a password policy built on length rather than complexity (the Rule does not prescribe one; NIST SP 800-63B recommends allowing long passphrases, screening new passwords against lists of known-breached passwords, and dropping mandatory composition rules and routine forced rotation), automatic session timeouts after periods of inactivity, and immediate credential revocation when employees leave the firm, including any shared service accounts, portal logins, or API keys they knew. For tax practices adopting modern security architectures, a zero-trust approach to data access offers a powerful framework for enforcing least-privilege principles across the organization.

Encryption and Key Management

The Rule requires NPI to be encrypted both at rest and in transit; it does not name algorithms, but AES-256 for stored data and Transport Layer Security (TLS) 1.2 or higher (1.3 preferred, with TLS 1.0 and 1.1 disabled) for data crossing a network are the accepted baseline. This applies to tax returns stored on local drives, data synced to cloud platforms, email attachments containing client information, and backups. Where encryption is genuinely infeasible, the Rule allows your Qualified Individual to approve and document an effective compensating control instead; treat that as the exception, not the plan. For detailed guidance on meeting these standards, review our resource on tax document encryption requirements.

Implement a formal key management process that includes secure key generation, storage in hardware security modules or equivalent secure containers, regular rotation schedules, and documented procedures for key destruction when no longer needed. Whoever can read the key can read every return, so keep keys separate from the data they protect: a backup tape that carries both the encrypted returns and the key that decrypts them is, for notification purposes, an unencrypted backup.

Activity Logging and Monitoring

Deploy logging across all systems that process NPI. Capture authentication events (successful and failed logins), data access and modification records, administrative changes, and file transfers. Synchronize clocks across systems and ship logs to a store the logged users cannot modify; otherwise an intruder who gains administrator rights can erase the trail you will need during an investigation. Retain logs for a minimum period defined in your WISP and review them regularly for anomalous activity. Automated Security Information and Event Management (SIEM) tools or managed detection services can streamline this requirement for smaller firms.
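To make the review step concrete, here is an added example (written for this page, not code from the original article or from any product) that runs three detections over a constructed JSON-lines log: a burst of failed logins against one account, a successful login outside business hours, and one user reading an unusual number of distinct client files within an hour. The log format, field names, thresholds, and business hours are assumptions; adapt them to what your tax software, client portal, and identity provider actually emit.

```python
"""Review authentication and file-access logs for anomalies (added example).

Assumed log schema (one JSON object per line): ts (ISO 8601 local time),
event (login_failed | login_success | file_read), user, and for file_read
a client identifier. Thresholds below are starting points, not Rule text.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5          # failures for one user inside WINDOW
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (7, 19)            # successes outside 07:00-19:00 are flagged
BULK_FILE_THRESHOLD = 25            # distinct client files per user per clock hour


def parse(lines):
    """Parse JSON lines into event dicts with a datetime ts, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events):
    """(user, first_ts) for each user with >= threshold failures in a sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_user[e["user"]].append(e["ts"])
    findings = []
    for user, stamps in by_user.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > WINDOW:
                start += 1                      # drop failures older than WINDOW
            if end - start + 1 >= FAILED_LOGIN_THRESHOLD:
                findings.append((user, stamps[start]))
                break                           # one finding per user is enough
    return findings


def off_hours_logins(events):
    """(user, ts) for successful logins outside BUSINESS_HOURS."""
    return [(e["user"], e["ts"]) for e in events
            if e["event"] == "login_success"
            and not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1])]


def bulk_file_access(events):
    """Users who read >= BULK_FILE_THRESHOLD distinct client files in one clock hour."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "file_read":
            hour = e["ts"].replace(minute=0, second=0, microsecond=0)
            seen[(e["user"], hour)].add(e["client"])
    return sorted({user for (user, _), files in seen.items()
                   if len(files) >= BULK_FILE_THRESHOLD})


def review(lines):
    events = parse(lines)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "off_hours_logins": off_hours_logins(events),
        "bulk_file_access": bulk_file_access(events),
    }


# Constructed sample log: five failures against jdoe in four minutes, a service
# account logging in at 02:15, and mlee opening 30 client files in one hour.
SAMPLE_LOG_LINES = (
    [f'{{"ts": "2026-03-02T09:0{i}:00", "event": "login_failed", "user": "jdoe"}}'
     for i in range(5)]
    + ['{"ts": "2026-03-02T09:06:00", "event": "login_success", "user": "jdoe"}',
       '{"ts": "2026-03-03T02:15:00", "event": "login_success", "user": "svc_backup"}']
    + [f'{{"ts": "2026-03-03T14:{m:02d}:00", "event": "file_read", "user": "mlee", "client": "C{m}"}}'
     for m in range(30)]
    + ['{"ts": "2026-03-03T15:05:00", "event": "file_read", "user": "aroy", "client": "C7"}']
)

if __name__ == "__main__":
    for name, findings in review(SAMPLE_LOG_LINES).items():
        print(f"{name}: {findings}")
```

None of these three findings is proof of compromise on its own: a legitimate bulk read happens every filing season, and a backup service account may well run at 02:15. The point of the review is that each finding gets a named reviewer, a dated note explaining it, and an escalation when it cannot be explained, and that record is what you produce when asked how you monitor access to NPI.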

Secure Disposal

Establish documented procedures for the secure destruction of NPI when retention periods expire. The Rule sets an outer bound: dispose of customer information no later than two years after the last date it was used to provide a product or service to the customer, unless retention is necessary for a legitimate business purpose or required by law. Physical records require cross-cut shredding. Electronic records require sanitization that meets NIST SP 800-88; note that overwriting is only a "Clear" method suitable for magnetic disks, while SSDs and cloud storage need a cryptographic erase or the vendor's documented purge, and a phone or laptop sold on without that step is a disclosure. Maintain destruction certificates for auditing purposes.

FTC Safeguards Rule Compliance Checklist for Tax Preparers

  • Designate a Qualified Individual to oversee the information security program
  • Complete and document a written risk assessment covering all NPI systems
  • Implement role-based access controls limiting data access by job function
  • Enforce multi-factor authentication on every system containing client NPI
  • Encrypt all NPI at rest using AES-256 and in transit using TLS 1.2 or higher
  • Deploy activity logging for authentication events and data access across all systems
  • Choose continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months (required when you hold NPI on 5,000 or more consumers; recommended for all firms)
  • Establish a written incident response plan with defined roles and communication procedures (required at 5,000 or more consumers; recommended for all firms)
  • Provide security awareness training for all staff within 30 days of hire and annually
  • Vet third-party service providers and execute contracts with security requirements
  • Implement secure disposal procedures for physical and electronic records
  • Review and update the information security program at least annually
  • Create and test a documented data backup and recovery plan
  • Establish a breach notification process meeting FTC 30-day and state-level deadlines

Step 3: Monitor and Test the Effectiveness of Your Safeguards

Deploying safeguards is only half the equation—the FTC Safeguards Rule mandates ongoing monitoring and testing to verify those controls actually work. Tax preparers must demonstrate that their security program is not merely a paper exercise but a living, functional system that adapts to new threats.

Penetration Testing and Vulnerability Assessments

The Rule's testing provision (16 CFR 314.4(d)(2)) gives covered firms a choice: continuous monitoring of your information systems, or periodic testing consisting of annual penetration testing plus vulnerability assessments at least every six months and whenever a material change in operations could affect your systems. Penetration testing simulates real-world attack scenarios against your systems to identify exploitable weaknesses before adversaries do. Vulnerability assessments scan your environment for known security gaps such as missing patches, misconfigurations, and outdated software.

Practices that maintain NPI on fewer than 5,000 consumers are exempt from this provision under 16 CFR 314.6 (the same exemption covers the written risk assessment, the written incident response plan, and the annual written report). The exemption is a reporting relief, not a safety margin: a breach at a small firm is investigated the same way, so engaging a qualified third party for at least one annual vulnerability assessment remains a best practice regardless of firm size. Understanding attacker methodologies through frameworks like MITRE ATT&CK helps you focus testing on the techniques most commonly used against tax industry targets.

Continuous Monitoring

Continuous monitoring provides real-time visibility into your security posture. This includes automated alerting on suspicious login patterns, unauthorized data transfers, malware detections, and configuration changes. For firms without in-house security staff, managed security services can provide 24/7 monitoring and incident triage at a fraction of the cost of building an internal security operations center.

Incident Response Planning

Your incident response plan must define specific roles and responsibilities, communication protocols (internal and external), containment and eradication procedures, evidence preservation steps, and recovery timelines. Test this plan through tabletop exercises at least annually, simulating scenarios relevant to tax practices—such as a ransomware attack during filing season or a compromised client portal. Document the results of each exercise and update the plan based on lessons learned.

Monitoring Requirements at a Glance

The FTC Safeguards Rule splits several obligations by firm size. Practices with NPI on 5,000 or more consumers must either monitor continuously or run annual penetration tests plus vulnerability assessments every six months, and must maintain a written incident response plan. Practices below that threshold are exempt from those written requirements under 16 CFR 314.6, but should still conduct at least one annual vulnerability assessment and keep a tested incident response plan, because the duty to safeguard the data applies to everyone. Document every test, its findings, and the remediation steps taken.

Step 4: Provide Ongoing Security Training for All Personnel

Human error remains the leading cause of data breaches. The Verizon Data Breach Investigations Report (DBIR) 2024 found that 68% of breaches involve a human element—whether through clicking phishing links, mishandling sensitive data, or falling victim to social engineering. The FTC Safeguards Rule requires that all personnel receive security awareness training appropriate to their roles and the data they access.

Effective training programs for tax practices should cover several core areas. First, every employee needs foundational security awareness training that addresses password hygiene, recognizing phishing emails, safe browsing practices, and physical security protocols such as locking workstations and securing printed documents. Second, staff must understand your firm's specific data handling procedures—how to receive client documents securely, when and how to use encrypted channels, and proper disposal of NPI.

Third, all personnel need clear guidance on incident reporting: whom to contact, what qualifies as a reportable event, and the timeline expectations for escalation. Fourth, individuals with elevated access or specialized roles—such as firm administrators, IT staff, or those managing third-party integrations—require role-specific training that addresses the additional risks associated with their responsibilities. Understanding common social engineering tactics is particularly valuable for front-desk staff and anyone who interacts directly with clients.

Run phishing simulations at least quarterly to measure staff awareness and identify individuals who need additional coaching. Document all training activities, attendance records, simulation results, and remedial actions. The FTC expects to see evidence of a mature, ongoing training program—not a one-time orientation session.

Step 5: Oversee and Manage Third-Party Service Providers

Tax preparers frequently rely on third-party vendors—cloud tax software providers, IT support companies, document management platforms, and payment processors—that access or store client NPI on their behalf. The FTC Safeguards Rule places the responsibility for protecting that data squarely on the tax preparer, regardless of where the data physically resides.

Before engaging any service provider, conduct documented due diligence to evaluate their security practices. Request evidence of security certifications (SOC 2 Type II, ISO 27001), review their incident response capabilities, and assess their data handling and retention policies. Verify that their tax preparation software meets security standards before granting access to client data.

Execute written contracts that specify the provider's security obligations, including: the specific safeguards they must maintain, their breach notification responsibilities (with timelines faster than or equal to your own obligations), their cooperation during audits or assessments, data return and destruction procedures upon contract termination, and limitations on data use and sharing.

Monitor your vendors on an ongoing basis. Review their security posture at least annually, require notification of any material changes to their security program, and maintain the right to audit. If a vendor fails to meet contractual security requirements, have an exit strategy and transition plan ready to protect your clients' data continuity.

Third-Party Risk: Your Responsibility, Their Systems

Under the FTC Safeguards Rule for tax preparers, you bear full accountability for the security of client NPI—even when that data sits on a vendor's servers. Due diligence before engagement, binding contractual security requirements, and ongoing monitoring are all mandatory. If a breach originates from your vendor, the FTC will still look to your firm for compliance failures. Build vendor oversight into your WISP and treat it as an active, continuous process rather than a one-time checkbox.

Step 6: Maintain and Update Your Information Security Program

A static security program is an ineffective one. The FTC Safeguards Rule requires covered entities to evaluate and adjust their information security programs in response to changes in their operations, threat environment, or the results of testing and monitoring activities. For tax preparers, this means building a review and update cadence directly into your firm's operational calendar.

Schedule a formal program review at least annually. During this review, assess whether new services, software, or workflows introduced during the year create additional risks that require new or modified controls. Examine the results of penetration tests, vulnerability assessments, and training exercises to identify patterns or persistent gaps. Review any security incidents that occurred during the period and verify that corrective actions were fully implemented.

Maintain version control on all policy and procedure documents. Each revision should include a date, the author of the change, a summary of what was modified and why, and the approval of your designated Qualified Individual. This documentation trail is essential during regulatory examinations and demonstrates your firm's commitment to continuous improvement.

Subscribe to threat intelligence feeds relevant to the tax industry, such as IRS alerts, FBI Internet Crime Complaint Center (IC3) bulletins, and sector-specific threat advisories. A reliable data backup and recovery plan should also be reviewed and tested during each update cycle. These sources help you stay ahead of emerging threats and ensure your safeguards evolve alongside the risks your firm faces.

Breach Notification and Reporting Requirements

The FTC's October 2023 amendment to the Safeguards Rule added formal breach notification requirements, effective May 13, 2024. They are triggered by a "notification event": the unauthorized acquisition of unencrypted customer information involving at least 500 consumers. Information counts as unencrypted if the encryption key was also accessed by an unauthorized person, so encryption at rest only keeps an incident out of scope when the keys stayed out of the attacker's hands.

Notification Obligations

When a notification event occurs, covered tax preparers must notify the FTC as soon as possible and no later than 30 days after discovery, using the FTC's online reporting form. The notice must include your firm's name and contact information, a description of the types of information involved, the date or date range of the event if it can be determined, the number of consumers affected, a general description of the event, and whether a law enforcement official has requested that public disclosure be delayed. Beyond FTC notification, you must comply with applicable state breach notification laws, which vary by jurisdiction and may impose shorter timelines, broader notification requirements, or mandatory credit monitoring offers.

Coordinate with law enforcement when appropriate, particularly for breaches involving suspected criminal activity such as identity theft rings or organized fraud. The IRS asks tax professionals who suffer a data theft to report it immediately to their local IRS Stakeholder Liaison, as described in Publication 4557, and to notify the relevant state tax agencies. Form 14039, the Identity Theft Affidavit, is filed by an individual taxpayer whose identity has been misused, not by the preparer on the firm's behalf, so expect to guide affected clients through it rather than submit it yourself. Maintain detailed records of every breach, investigation, notification, and remediation action; five years is a reasonable minimum.

Building a Notification-Ready Practice

Do not wait for a breach to build your notification process. Draft template notification letters, establish relationships with legal counsel experienced in data breach response, identify your state notification obligations in advance, and maintain current contact information for all relevant regulatory bodies. Firms that prepare in advance respond faster, reduce regulatory exposure, and recover client trust more effectively. For additional guidance, the cybersecurity FAQ page addresses common questions about breach response procedures.


FTC Safeguards Rule Resources for Tax Preparers

The following resources provide authoritative guidance for tax professionals working to align their practices with the FTC Safeguards Rule and related security standards.

  • FTC / eCFR, 16 CFR Part 314: Complete text of the Standards for Safeguarding Customer Information, including all 2021 and 2023 amendments
  • IRS, Publication 4557: Safeguarding taxpayer data guidance with security checklists specific to tax professionals
  • IRS, Publication 5708: Sample Written Information Security Plan template tailored for tax preparers
  • NIST, Cybersecurity Framework (CSF) 2.0: Voluntary framework for managing cybersecurity risk; recommended alignment standard for WISP development
  • Bellator Cyber Guard: Guide connecting Preparer Tax Identification Number (PTIN) renewal to WISP compliance obligations
  • Bellator Cyber Guard: Downloadable, customizable WISP template aligned with FTC Safeguards Rule and IRS Publication 4557 requirements


Frequently Asked Questions

Who must comply with the FTC Safeguards Rule?

Any individual or business engaged in a "financial activity" as defined by the Gramm-Leach-Bliley Act must comply. This explicitly includes tax return preparers, tax advisors, enrolled agents, CPAs offering tax services, and any firm handling nonpublic personal information (NPI) such as Social Security numbers, income details, or bank account data. There is no size exemption from the Rule itself; solo practitioners with even one client are covered, although firms holding NPI on fewer than 5,000 consumers are relieved of a few written requirements (written risk assessment, penetration testing, written incident response plan, annual report).

What are the penalties for non-compliance?

The FTC enforces the Rule under the FTC Act. A first Safeguards Rule violation typically results in a consent order that mandates a documented security program, independent third-party assessments (often for 20 years), consumer notification, and detailed reporting obligations; violating such an order then exposes the firm to civil penalties adjusted annually for inflation (the per-violation maximum was $50,120 in 2023). State attorneys general may pursue additional penalties under state data protection laws. The reputational cost of a public enforcement action can also result in significant client attrition.

How does the FTC Safeguards Rule relate to IRS Publication 4557?

The FTC Safeguards Rule is a federal regulation with binding legal force; non-compliance can result in enforcement actions and penalties. IRS Publication 4557 is guidance that outlines best practices for safeguarding taxpayer data and is referenced in PTIN renewal requirements. While there is substantial overlap in their recommendations, the FTC Rule includes specific mandates (such as designating a Qualified Individual, written risk assessments, and breach notification) that go beyond Publication 4557. Most tax preparers need to comply with both simultaneously.

Do I need a Written Information Security Plan (WISP)?

Yes. The FTC Safeguards Rule requires a written information security program, which is functionally equivalent to a Written Information Security Plan (WISP). Your WISP must document your risk assessment, the safeguards you have implemented, your training program, your vendor oversight procedures, and your incident response plan. The IRS also requires preparers to confirm during PTIN renewal that they are aware of their data security obligations, including maintaining a WISP, making this a dual requirement.

How often must I update my information security program?

The FTC Safeguards Rule requires you to evaluate and adjust your security program in response to operational changes, testing results, security incidents, or changes in the threat environment. At minimum, conduct a formal annual review. In practice, you should update your program whenever you add new software or services, change vendors, experience a security incident, or identify new risks through monitoring or vulnerability assessments.

What must I do if a breach occurs?

If an unauthorized party acquires unencrypted NPI of 500 or more consumers, you must notify the FTC as soon as possible and no later than 30 days after discovery. The notification must describe the nature of the breach, the types of information involved, the number of affected consumers, and whether law enforcement has requested a delay. You must also comply with applicable state breach notification laws, which may require direct consumer notification, credit monitoring offers, and notification to state attorneys general, often with shorter deadlines than the FTC's 30-day window.

Is multi-factor authentication required?

Yes. The amended Rule requires MFA for any individual accessing information systems that contain customer NPI, unless your Qualified Individual has approved in writing an equivalent or more secure control. MFA must combine at least two of the following factors: something the user knows (password), something the user has (security token or authenticator app), or something the user is (biometric). This requirement applies to all employees, contractors, and any third parties with system access.

Who can serve as the Qualified Individual?

The Rule requires every covered entity to designate a Qualified Individual responsible for overseeing and implementing the information security program. This person does not need a specific certification, but they must have the knowledge and authority to manage your security program effectively. The Qualified Individual can be an employee, the firm owner, or an outsourced professional such as a virtual CISO; if outsourced, you must designate a senior member of your own firm to direct and oversee them, and the firm retains ultimate accountability regardless of who fills the role.

Does the Rule apply to my cloud tax software vendor?

The FTC Safeguards Rule applies to the tax preparer, not directly to the software vendor. However, when you use a cloud-based tax platform, you are responsible for ensuring that vendor adequately protects client NPI. This means conducting due diligence on the vendor's security practices, executing contracts with specific security requirements, and monitoring their compliance on an ongoing basis. Your WISP must document your vendor oversight procedures for every third party that accesses or stores client data.

How can a solo practitioner comply on a limited budget?

Solo practitioners can meet FTC requirements without enterprise-level spending. Start with the IRS's free WISP template from Publication 5708 as a foundation. Use the built-in full-disk encryption in your operating system and the encryption features of your tax software. Enable MFA on all accounts; most authenticator apps are free, and hardware security keys cost little. Conduct a self-guided risk assessment using IRS Publication 4557 checklists. Invest in a reputable endpoint protection product and keep all software updated. For areas requiring specialized expertise, such as penetration testing or incident response planning, consider engaging a cybersecurity consultant for targeted, project-based assistance rather than an ongoing retainer.
