
The FTC Safeguards Rule requires financial institutions under FTC jurisdiction, tax preparers included, to develop, implement, and maintain a comprehensive written information security program that protects customer data. Under 16 CFR Part 314, covered entities must deploy administrative, technical, and physical safeguards appropriate to their size, complexity, the nature of their activities, and the sensitivity of the nonpublic personal information (NPPI) they handle. Non-compliance exposes tax professionals to federal enforcement actions, state-level penalties, and breach costs that IBM's Cost of a Data Breach Report 2024 puts at an average of $4.88 million across all organizations surveyed. This guide gives tax preparers a detailed checklist for meeting the Rule's requirements while protecting client data and the practice itself.
Key Takeaway
How the FTC Safeguards Rule applies to tax preparers, and a compliance checklist covering risk assessment, access controls, encryption, monitoring and testing, incident response, and breach notification.
Understanding the FTC Safeguards Rule: Legal Foundation and Scope
The FTC Safeguards Rule, formally titled the Standards for Safeguarding Customer Information (16 CFR Part 314), was issued under the Gramm-Leach-Bliley Act (GLBA) to ensure that financial institutions protect the security, confidentiality, and integrity of customer information. The original Rule took effect in 2003. It was substantially amended in December 2021, with most of the new prescriptive requirements (Qualified Individual, encryption, MFA, written risk assessment, testing) taking effect on June 9, 2023, and a breach notification requirement added in 2023 took effect on May 13, 2024. The Rule now imposes specific technical and procedural requirements on covered entities rather than the general "reasonable safeguards" standard of the original.
Tax preparers fall under the FTC Safeguards Rule because the GLBA and the FTC's implementing regulations treat tax preparation as a financial activity, and a business significantly engaged in such an activity is a "financial institution." When you collect Social Security numbers, income details, bank account information, or other NPPI to prepare returns, you are a financial institution under FTC jurisdiction. The FTC's own guidance names tax preparers explicitly, alongside mortgage brokers, payday lenders, and other non-bank financial institutions; the same safeguards program requirements apply whether you are a national firm or a solo practice, subject only to the limited small-practice exceptions noted below.
Key FTC Safeguards Rule Applicability Factors for Tax Preparers
NPPI Collection & Storage
Collection, storage, or transmission of NPPI (Social Security numbers, tax identification numbers, financial account details)
Volume Thresholds
Volume of customer information held (the Rule's exceptions turn on whether you maintain information on fewer than 5,000 consumers; larger practices must meet the full set of requirements)
Third-Party Services
Use of third-party service providers (cloud tax software, document storage, payment processors)
IRS Authorization
Classification as an "authorized IRS e-file provider" subject to [IRS Publication 4557 security standards](https://bellatorcyber.com/blog/irs-pub-4557/)
Why Tax Preparers Must Prioritize FTC Safeguards Rule Compliance
Tax professionals handle some of the most sensitive personal and financial data available—Social Security numbers, employer identification numbers, wage and income statements, bank account details, investment records, and dependent information. This data concentration makes tax preparation firms highly attractive targets for cybercriminals seeking to commit identity theft, file fraudulent returns, and monetize stolen credentials on the dark web.
The FTC Safeguards Rule recognizes this risk profile and establishes mandatory baseline security controls. Beyond regulatory compliance, implementing these safeguards provides tangible business benefits including reduced breach risk, enhanced client trust, competitive differentiation, lower cyber insurance premiums, and operational resilience during tax season's critical periods.
Critical Cost Impact
The average cost of a data breach reached $4.88 million in 2024, with healthcare and financial services among the sectors with the highest average breach costs (IBM Security Cost of a Data Breach Report 2024). That figure is a global average across organizations of all sizes; a small practice's absolute cost is lower, but notification, forensics, and lost clients during filing season can still be existential.
Pro Tip
If your practice maintains customer information for fewer than 5,000 consumers, 16 CFR § 314.6 exempts you from four requirements: the written risk assessment, annual penetration testing and semiannual vulnerability scanning (or continuous monitoring), the written incident response plan, and the Qualified Individual's annual written report to management. You must still designate a Qualified Individual, encrypt data at rest and in transit, enforce MFA, train staff, oversee service providers, dispose of data securely, and report notification events to the FTC.
Conduct and Document a Comprehensive Written Risk Assessment
The FTC Safeguards Rule requires a documented, periodic risk assessment that identifies reasonably foreseeable internal and external threats to the security, confidentiality, and integrity of customer information. Your assessment must evaluate:
- Asset Inventory: Catalog all systems, applications, and physical locations where NPPI is collected, stored, processed, or transmitted—including workstations, servers, cloud platforms, mobile devices, and paper files.
- Threat Identification: Document potential threats such as phishing attacks, ransomware, insider threats, lost or stolen devices, unauthorized access, and natural disasters.
- Vulnerability Analysis: Assess weaknesses in your current controls—outdated software, lack of MFA, unencrypted backups, insufficient employee training, weak passwords.
- Likelihood and Impact: Prioritize risks based on probability of occurrence and potential damage (regulatory fines, client notification costs, reputational harm, business interruption).
According to the IRS Tax Security 2.0 initiative, tax preparers should align their risk assessments with Revenue Procedure 2007-40 and the NIST Cybersecurity Framework to ensure comprehensive coverage of technical, administrative, and physical controls.
Practices maintaining information for 5,000 or more consumers must produce a written risk assessment. Smaller practices should still document their assessment process even if exempted from this specific requirement, as documentation demonstrates good-faith compliance efforts and provides valuable evidence in the event of regulatory inquiry or litigation.
Design and Implement Risk-Based Safeguards
Based on your risk assessment findings, you must design and implement safeguards to control identified risks. The FTC Safeguards Rule specifies minimum technical requirements that all covered tax preparers must deploy:
Access Controls and Authentication
- Role-Based Access Control (RBAC): Grant access to NPPI only to employees whose job functions require it. Implement least-privilege principles—tax preparers access client returns; administrative staff access scheduling systems.
- Multi-Factor Authentication (MFA): Require at least two of the three factor types (something you know, something you have, something you are) for any user accessing any system that holds customer information, including remote access, email, and the tax software itself. Authenticator apps (Google Authenticator, Microsoft Authenticator), hardware tokens, and biometrics are preferred; SMS codes satisfy the Rule but are the weakest option because they can be intercepted through SIM swapping and real-time phishing, so use them only where nothing stronger is supported.
- Strong Password Policies: Enforce a minimum length (12+ characters) and complexity, prohibit reuse across systems, screen new passwords against lists of known-breached passwords, and mandate a change after suspected compromise rather than on a fixed calendar schedule (forced periodic rotation drives predictable patterns and is no longer recommended by NIST SP 800-63B).
- Session Timeouts: Configure automatic screen locking and session termination after 5–10 minutes of inactivity so that an unattended workstation or open portal session cannot be used by a walk-up visitor.
Multi-factor authentication is one of the most effective single controls available: Microsoft's research has reported that it blocks more than 99.9% of automated account-compromise attacks, which is why the Rule makes it mandatory rather than optional.
Encryption Requirements
The FTC Safeguards Rule mandates encryption of customer information at rest and in transit over external networks; where you determine encryption is infeasible, you may use effective compensating controls, but they must be reviewed and approved by your Qualified Individual and the justification documented:
- Data at Rest: Encrypt all NPPI stored on workstations, laptops, servers, external drives, and backup media with AES-256 or an equivalent modern cipher. Enable full-disk encryption via BitLocker (Windows) or FileVault (macOS). Note that BitLocker defaults to XTS-AES-128 unless you set the 256-bit method by policy before encrypting a drive; either is acceptable, but what matters is that every drive and backup is encrypted and the recovery keys are escrowed somewhere you control (Active Directory, Entra ID, or an offline store). Full-disk encryption protects a powered-off device only, so exported files, backups, and archives need their own encryption. For detailed implementation guidance, see our IRS Security Six encryption requirements resource.
- Data in Transit: Require TLS 1.2 or higher (TLS 1.3 where supported) for all web-based communications, client portals, e-file transmissions, and remote access, and disable FTP, HTTP, and Telnet. Email is the common gap: encryption between mail servers is usually opportunistic and not under your control, so send returns and NPPI through the client portal or as encrypted attachments, never as plain email attachments.
- Encryption Key Management: Store encryption keys and recovery keys separately from the data they protect, restrict access to them to named individuals, rotate keys on a schedule and after any suspected exposure, and test that a backup can actually be restored with its key before you need it.
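Full-disk encryption covers a drive while the machine is off; the moment a record is exported, emailed, or backed up it needs its own protection. The Go program below is an added example (not code from this page or from any tax product) of what "encrypt at rest with the key stored separately" looks like in practice: AES-256-GCM with a random per-record nonce, the client identifier bound in as associated data so a blob cannot be silently swapped between clients, and tamper detection on decryption. The record, the `client-1042` label, and the key source are constructed for illustration; in a deployment the key would come from an OS keychain or key vault, not a file next to the data.

```go
// Added example, not code from the original page: AES-256-GCM encryption of a
// client record with the data-encryption key held apart from the ciphertext.
// The record contents, the "client-1042" label and the key source are
// constructed for illustration.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256 uses a 32-byte key

// newKey returns a random 256-bit data-encryption key. In a real deployment
// this value lives in an OS keychain, key vault or HSM, never next to the
// files it protects (the "keys separate from data" rule above).
func newKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord seals plaintext under key and returns nonce || ciphertext || tag.
// aad (for example the client identifier) is authenticated but not encrypted,
// so a blob renamed to another client's file fails to open.
func encryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decryptRecord opens a blob produced by encryptRecord. Any change to the blob,
// the key or the aad fails the GCM tag check and returns an error instead of
// silently yielding garbage.
func decryptRecord(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real taxpayer data.
	record := []byte("client=1042;ssn=***-**-1234;refund=1875.00")
	aad := []byte("client-1042")

	blob, err := encryptRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d plaintext bytes as a %d-byte blob\n", len(record), len(blob))

	// Flip one bit of the stored blob: the tag check rejects it.
	blob[len(blob)-1] ^= 0x01
	if _, err := decryptRecord(key, blob, aad); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The key never appears in the output, so losing it makes the data unrecoverable; that is exactly why key escrow belongs in the key-management procedure above. GCM's authentication tag means a corrupted backup, a bit-flipped file, or a blob copied under another client's label fails loudly on decryption rather than producing plausible-looking garbage.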
Secure Development and Change Management
- Implement procedures to evaluate and address security during system development, acquisition, and maintenance.
- Test security controls before deploying new software, updates, or configuration changes.
- Maintain change logs documenting who made changes, when, and why.
Logging, Monitoring, and Disposal
- Activity Logging: Enable detailed logs on firewalls, servers, tax software, VPN and remote-access services, and authentication systems (including cloud identity providers), and send them to a central location a local attacker cannot erase. The Rule sets no fixed retention period; keep at least 12 months so an investigation can see a full filing season and so the FTC's 30-day notification clock can be answered with facts rather than guesses.
- Continuous Monitoring: Deploy automated tools (endpoint detection and response, identity-provider alerting, a SIEM or managed detection service) to detect repeated failed logins, logins from new locations, malware, unauthorized file access, and configuration changes, and define who reviews the alerts and how quickly.
- Secure Disposal: Per 16 CFR § 314.4(c)(6), securely dispose of customer information no later than two years after the last date it was used to provide a product or service to the customer, unless retention is necessary for business operations or other legitimate business purposes, required by law or regulation, or targeted disposal is not reasonably feasible. Legal retention obligations take precedence: preparers must already keep a copy or list of returns for three years under IRC § 6107(b), so the two-year clock applies to data outside that obligation. Use cross-cut shredders for paper and certified data-destruction services for electronic media, and keep the certificates of destruction.
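"Detect suspicious login attempts" is only actionable once you decide what suspicious means. The Go program below is an added example, not code from this page or from any tax software, of the simplest useful rule: a threshold of failed logins from one source address inside a sliding time window, plus a flag when that same address then logs in successfully (the signature of a guessed or stuffed credential). The log format and every event in it are constructed; replace `parseLine` with a parser for whatever your portal, VPN, or tax software actually records.

```go
// Added example, not from the original page: failed-login burst detection over
// constructed authentication log lines. Adapt parseLine to your real log format.
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample, not a real log: RFC 3339 timestamp, OK or FAIL, username
// tried, source address. 203.0.113.7 is a fast burst; 192.0.2.10 spreads the
// same number of guesses over six hours to stay under a short-window threshold.
const sampleLog = `2024-03-11T08:01:10Z FAIL user=jsmith ip=203.0.113.7
2024-03-11T08:01:12Z FAIL user=mlee ip=203.0.113.7
2024-03-11T08:01:15Z FAIL user=pgarcia ip=203.0.113.7
2024-03-11T08:01:17Z FAIL user=admin ip=203.0.113.7
2024-03-11T08:01:30Z OK user=pgarcia ip=203.0.113.7
2024-03-11T09:30:00Z FAIL user=mlee ip=192.0.2.10
2024-03-11T11:30:00Z FAIL user=mlee ip=192.0.2.10
2024-03-11T13:30:00Z FAIL user=mlee ip=192.0.2.10
2024-03-11T15:30:00Z FAIL user=mlee ip=192.0.2.10`

type event struct {
	at       time.Time
	ok       bool
	user, ip string
}

// alert describes one source address that exceeded the failure threshold.
type alert struct {
	IP        string
	Failures  int  // failed logins inside the densest window
	Succeeded bool // a login from the address succeeded at or after the burst
}

func parseLine(line string) (event, error) {
	f := strings.Fields(line)
	if len(f) != 4 || (f[1] != "OK" && f[1] != "FAIL") {
		return event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return event{}, err
	}
	return event{at, f[1] == "OK", strings.TrimPrefix(f[2], "user="), strings.TrimPrefix(f[3], "ip=")}, nil
}

// detectBursts flags every source address with at least threshold failed logins
// inside any window of the given length. The window matters: a short one catches
// credential stuffing, a long one catches slow, spaced-out password guessing.
func detectBursts(log string, threshold int, window time.Duration) ([]alert, error) {
	byIP := map[string][]event{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		byIP[ev.ip] = append(byIP[ev.ip], ev)
	}
	var alerts []alert
	for ip, evs := range byIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
		var fails []event
		var lastOK time.Time
		for _, ev := range evs {
			if ev.ok {
				lastOK = ev.at
			} else {
				fails = append(fails, ev)
			}
		}
		// Sliding window over the time-ordered failures; remember the densest one.
		start, best := 0, 0
		var burstEnd time.Time
		for end := range fails {
			for fails[end].at.Sub(fails[start].at) > window {
				start++
			}
			if n := end - start + 1; n >= threshold && n > best {
				best, burstEnd = n, fails[end].at
			}
		}
		if best == 0 {
			continue
		}
		succeeded := !lastOK.IsZero() && !lastOK.Before(burstEnd)
		alerts = append(alerts, alert{IP: ip, Failures: best, Succeeded: succeeded})
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].IP < alerts[j].IP })
	return alerts, nil
}

func main() {
	alerts, err := detectBursts(sampleLog, 4, 10*time.Hour) // a 5-minute window misses 192.0.2.10
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", alerts)
}
```

Run it with two windows to see why the parameter matters: a 5-minute window catches the burst from 203.0.113.7 (and flags the success that followed it) but misses 192.0.2.10, which spaces its four guesses two hours apart; a 10-hour window catches both. Low-and-slow guessing is why log retention matters as much as real-time alerting, and the "success after burst" signal is the one that should page someone immediately rather than wait for the weekly review.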
Encryption Mandate
16 CFR § 314.4(c)(3) requires you to protect by encryption all customer information you hold or transmit, both in transit over external networks and at rest. To the extent you determine that encryption is infeasible, you may instead secure the information with effective alternative compensating controls, but those controls must be reviewed and approved by your Qualified Individual, and the justification should be written down. (Paraphrase of the Rule's text, not a verbatim quotation.)
Monitor and Test the Effectiveness of Your Safeguards
The FTC Safeguards Rule requires regular monitoring and testing of the effectiveness of your safeguards. Practices with 5,000 or more consumers must conduct:
- Annual Penetration Testing: Engage a qualified penetration tester (in-house staff with the right skills or, more commonly for a small practice, a third-party firm) to simulate real-world attacks against your network perimeter, client portal and web applications, remote-access services, and internal systems. Document findings, prioritize remediation by risk level, and retest after implementing fixes.
- Semiannual Vulnerability Assessments: Run vulnerability scans at least every six months and after any material change to your network or systems, and treat the scan output as a work queue in which each finding has an owner and a due date. Tools that support the Security Content Automation Protocol (SCAP) can check for missing patches, misconfigurations, and weak encryption against published baselines.
- Continuous Monitoring (Alternative): If you implement continuous monitoring and testing of your safeguards, you may substitute it for the periodic penetration and vulnerability testing requirements.
Practices with fewer than 5,000 consumers are exempt from the penetration testing and vulnerability assessment requirements but must still monitor system performance and security events to detect anomalies.
Incident Response Plan Requirements
Incident Response Team (IRT)
Designate roles—IT lead, legal counsel, communications officer, senior partner—with clear responsibilities for detection, containment, eradication, recovery, and post-incident review.
Incident Classification
Define categories (data breach, ransomware, phishing, DDoS, insider threat) and severity levels (critical, high, medium, low) to prioritize response.
Containment Procedures
Document steps to isolate affected systems, revoke compromised credentials, disable network segments, and preserve forensic evidence.
Recovery Steps
Specify how to restore from encrypted backups, rebuild compromised endpoints, verify data integrity, and return to normal operations.
Notification Protocols
Outline timelines and procedures for notifying the FTC, affected clients, state attorneys general, and law enforcement. Include template breach notification letters and contact lists.
Post-Incident Review
Conduct a "lessons learned" meeting after every significant incident to update policies, retrain staff, and improve controls.
A documented incident response plan (IRP) is mandatory under the FTC Safeguards Rule for practices maintaining information for 5,000 or more consumers. For a comprehensive guide to building an effective IRP tailored to tax practices, consult our incident response plan resource.
Critical Compliance Alert
If your practice experiences a "notification event"—unauthorized acquisition of unencrypted information for at least 500 consumers—you must notify the FTC electronically as soon as possible and no later than 30 days after discovery. Failure to report within this window may result in additional penalties and enforcement actions. This breach notification requirement became effective May 13, 2024.
Provide Ongoing Security Training for All Personnel
Your employees are the first line of defense—and often the weakest link—in your security posture. The FTC Safeguards Rule requires training for all personnel whose responsibilities involve handling customer information. Effective training programs should include:
- Security Awareness Fundamentals: Teach staff to recognize phishing emails, social engineering tactics, suspicious attachments, and fake login pages. According to the 2024 Verizon Data Breach Investigations Report, 68% of breaches involve a human element.
- Data Handling Procedures: Instruct employees on secure file storage, proper disposal of paper documents (cross-cut shredders for any document containing NPPI), use of locked cabinets, and screen-locking protocols.
- Incident Reporting: Establish clear escalation procedures for reporting potential security incidents—lost laptops, suspicious login alerts, unexpected system behavior—and ensure staff know whom to contact immediately (IT lead, Qualified Individual, or IRT).
- Role-Based Training: Tailor training to specific responsibilities—front-desk personnel learn secure client intake; tax preparers learn secure portal workflows; IT staff learn firewall configuration and intrusion detection.
- Simulated Phishing Tests: Conduct quarterly phishing simulations and use results to provide targeted remedial training for users who click malicious links or provide credentials.
Document all training sessions with attendance logs, training materials, evaluation results, and follow-up actions. Retain these records for at least two years to demonstrate compliance during audits.
Oversee and Manage Third-Party Service Providers
Many tax preparers rely on third-party vendors: cloud tax software platforms (Drake, ProSeries, and similar), document storage and client-portal services (SmartVault and similar), payment processors, and IT support companies. Anyone who can reach your clients' NPPI, including a managed service provider with remote administrative access, is a service provider under the Rule, which requires you to:
- Select Competent Providers: Perform due diligence before onboarding any vendor. Request security questionnaires covering encryption standards, access controls, incident response capabilities, and compliance certifications (SOC 2 Type II, ISO 27001, NIST compliance). Understanding the differences between cybersecurity and IT service providers is critical when evaluating vendors.
- Contractual Requirements: Include data protection addendums in all service agreements that require vendors to implement security measures at least as stringent as your own. Mandate breach notification within 24–48 hours, grant your practice the right to audit vendor security annually, and require secure return or deletion of NPPI upon contract termination.
- Ongoing Monitoring: Request annual security attestation reports (SOC 2 Type II), penetration-testing results, and vulnerability scan summaries. Conduct quarterly review meetings to discuss changes in vendor security posture, new product features, or emerging threats.
- Access Restrictions: Grant vendors only the minimum access necessary—narrow user accounts, scoped API tokens, or dedicated service accounts. Isolate vendor connections through VLANs, VPN tunnels, or zero-trust network architecture to prevent lateral movement in case of vendor compromise.
Maintain and Update Your Information Security Program
The FTC Safeguards Rule requires your information security program to be a living document that evolves with your practice, technology landscape, and threat environment. You must:
- Conduct Annual Program Reviews: Reassess your Written Information Security Plan (WISP) at least annually and whenever significant changes occur (new tax software, cloud migration, office expansion, merger/acquisition). For a turnkey solution, download our free IRS WISP template.
- Incorporate Lessons Learned: Update policies and controls based on incident post-mortems, penetration-test findings, employee feedback, and new regulatory guidance from the FTC, IRS, or NIST.
- Document Changes: Maintain version control for your WISP, data security policies, and incident response plan. For each revision, note the date, author, and summary of changes to create a clear audit trail.
- Stay Current with Threats: Subscribe to CISA advisories (which absorbed the former US-CERT alerts), the IRS e-News for Tax Professionals, and IRS Security Summit alerts to receive early warning of campaigns targeting tax professionals, such as phishing that impersonates the IRS, state tax agencies, or tax-software vendors.
FTC Safeguards Rule Compliance Checklist
Designate a Qualified Individual
Employee, affiliate, or contractor with documented authority and annual reporting to senior management
Conduct Written Risk Assessment
Document comprehensive risk assessment identifying assets, threats, vulnerabilities, and prioritized risks
Develop Written Information Security Plan (WISP)
Cover access controls, encryption, monitoring, training, vendor management, incident response, and disposal
Implement Role-Based Access Control (RBAC)
Enforce least-privilege principles for all systems handling NPPI
Deploy Multi-Factor Authentication (MFA)
For all user accounts accessing customer information
Encrypt NPPI at Rest and in Transit
Use full-disk encryption (BitLocker, FileVault; configure AES-256 where the platform allows it) and TLS 1.2+ or VPN
Enable Activity Logging
On firewalls, servers, authentication systems, and tax software; retain logs for 12+ months
Conduct Security Testing
Annual penetration testing and semiannual vulnerability assessments (or implement continuous monitoring)
Deploy Endpoint Protection
EDR or antivirus with real-time threat protection on all devices
Provide Security Training
Annual security awareness training; quarterly simulated phishing tests
Establish Vendor Oversight
Security questionnaires, contractual safeguards, SOC 2 reviews, periodic audits
Create Incident Response Plan
Written plan with defined roles, containment procedures, and notification protocols
Implement Secure Disposal
Cross-cut shredders for paper, certified data destruction for electronic media
Configure Session Timeouts
Automatic session timeouts (5–10 minutes) and screen-locking on all workstations
Maintain Encrypted Backups
Stored offline (air-gapped) or in immutable cloud storage
Review and Update Annually
WISP and security policies annually or after significant changes
Breach Notification and Reporting Requirements Under the FTC Safeguards Rule
Understanding the Notification Event Threshold
Effective May 13, 2024, the FTC Safeguards Rule requires covered financial institutions—including tax preparers—to report a "notification event" to the FTC. A notification event occurs when there is unauthorized acquisition of unencrypted customer information affecting at least 500 consumers. This includes situations where encrypted information was acquired along with the means to decrypt it (such as the encryption key).
Reporting Timeline and Procedures
If your practice experiences a notification event, you must:
- Notify the FTC Electronically: Submit the notification through the form on the FTC's website as soon as possible and no later than 30 days after discovering the event. The Rule requires the name and contact information of the reporting institution, a description of the types of information involved, the date or date range of the event if it can be determined, the number of consumers affected or potentially affected, a general description of the event, and whether a law enforcement official has provided a written determination that public notification would impede an investigation. Keep your own record of remediation steps; you will need it for client notices and any follow-up inquiry.
- Law Enforcement Coordination: If a law enforcement official provides a written determination that notifying the public would impede a criminal investigation, the FTC notification may be delayed for up to 30 days, extended by up to 60 additional days if the official requests the extension in writing. Any further delay requires FTC staff to determine that public disclosure would still impede the investigation.
- State Notification Laws: Every state has a breach notification statute, and many require notice to affected individuals within 30–60 days of discovery (others say "without unreasonable delay"). Above state-specific thresholds (commonly 500 affected residents for the state attorney general and 1,000 for the consumer reporting agencies Equifax, Experian, and TransUnion) you may also need to notify those parties. Check the statute for every state in which affected clients reside, not just the state where your office is.
- IRS and State Tax Agency Notification: Report data theft immediately to your local IRS Stakeholder Liaison or through the e-Services "Secure Protect Our Systems" (SPOS) portal, and to affected state tax agencies through the Federation of Tax Administrators (StateAlert@taxadmin.org), so that fraudulent returns filed in your clients' names can be flagged before refunds are issued.
Breach Notification Requirements
| Notification | Timeline | Authority |
|---|---|---|
| FTC (notification event affecting 500+ consumers) | As soon as possible, no later than 30 days after discovery | 16 CFR § 314.4(j) |
| Affected individuals | 30–60 days (varies by state; some require notice "without unreasonable delay") | State data breach statutes |
| State attorney general (threshold commonly 500+ state residents) | Concurrent with individual notification | State data breach statutes |
| Consumer reporting agencies (threshold commonly 1,000+ individuals) | Concurrent with individual notification | State data breach statutes |
| IRS Stakeholder Liaison (or SPOS portal) and state tax agencies | Immediately upon discovery | IRS Publication 4557 guidance |
Record Retention for Breach Documentation
Maintain comprehensive records of all security incidents and breach responses for at least two years (or longer as required by state law). Your documentation should include:
- Incident tickets, forensic reports, and containment timelines
- Copies of breach notification letters sent to clients, regulatory filings, and communications with law enforcement
- Post-incident review notes documenting lessons learned and updated controls
- Forensic artifacts (disk images, memory dumps, log files) for potential legal investigation and future threat intelligence
Frequently Asked Questions
Who is covered by the FTC Safeguards Rule?
The FTC Safeguards Rule applies to financial institutions under FTC jurisdiction, including tax preparers, mortgage lenders, payday lenders, check cashers, collection agencies, certain investment advisors, and finders. If your practice collects, stores, or transmits nonpublic personal information (NPPI) such as Social Security numbers, income details, or bank account information, you are covered. Authorization as an IRS e-file provider further subjects you to overlapping requirements under IRS Publication 4557.
What happens if my practice does not comply?
The FTC can bring enforcement actions for Safeguards Rule violations. These typically end in consent orders that impose a mandated security program, independent third-party assessments for years afterward, and ongoing compliance monitoring; violating such an order carries civil penalties of tens of thousands of dollars per violation. Non-compliance also exposes your practice to state-level fines, private lawsuits from affected clients, loss of e-file authorization or professional credentials, and reputational damage that may permanently harm your business. Data breaches resulting from inadequate safeguards cost an average of $4.88 million across all organizations surveyed, according to the IBM 2024 Cost of a Data Breach Report.
How does the FTC Safeguards Rule relate to IRS Publication 4557?
The FTC Safeguards Rule is a federal regulation under the Gramm-Leach-Bliley Act that applies broadly to financial institutions, including tax preparers. IRS Publication 4557 provides specific guidance for tax professionals and details the IRS's expectations for safeguarding taxpayer data. The two overlap significantly (both call for encryption, MFA, risk assessments, and incident response), but Pub 4557 adds IRS-specific expectations such as protecting e-Services and Secure Object Repository access and reporting data theft to the IRS Stakeholder Liaison or through the SPOS portal. Authorized e-file providers must satisfy both; preparers who do not e-file must still comply with the FTC Rule.
Who can serve as the Qualified Individual?
The FTC Safeguards Rule requires you to designate a "Qualified Individual" to oversee your information security program. This person may be an employee, an affiliate, or a contracted service provider, but they must have the knowledge, experience, and authority to implement and enforce security policies. Solo practitioners and small firms with limited budgets can designate an experienced IT consultant or managed security service provider (MSSP) as their Qualified Individual. However, you remain legally responsible for the adequacy of your program even if you outsource the role, and you must retain responsibility for the program and provide direction and oversight to the provider. Many small practices benefit from partnering with a specialized tax-focused cybersecurity provider who understands both FTC and IRS requirements.
How often do I need to perform a risk assessment?
The FTC Safeguards Rule requires a risk assessment at the outset and periodic reassessment as your practice changes, for example when you deploy new tax software, migrate to the cloud, open a new office, or experience a security incident. Best practice is to perform a comprehensive risk assessment at least annually and to conduct targeted assessments whenever you onboard a new vendor, upgrade infrastructure, or change operational procedures. Document each assessment with dates, methodologies, findings, and remediation timelines, and retain these records for audit purposes.
What is a "notification event" and when must I report it?
A "notification event" under the FTC Safeguards Rule is the unauthorized acquisition of unencrypted customer information (or of encrypted information together with the means to decrypt it) involving at least 500 consumers. If your practice experiences a notification event, you must report it to the FTC electronically as soon as possible and no later than 30 days after discovery. This requirement took effect on May 13, 2024 and applies to all covered financial institutions regardless of size, including practices that qualify for the small-practice exceptions.
Are there exceptions for small practices?
Yes. The FTC Safeguards Rule provides limited exceptions for financial institutions that maintain customer information for fewer than 5,000 consumers. These practices are not required to produce a written risk assessment, conduct semiannual vulnerability assessments and annual penetration testing, maintain a written incident response plan, or have the Qualified Individual deliver an annual written report to management. They must still designate a Qualified Individual, implement encryption at rest and in transit, deploy multi-factor authentication, assess risk, provide employee training, oversee service providers, dispose of data securely, report notification events, and comply with all other core safeguards requirements.
By implementing the controls outlined in this guide, documenting your program in a comprehensive WISP, and staying current with evolving regulatory guidance, you put your tax preparation practice in a position to meet the FTC Safeguards Rule's requirements while building a security-first culture that protects client data and strengthens client trust. Compliance is not a one-time project; it is an ongoing commitment to vigilance, adaptation, and continuous improvement in the face of persistent and evolving cyber threats.