
FTC Safeguards Rule for Tax Return Preparers (2026)

The FTC Safeguards Rule applies to every tax return preparer. Learn the 9 required elements, who qualifies, and how to build a compliant security program today.

By Bellator Cyber Guard

Who the FTC Safeguards Rule Covers — and Why Tax Preparers Are Not Exempt

If you prepare federal or state tax returns for clients, the Federal Trade Commission (FTC) Safeguards Rule applies to your practice. It does not matter whether you operate as a solo preparer out of a home office, a seasonal tax service, or a multi-preparer firm. Under the Gramm-Leach-Bliley Act (GLBA) and its implementing regulation, 16 CFR Part 314, tax return preparers are explicitly classified as financial institutions — businesses that are significantly engaged in financial activities.

The FTC finalized substantial amendments to the Safeguards Rule in October 2021, and the most demanding provisions became enforceable on June 9, 2023. Many tax professionals remain unaware of these obligations or assume that small practice size grants them an exemption. It does not. Every tax return preparer who handles nonpublic personal information (NPI) — which includes names, Social Security numbers, income data, and filing status — must implement a written information security program that meets the rule's specific requirements.

This guide breaks down exactly what the FTC Safeguards Rule requires of a tax return preparer, what the nine mandatory program elements are, how the rule interacts with IRS Publication 4557, and what enforcement looks like in practice. If you are looking to build or audit your current program, start with our free WISP template for 2026 built to satisfy both FTC and IRS requirements.

Tax Preparer Data Security: By the Numbers

  • $4.88M: average cost of a data breach (IBM Cost of a Data Breach Report, 2024)
  • $51,744: maximum FTC civil penalty per violation per day under 15 U.S.C. § 45(m), 2024 inflation adjustment (see the enforcement section below for how it applies to Safeguards Rule cases)
  • 1 in 3: tax firms targeted by phishing (IRS Security Summit, 2024 Tax Professional Threat Report)

What the FTC Safeguards Rule Actually Requires

The FTC Safeguards Rule mandates that every covered financial institution — including tax return preparers — develop, implement, and maintain a written information security program. This is not a checkbox exercise. The program must be tailored to the size, complexity, and sensitivity of the information your practice handles, and it must address nine specific elements spelled out in 16 CFR § 314.4.

Think of the rule as a framework rather than a rigid prescription. A two-person tax office is not expected to build the same controls as a bank — but both are expected to have a proportionate, documented program that identifies risks and addresses them systematically.

The Nine Required Elements (16 CFR § 314.4)

  1. Designate a Qualified Individual (QI): Name one person responsible for overseeing your information security program. This can be an employee, an affiliate, or a qualified third-party service provider with the knowledge, skills, and experience to manage the program effectively.
  2. Conduct a written risk assessment: Identify foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, and assess whether your current safeguards adequately control those risks.
  3. Design and implement safeguards: Based on your risk assessment, put controls in place. The rule specifies eight categories of required safeguards, detailed in the section below.
  4. Regularly monitor and test safeguards: Implement continuous monitoring or conduct periodic testing of key controls, systems, and procedures to verify they are functioning as intended.
  5. Train and manage staff: All personnel with access to customer information must receive security awareness training. Training must be updated as threats evolve — once at hire is not sufficient.
  6. Oversee service providers: Select and retain service providers that maintain appropriate safeguards, and require that by contract. This includes cloud storage providers, tax software vendors, and payroll processors.
  7. Keep the program current: Evaluate and update your program whenever your operations, technology, or threat environment changes materially — not just on an annual review cycle.
  8. Create a written incident response plan: Document how your practice will respond to and recover from a security event. Note: under 16 CFR § 314.6, practices holding customer information on fewer than 5,000 consumers are exempt from putting this plan in writing, along with three other provisions (the written form of the risk assessment, the annual penetration test and six-monthly vulnerability assessment schedule, and the annual report). IRS and state obligations, and the FTC's own breach-notification requirement in § 314.4(j), still apply.
  9. Report to the board or senior officer at least annually: Your Qualified Individual must present a written report on the overall status of the information security program to your board of directors or, if you have no board, to a senior officer. This requirement is also waived under § 314.6 for practices below the 5,000-consumer threshold.

Small Practice Does Not Mean Exempt Practice

The FTC Safeguards Rule applies to all tax return preparers regardless of size. The scaling provision, 16 CFR § 314.6, relieves institutions that hold customer information on fewer than 5,000 consumers of four specific provisions: the requirement that the risk assessment be written (a risk assessment is still required), the continuous-monitoring or annual penetration test and six-monthly vulnerability assessment schedule (key controls must still be tested), the written incident response plan, and the annual report to the board or a senior officer. Everything else, including the designated Qualified Individual, the eight safeguards, staff training, service provider oversight, and keeping the program current, is required of every covered tax preparer operating today.

The Eight Technical and Operational Safeguards Required

Element three of the Safeguards Rule is where most tax practices fall short. The rule specifies eight categories of safeguards that your information security program must address under 16 CFR § 314.4(c). These are baseline requirements, not optional enhancements.

Access Controls

Limit access to customer information to only those employees who need it to perform their jobs. Implement role-based access controls and ensure that access is revoked promptly when an employee leaves or changes roles. Every user account should have the minimum permissions necessary — a principle known as least privilege.

Data Inventory and Classification

You must know where customer information lives. That means mapping all systems, databases, paper files, portable drives, and cloud storage that contain nonpublic personal information. Without a data inventory, you cannot protect what you cannot locate. Our guide on tax document encryption requirements provides a practical starting point for this exercise.

Encryption

Customer information must be encrypted both in transit, when sent over the internet or by email, and at rest, when stored on servers, laptops, and backup media. The FTC does not mandate a specific algorithm; NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices) calls for FIPS-approved algorithms, and AES with 256-bit keys is the usual choice. Unencrypted tax files sent as email attachments remain one of the most common exposures in small practices: a plaintext copy sits in the sender's and the recipient's mailboxes indefinitely, so a single compromised email account (MITRE ATT&CK T1114, Email Collection) yields every return ever sent, and the opportunistic TLS between mail servers gives no guarantee against interception on the way (T1557, Adversary-in-the-Middle). Deliver returns through an encrypted client portal or, at minimum, as an encrypted archive with the password sent over a different channel.

Multi-Factor Authentication

The Safeguards Rule explicitly requires Multi-Factor Authentication (MFA) for any individual accessing any information system that holds customer information. This is one of the most specific technical mandates in the rule. The only exception is that the Qualified Individual may approve, in writing, reasonably equivalent or more secure access controls in place of MFA; keep that written approval with your compliance records. MFA must be implemented on tax software portals, email systems, cloud storage, and any remote access tools your practice uses, and phishing-resistant factors (FIDO2 security keys or passkeys) should be preferred over SMS codes wherever a platform supports them. See our detailed MFA setup guide for tax professionals for implementation steps by platform.

Secure Disposal

When customer information is no longer needed, it must be disposed of securely, and the rule sets a clock: 16 CFR § 314.4(c)(6) requires disposal no later than two years after the last date the information is used to serve the client, unless it is needed for legitimate business purposes, required to be retained by law (for example, § 6107 of the Internal Revenue Code requires preparers to keep a copy of each return, or a list of returns prepared, for three years), or targeted disposal is not reasonably feasible. For digital records, secure disposal means overwriting or cryptographic erasure; deleting a file does not remove it from storage media. For paper records, cross-cut shredding is the minimum acceptable standard. Retention schedules, and the legal basis for anything kept past two years, should be documented in your WISP.
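The inventory and disposal steps above can be mechanised for the file-based part of a practice. The following Python script is an added example, not code from the original article: it walks a directory tree, counts SSN- and EIN-shaped strings in each file to build the data inventory, and flags files whose last use is more than two years back as candidates for the disposal procedure. The directory layout, file contents and ages are constructed for the demonstration, and file modification time is used as a stand-in for the rule's "last date used"; a real practice should drive the two-year clock from its engagement records and retention schedule, not the filesystem.

```python
"""Build a data inventory of files that appear to hold client NPI and flag
the ones past the two-year disposal window in 16 CFR 314.4(c)(6).

Added example, not from the original article. The directory layout, file
contents and ages are constructed; file modification time stands in for
"last date used", which a real practice should take from its engagement
records rather than the filesystem.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

# SSN pattern with the structural exclusions SSA applies to issued numbers:
# area 000, 666 and 900-999, group 00 and serial 0000 are never assigned.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Employer identification number: two digits, hyphen, seven digits.
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")
DISPOSAL_WINDOW_DAYS = 2 * 365


@dataclass
class InventoryEntry:
    path: str
    ssn_count: int
    ein_count: int
    days_since_use: int

    @property
    def holds_npi(self) -> bool:
        return self.ssn_count > 0 or self.ein_count > 0

    @property
    def disposal_due(self) -> bool:
        # More than two years since last use and still holding identifiers.
        return self.holds_npi and self.days_since_use > DISPOSAL_WINDOW_DAYS


def scan_inventory(root: str, now: Optional[float] = None) -> List[InventoryEntry]:
    """Walk root and return one entry per file, including files with no NPI,
    so the inventory records what was checked and not only what was found."""
    now = time.time() if now is None else now
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            # Byte scan with lenient decoding: catches plaintext in text files and
            # any embedded plaintext in binary formats. PDFs and tax-software
            # databases need their own parser for reliable coverage.
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore")
            age_days = int(round((now - os.path.getmtime(path)) / 86400))
            entries.append(InventoryEntry(
                path=os.path.relpath(path, root).replace(os.sep, "/"),
                ssn_count=len(SSN_RE.findall(text)),
                ein_count=len(EIN_RE.findall(text)),
                days_since_use=age_days,
            ))
    return entries


def disposal_candidates(entries: List[InventoryEntry]) -> List[str]:
    """Paths that should go through the documented secure-disposal procedure."""
    return sorted(e.path for e in entries if e.disposal_due)


def build_sample_tree(root: str, now: float) -> None:
    """Write constructed sample files with back-dated modification times."""
    samples = {
        "clients/2025/smith_1040.txt": ("Taxpayer Jane Smith SSN 219-09-9999 spouse 219-09-9998\n", 120),
        "clients/2022/doe_1040.txt": ("Taxpayer John Doe SSN 123-45-6789 refund 1200\n", 900),
        "clients/2022/acme_1120s.csv": ("entity,ein\nAcme LLC,12-3456789\n", 800),
        "office/phone_list.txt": ("Front desk 415-555-0100\nBack office 415-555-0199\n", 30),
        "scratch/not_ssns.txt": ("666-12-3456 000-12-3456 123-00-4567 123-45-0000\n", 10),
    }
    for rel, (content, age_days) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        mtime = now - age_days * 86400
        os.utime(path, (mtime, mtime))


def run_demo() -> List[InventoryEntry]:
    """Create the sample tree in a temp directory and inventory it."""
    root = tempfile.mkdtemp(prefix="npi_inventory_")
    now = time.time()
    build_sample_tree(root, now)
    return scan_inventory(root, now)


if __name__ == "__main__":
    for entry in run_demo():
        flag = "DISPOSE" if entry.disposal_due else ("NPI" if entry.holds_npi else "-")
        print(f"{flag:8} {entry.days_since_use:5d}d  ssn={entry.ssn_count} ein={entry.ein_count}  {entry.path}")
```

Run on a real file share, the output is the first draft of the data inventory the rule asks for; the phone-list and scratch files show why the SSA issuance exclusions matter, since a naive three-two-four digit pattern would have flagged both.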

Change Management

Anticipate and evaluate changes to information systems before implementing them. New software, new hardware, and changes to network architecture all introduce potential risks. A documented change management process catches security gaps before they become exploitable.

Monitoring and Testing

The eighth safeguard, 16 CFR § 314.4(c)(8), requires policies, procedures, and controls that monitor and log the activity of authorized users and detect unauthorized access to, or use of, customer information. Testing is a separate obligation under § 314.4(d): you must either implement continuous monitoring of your systems or, if you hold customer information on 5,000 or more consumers, conduct annual penetration testing and vulnerability assessments at least every six months (and whenever a material change occurs). Practices below that threshold are exempt from the fixed schedule but must still regularly test or otherwise monitor their key controls. Our overview of penetration testing for tax practices explains what this entails and how to source it cost-effectively.

Secure Development Practices

If your practice builds or configures web forms, client portals, or custom applications that collect, transmit, or store client data, 16 CFR § 314.4(c)(4) requires secure development practices for anything developed in house, including input validation to prevent injection attacks and security review of custom code before deployment, as well as procedures for evaluating or testing the security of externally developed applications you rely on.
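As an added example (not code from the original article), here is the client-lookup step of a hypothetical intake portal written two ways in Python with the standard-library sqlite3 module: the common string-built query that an attacker can escape with a single quote, and the hardened version that validates the input against an allow-list and passes it as a bound parameter. The table, rows and attack string are constructed for the demonstration.

```python
"""A client-lookup handler for a hypothetical tax intake portal, shown the
way it is commonly written (string-built SQL) next to the hardened version
(allow-list validation plus a parameterised query).

Added example, not from the original article. The table, rows and attack
string are constructed for the demonstration.
"""
import re
import sqlite3
from typing import Dict, List, Tuple

# Allow-list for a last name: letters, apostrophe, space, hyphen, 1-60 chars.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,59}$")
INJECTION = "' OR '1'='1"   # classic tautology payload


def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, last_name TEXT NOT NULL, "
        "ssn TEXT NOT NULL, agi INTEGER)"
    )
    conn.executemany(
        "INSERT INTO clients (last_name, ssn, agi) VALUES (?, ?, ?)",
        [("Smith", "219-09-9999", 84000),
         ("Doe", "123-45-6789", 56000),
         ("O'Brien", "321-54-9876", 120000)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, last_name: str) -> List[Tuple[str, str]]:
    # Deliberately vulnerable: the request value is pasted into the SQL text, so a
    # quote in the input ends the string literal and the rest runs as SQL.
    sql = "SELECT last_name, ssn FROM clients WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def validate_last_name(value: str) -> bool:
    """Reject anything outside the allow-list before it reaches the database."""
    return bool(NAME_RE.match(value))


def lookup_safe(conn: sqlite3.Connection, last_name: str) -> List[Tuple[str, str]]:
    if not validate_last_name(last_name):
        raise ValueError("last name failed validation")
    # The driver binds the value as data; it can never change the query structure.
    return conn.execute(
        "SELECT last_name, ssn FROM clients WHERE last_name = ?", (last_name,)
    ).fetchall()


def run_demo() -> Dict[str, object]:
    """Exercise both handlers with the payload and with a legitimate apostrophe name."""
    conn = make_demo_db()
    results: Dict[str, object] = {}
    results["vulnerable_injected"] = lookup_vulnerable(conn, INJECTION)
    try:
        lookup_safe(conn, INJECTION)
        results["safe_injected"] = "accepted"
    except ValueError:
        results["safe_injected"] = "rejected"
    results["safe_obrien"] = lookup_safe(conn, "O'Brien")
    try:
        lookup_vulnerable(conn, "O'Brien")
        results["vulnerable_obrien"] = "ok"
    except sqlite3.OperationalError:
        results["vulnerable_obrien"] = "sql error"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:22} {value}")
```

The tautology payload makes the string-built query return every client's SSN, while a legitimate name like O'Brien breaks the same query with a syntax error; the parameterised query handles both correctly. The allow-list check is a second layer that rejects obvious junk early, not the fix itself: binding parameters is what removes the injection.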

Building Your FTC-Compliant Information Security Program

Step 1: Designate Your Qualified Individual

Name a specific person responsible for your information security program in writing. If you are a solo practitioner, you may serve as your own QI or retain a managed security provider to fulfill this role contractually. The designation must be documented.

Step 2: Complete a Written Risk Assessment

Inventory all locations where customer information is stored or processed. Identify threats — phishing, ransomware, insider misuse, physical theft — and assess the likelihood and impact of each. The FTC expects a written record of findings and your response to them.

Step 3: Draft or Update Your Written Information Security Plan

Your WISP is the governing document for your information security program. It must address all nine elements of the FTC Safeguards Rule. Use a template calibrated to both FTC and IRS requirements and customize it to reflect your actual systems, risks, and controls.

Step 4: Implement Required Technical Controls

Deploy MFA on all systems holding customer data, encrypt files at rest and in transit, establish access controls and a data inventory, and configure secure disposal procedures. Prioritize based on your risk assessment findings — address your highest-risk gaps first.

Step 5: Train Your Staff

Conduct initial security awareness training for all employees with access to customer data, and schedule annual refreshers. Training must cover phishing recognition, password hygiene, proper data handling, and how to report a suspected incident.

Step 6: Audit Your Service Providers

List every vendor that touches client data — tax software, cloud backup, email providers, payroll services. Review their security practices and update contracts to require them to maintain appropriate safeguards and notify you promptly of security events.

Step 7: Test and Monitor Your Controls

Schedule vulnerability scans and, for larger practices, annual penetration tests. Set up logging to detect unauthorized access and review logs regularly. Document all testing results — these records are your primary evidence of a functioning program.

Step 8: Establish an Incident Response Plan

Document how your practice will detect, contain, investigate, and recover from a security incident. Include notification procedures for the IRS (contact your IRS Stakeholder Liaison immediately), affected clients, applicable state authorities, and the FTC: since May 13, 2024, 16 CFR § 314.4(j) requires notifying the FTC as soon as possible and no later than 30 days after discovering unauthorized acquisition of unencrypted customer information involving 500 or more consumers, and that duty applies regardless of the 5,000-consumer exemption. Even if the FTC written-plan exemption applies to your practice, documented procedures are essential for meeting these notification deadlines and for IRS and state law compliance.

How the FTC Safeguards Rule Interacts With IRS Requirements

Tax return preparers face a layered compliance environment. The FTC Safeguards Rule is federal law enforced by the FTC, but it operates alongside IRS cybersecurity mandates enforced through a separate mechanism. Understanding how these requirements overlap — and where they diverge — is essential for building a program that satisfies both without duplicating effort.

IRS Publication 4557 and the WISP Requirement

The IRS expects every paid tax return preparer to maintain a Written Information Security Plan: IRS Publication 4557 describes the obligation, and the PTIN application and renewal (Form W-12) require preparers to affirm their awareness of it. The "11 or more returns" threshold sometimes cited here is the IRS e-file mandate, not a WISP threshold. This WISP requirement parallels, but does not replace, the FTC Safeguards Rule obligation. A WISP built to meet FTC requirements will generally satisfy IRS Publication 4557 as well, provided it covers IRS-specific elements such as Electronic Filing Identification Number (EFIN) protection and safeguarding of IRS e-Services credentials. See our complete breakdown of IRS WISP requirements for a side-by-side view of how both sets of obligations map to each other.

Where the FTC Safeguards Rule Goes Further

The FTC Safeguards Rule imposes several requirements that IRS Publication 4557 does not explicitly mandate: a formally designated Qualified Individual, a documented risk assessment (which must be in writing for practices at or above the 5,000-consumer threshold), specific contractual requirements for service providers, a documented change management process, notification to the FTC within 30 days of a breach affecting 500 or more consumers, and, for larger practices, a written incident response plan and annual reporting to senior leadership. Treating the IRS WISP requirement as your ceiling for compliance leaves your practice exposed to FTC enforcement risk.

State-Level Data Security Laws

Several states have enacted data security laws that apply to tax preparers independently of federal requirements. New York's SHIELD Act and Massachusetts 201 CMR 17.00 both require a risk-based written security program from any business holding their residents' personal information, and the Massachusetts regulation names specific controls, including encryption of personal information on laptops and portable devices and in transit over public networks. California's Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA), largely exempts information collected under the GLBA, but its private right of action for breaches caused by unreasonable security still applies. Breach notification timelines also vary by state. A Safeguards Rule-compliant program should be reviewed against the laws of every state where you have clients or maintain a physical presence. Our resource on IRS cybersecurity requirements for tax professionals provides additional context on how federal and state obligations interact.

FTC Safeguards Rule vs. IRS Publication 4557 vs. NIST SP 800-171

Feature                                             | FTC Safeguards Rule                                                      | IRS Pub. 4557                 | NIST SP 800-171
----------------------------------------------------|--------------------------------------------------------------------------|-------------------------------|------------------------------------------
Written Security Plan (WISP)                        | Required                                                                 | Required (all paid preparers) | Required (system security plan)
Designated Qualified Individual / Security Officer  | Required                                                                 | Recommended                   | Required
Written Risk Assessment                             | Required (5,000+ consumers; below that, required but need not be written) | Recommended                   | Required
Multi-Factor Authentication                         | Required                                                                 | Required                      | Required
Encryption at Rest and in Transit                   | Required                                                                 | Required                      | Required
Staff Security Awareness Training                   | Required                                                                 | Required                      | Required
Annual Penetration Testing                          | Required (5,000+ consumers, unless continuous monitoring is in place)     | Not specified                 | Periodic control assessment; cadence not specified
Written Incident Response Plan                      | Required (5,000+ consumers)                                              | Recommended                   | Required
Service Provider Security Contracts                 | Required                                                                 | Recommended                   | Required
Annual Report to Board / Senior Officer             | Required (5,000+ consumers)                                              | Not specified                 | Not specified

FTC Enforcement: What Noncompliance Costs Tax Preparers

The FTC Safeguards Rule carries enforceable legal consequences; it is not advisory guidance. The headline figure, $51,744 per violation per day, is the FTC Act's civil penalty amount (15 U.S.C. § 45(m), 2024 inflation adjustment), and each day of a continuing violation counts separately. One caveat a practitioner should understand: the FTC has itself noted that it lacks authority to seek civil penalties for a first-time Safeguards Rule violation, so its Safeguards cases have been brought under Section 5 of the FTC Act and resolved with consent orders that typically run for twenty years and impose a mandated security program, independent assessments, and reporting. Civil penalties of this size then attach to any violation of that order. In a multi-element case, where a practice has no risk assessment, no designated Qualified Individual, and no staff training, each deficiency becomes its own order provision, and the aggregate exposure can be substantial.

Beyond FTC penalties, noncompliance exposes your practice to several additional consequences:

  • IRS EFIN suspension: The IRS can suspend or revoke your Electronic Filing Identification Number for failure to maintain adequate data security, effectively shutting down your tax practice during filing season. Our EFIN protection guide details how to safeguard this credential and what to do if it is compromised.
  • Client litigation: Clients whose data is exposed due to inadequate safeguards can sue under state consumer protection laws. Data breach litigation has become a standard follow-on to any significant incident, and settlements in the financial services space routinely reach six to seven figures.
  • State regulatory action: State attorneys general can bring independent enforcement actions under state data security and consumer protection laws, layering additional penalties on top of any federal action.
  • Reputational damage: A reported data breach in the tax preparation space has outsized consequences. Clients trust you with their most sensitive financial information, and a publicly reported incident often ends client relationships permanently — a harm that no penalty payment can reverse.

FTC enforcement of the Safeguards Rule has intensified since the 2023 amendments took effect. While the agency has historically focused on large financial institutions, recent consent decrees and civil investigative demands have targeted smaller financial services companies. Tax preparers cannot assume they fall below the agency's enforcement threshold. If you have experienced a security incident or believe your current program does not meet Safeguards Rule requirements, our tax season cybersecurity checklist provides a prioritized remediation starting point. You can also review the full scope of common attack vectors targeting tax practices in our guide on cyberattacks on tax firms.

Core Security Controls Every Tax Preparer Must Have in Place

Multi-Factor Authentication

Required by the FTC Safeguards Rule for anyone accessing systems containing customer information. MFA blocks most attacks that rely on a stolen or reused password alone, including credential stuffing and password spraying against tax software portals and IRS e-Services accounts. Real-time phishing kits can relay one-time codes, so phishing-resistant factors such as FIDO2 security keys or passkeys are the stronger choice where a platform supports them.

Written Information Security Plan

Your WISP is the governing document for your information security program. The FTC requires it to address all nine mandated elements and be updated whenever your practice or threat environment changes materially.

Staff Security Training

The Safeguards Rule requires security awareness training for all personnel with access to customer information and requires that it be kept current as threats change; training at hire plus an annual refresher on phishing recognition, password hygiene, and data handling procedures is the practical minimum. Phishing remains the primary entry point for tax preparer data breaches season after season.

Endpoint Detection and Response

Endpoint Detection and Response (EDR) software detects and contains malware before it can exfiltrate client tax data. Standard antivirus alone is insufficient against modern ransomware and credential-stealing tools.

Encrypted Storage and Backups

All customer data must be encrypted at rest and in transit. Encrypted, regularly tested backups stored offsite or in a secure cloud are the primary defense against ransomware attacks that specifically target tax and accounting firms.

Continuous Access Monitoring

Logging all access to systems containing customer information — and reviewing those logs for anomalous activity — is a baseline Safeguards Rule requirement and the earliest warning of unauthorized access or insider misuse.
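The following Python script is an added example (not code from the original article) of the kind of log review the paragraph describes, run over a handful of constructed login events in an assumed `timestamp login user=... ip=... result=...` format. It flags four things a small practice can realistically act on: a success outside business hours, a burst of failures followed by a success (password guessing), a success from an address the user has never logged in from before, and a success for an account that is not on the staff roster. Business hours, thresholds, the roster and the sample events are all assumptions for the demonstration.

```python
"""Review login events for anomalies worth a human look: after-hours access,
a burst of failures followed by a success, a first login from an unfamiliar
address, and an account that is not on the staff roster.

Added example, not from the original article. The log line format, business
hours, thresholds, roster and sample events are all constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

LINE_RE = re.compile(r"^(\S+) login user=(\S+) ip=(\S+) result=(success|failure)$")
BUSINESS_HOURS = range(8, 19)           # 08:00-18:59; timestamps assumed to be local time
FAILURE_WINDOW = timedelta(minutes=10)  # failures older than this are not counted
FAILURE_THRESHOLD = 5                   # failures before a success that trigger an alert
STAFF_ROSTER = {"jane", "mark"}         # accounts that are supposed to exist

# Constructed sample: two staff with stable addresses, one night-time guessing
# burst against mark from a new address, and a login by an account nobody on
# the roster owns.
SAMPLE_LOG = [
    "2026-02-10T09:02:11Z login user=jane ip=198.51.100.20 result=success",
    "2026-02-10T09:05:40Z login user=mark ip=198.51.100.21 result=success",
    "2026-02-11T08:55:03Z login user=jane ip=198.51.100.20 result=success",
    "2026-02-12T17:40:12Z login user=mark ip=198.51.100.21 result=success",
    "2026-02-13T23:41:05Z login user=mark ip=203.0.113.7 result=failure",
    "2026-02-13T23:41:19Z login user=mark ip=203.0.113.7 result=failure",
    "2026-02-13T23:41:33Z login user=mark ip=203.0.113.7 result=failure",
    "2026-02-13T23:41:48Z login user=mark ip=203.0.113.7 result=failure",
    "2026-02-13T23:42:02Z login user=mark ip=203.0.113.7 result=failure",
    "2026-02-13T23:42:20Z login user=mark ip=203.0.113.7 result=success",
    "2026-02-14T10:15:00Z login user=jane ip=198.51.100.20 result=success",
    "2026-02-14T11:02:44Z login user=svc_backup ip=198.51.100.30 result=success",
]


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    ip: str
    when: datetime


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, user, ip, result = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def review_logins(lines: Iterable[str], roster: Set[str] = STAFF_ROSTER) -> List[Alert]:
    """Single pass over chronologically ordered events, keeping per-user state."""
    alerts: List[Alert] = []
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    known_ips: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # in production an unparseable line deserves its own alert
        when, user, ip, result = parsed
        if result == "failure":
            recent_failures[user].append(when)
            continue
        # A success: evaluate the rules, then update the per-user baseline.
        window = [t for t in recent_failures[user] if when - t <= FAILURE_WINDOW]
        if len(window) >= FAILURE_THRESHOLD:
            alerts.append(Alert("failures_then_success", user, ip, when))
        recent_failures[user].clear()
        if when.hour not in BUSINESS_HOURS:
            alerts.append(Alert("after_hours", user, ip, when))
        if user not in roster:
            alerts.append(Alert("unknown_account", user, ip, when))
        # Only alert on a new address once the user has an established one;
        # the very first login of an account has nothing to compare against.
        if known_ips[user] and ip not in known_ips[user]:
            alerts.append(Alert("new_source_ip", user, ip, when))
        known_ips[user].add(ip)
    return alerts


def run_demo() -> List[Alert]:
    return review_logins(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.when:%Y-%m-%d %H:%M}  {a.rule:22} user={a.user} ip={a.ip}")
```

On the sample, mark's 23:42 login trips three rules at once, which is exactly the pattern of a guessed password used from an attacker's machine, and the svc_backup login surfaces an account that was never in the roster. Feed the function your tax software's or mail provider's exported sign-in log, adjust the line pattern and the roster, and review the output weekly; the dated review notes are the evidence of the monitoring the rule asks for.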

Practical Compliance Guidance for Small and Solo Tax Practices

Most solo and small-firm tax preparers do not have a dedicated IT department. The FTC Safeguards Rule accommodates this reality — the rule scales requirements to the size and complexity of your operation — but it does not eliminate the obligation to have a documented, functioning security program. The standard is proportionate, not absent.

Start With Your WISP

Your Written Information Security Plan is the foundation of a Safeguards Rule-compliant program. It documents who is responsible for security, what risks exist, what controls are in place to address them, and how you will respond to incidents. Both the IRS and the FTC require it. Our free WISP template for 2026 is built to meet both IRS Publication 4557 and FTC Safeguards Rule requirements. For firm-specific examples and formatting guidance, see accounting firm WISP template examples and best WISP templates for accountants.

Address Your Vendors First

The most commonly overlooked Safeguards Rule requirement for small tax practices is service provider oversight. Review the security practices of your tax software vendor, your cloud backup provider, your email host, and your payroll processor. Require each to contractually commit to maintaining appropriate safeguards and to notify you promptly in the event of a security incident. Many vendors will provide a Data Processing Agreement on request — ask for one, and document that you asked. For guidance on evaluating your software stack, see our analysis of whether tax preparation software is secure for personal information.

Document Every Decision

In an FTC enforcement action or client litigation, documented controls carry far more weight than undocumented practices. Every risk assessment, every training session, every vendor review, and every change to your security program should be recorded in writing with a date and the name of the person responsible. Regulators and plaintiffs' attorneys look for documentation gaps as evidence of willful noncompliance — and the absence of records is treated as the absence of controls.

For additional context on how phishing attacks specifically target tax professionals and how to defend against them, see our guide on phishing attacks targeting tax professionals and our overview of ransomware protection for tax practices. Both threat types are directly relevant to the risk assessment your Safeguards Rule program must address.


Frequently Asked Questions

Does the FTC Safeguards Rule apply to part-time or seasonal tax preparers?

Yes. The FTC Safeguards Rule applies to any business significantly engaged in financial activities, which includes tax return preparation regardless of whether it is conducted on a full-time, part-time, or seasonal basis. If you prepare tax returns and handle client nonpublic personal information, you are a covered financial institution under 16 CFR Part 314. There is no minimum volume threshold that grants an exemption from the core program requirements.

Who can serve as the Qualified Individual?

A Qualified Individual (QI) is the person designated to oversee your information security program. The QI must have the knowledge, skills, and experience to implement and manage the program effectively. For small tax practices, the owner or principal may serve as the QI. Alternatively, you may retain a qualified third-party service provider, such as a managed security services firm, to fulfill this role; in that case the rule still requires you to retain responsibility for compliance, to designate a senior member of your own staff to direct and oversee the provider, and to require the provider to maintain the program. The QI designation must be documented in writing, and the person must be able to demonstrate competency in information security relevant to your practice's size and risk profile.

How does the FTC Safeguards Rule differ from the IRS WISP requirement?

Both require a Written Information Security Plan (WISP), but they operate through different enforcement mechanisms. The IRS WISP requirement flows from IRS Publication 4557 and the PTIN application affirmation and is enforced through IRS oversight of tax professionals, including potential EFIN suspension. The FTC Safeguards Rule is enforced by the Federal Trade Commission under Section 5 of the FTC Act, typically through consent orders whose violation carries civil penalties of up to $51,744 per violation per day. The FTC rule also imposes requirements the IRS does not explicitly require, including a designated Qualified Individual, contractual service provider oversight, notification to the FTC within 30 days of a breach affecting 500 or more consumers, and, for practices holding customer information on 5,000 or more consumers, a written risk assessment, a fixed testing schedule, a written incident response plan, and annual senior leadership reporting.

What counts as nonpublic personal information (NPI)?

Nonpublic personal information (NPI) includes any personally identifiable financial information that a customer provides to you in connection with obtaining a financial product or service. For tax return preparers, this includes Social Security numbers, taxpayer identification numbers, income information, bank account numbers, investment data, filing status, deduction details, and any other information on a client's tax return or related documents. It also includes information you derive from those records. In practice, almost everything in a client's tax file qualifies as NPI.

Does a small practice need an incident response plan?

The FTC Safeguards Rule (16 CFR § 314.6) exempts practices holding customer information on fewer than 5,000 consumers from the requirement to maintain a written incident response plan. The exemption does not extend to the rule's breach-notification provision: since May 13, 2024, § 314.4(j) requires any covered institution to notify the FTC as soon as possible and no later than 30 days after discovering unauthorized acquisition of unencrypted customer information involving at least 500 consumers. The IRS also asks tax preparers to contact their IRS Stakeholder Liaison immediately after any data theft or loss involving client information, and most states have breach notification laws with their own timelines and requirements. Even if the FTC written-plan exemption applies to your practice, documented incident response procedures are essential for meeting these obligations and for limiting your liability if a breach occurs.

What are the penalties for noncompliance?

The civil penalty amount under Section 5 of the FTC Act (15 U.S.C. § 45(m)) is up to $51,744 per violation per day, adjusted annually for inflation. Because the Safeguards Rule was issued under the GLBA rather than Section 18 of the FTC Act, the FTC has said it cannot seek that penalty for a first violation; instead it brings Section 5 cases that end in long-running consent orders, and the per-day penalty applies to any violation of the order. In a multi-element case, where a practice has failed to conduct a risk assessment, has no designated Qualified Individual, and lacks staff training, each deficiency becomes a separate order provision, compounding the total exposure. Beyond FTC action, noncompliance can also result in IRS EFIN suspension, client litigation under state consumer protection law, and state regulatory action.

Is penetration testing required?

Annual penetration testing and vulnerability assessments at least every six months are required under 16 CFR § 314.4(d)(2) for practices that hold customer information on 5,000 or more consumers and do not have continuous monitoring in place. Practices below this threshold are exempt from that fixed schedule but must still regularly test or monitor their key security controls; the rule does not specify the form or frequency for them. Conducting at least an annual vulnerability assessment is sound practice for any tax preparer, demonstrates good-faith compliance, and often uncovers exploitable gaps before attackers do.

How do I demonstrate compliance?

Compliance is demonstrated through documentation. The FTC expects to see a written information security program, a written and dated risk assessment, records of staff training with dates and attendees, vendor contracts containing security requirements, and records of testing and monitoring activity. Your Qualified Individual should maintain a compliance file with dated records of each program element. Well-documented controls are the primary evidence of a functioning program; undocumented practices, even if performed, carry little weight in an enforcement context.

Can I use a template for my WISP?

A template can serve as a starting point, but the FTC Safeguards Rule requires your information security program to be tailored to the size, complexity, and nature of your specific practice. A template adopted without customization, and without a supporting risk assessment, is unlikely to satisfy the rule's requirements. Your WISP must reflect the actual systems, data flows, and risks present in your practice. Bellator Cyber Guard's free WISP template for 2026 is designed to guide you through the customization process step by step, with prompts for each required element.

Does the rule apply if I use cloud-based tax software?

Yes, and cloud-based tax software introduces specific obligations under the rule. The Safeguards Rule requires you to oversee your service providers, including cloud software vendors, and to ensure by contract that they maintain appropriate safeguards. You must also ensure that your own access to cloud-based systems is protected with multi-factor authentication, that data stored in the cloud is encrypted, and that you understand how the vendor handles data retention, deletion, and breach notification. Request your tax software vendor's security documentation and a data processing agreement before relying on cloud storage for client nonpublic personal information.
