
FTC Safeguards Rule for Tax Return Preparers (2026)

The FTC Safeguards Rule applies to every tax return preparer. Learn the 9 required elements, penalties up to $51,744/day, and steps to comply in 2026.


Who the FTC Safeguards Rule Covers — and Why Tax Preparers Are Not Exempt

If you prepare federal or state tax returns for clients, the FTC Safeguards Rule applies to your practice. It does not matter whether you operate as a solo preparer out of a home office, a seasonal tax service, or a multi-preparer firm. Under the Gramm-Leach-Bliley Act (GLBA) and its implementing regulation, 16 CFR Part 314, tax return preparers are explicitly classified as financial institutions — businesses that are significantly engaged in financial activities.

The FTC finalized substantial amendments to the Safeguards Rule in October 2021, and the most demanding provisions became enforceable on June 9, 2023. Many tax professionals remain unaware of these obligations or assume that small practice size grants them an exemption. It does not.

Every tax return preparer who handles nonpublic personal information (NPI) — which includes names, Social Security numbers, income data, and filing status — must implement a written information security program that meets the rule's specific requirements. This applies whether you file ten returns or ten thousand.

This guide breaks down exactly what the FTC Safeguards Rule requires of a tax return preparer: the nine mandatory program elements, eight technical safeguards, how the rule interacts with IRS Publication 4557, what enforcement looks like in practice, and how to build a compliant program even as a small or solo firm.

If you need to build or audit your current program, start with our free WISP template for 2026 — built to satisfy both FTC and IRS requirements.

Tax Preparer Data Security: By the Numbers

  • $4.88M: average cost of a data breach (IBM Cost of a Data Breach Report 2024)
  • $51,744: maximum FTC civil penalty per violation per day (2024 figure; adjusted annually for inflation)
  • 68%: share of breaches involving a human element (Verizon 2024 DBIR)
  • 258 days: average time to identify and contain a breach (IBM Cost of a Data Breach Report 2024)

What the FTC Safeguards Rule Actually Requires

The FTC Safeguards Rule mandates that every covered financial institution — including tax return preparers — develop, implement, and maintain a written information security program. This is not a checkbox exercise. The program must be tailored to the size, complexity, and sensitivity of the information your practice handles, and it must address nine specific elements spelled out in 16 CFR § 314.4.

Think of the rule as a framework rather than a rigid prescription. A two-person tax office is not expected to build the same controls as a bank — but both are expected to have a proportionate, documented program that identifies risks and addresses them systematically.

The Nine Required Elements (16 CFR § 314.4)

  1. Designate a Qualified Individual (QI): Name one person responsible for overseeing your information security program. This can be an employee, an affiliate, or a qualified third-party service provider — such as a managed security provider — with the knowledge, skills, and experience to manage the program effectively.
  2. Conduct a written risk assessment: Identify foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, and assess whether your current safeguards adequately control those risks. The assessment must be documented and dated — an undated risk assessment carries little weight in an FTC investigation.
  3. Design and implement safeguards: Based on your risk assessment, put controls in place. The rule specifies eight categories of required safeguards, detailed in the section below.
  4. Regularly monitor and test safeguards: Implement continuous monitoring or conduct periodic testing of key controls, systems, and procedures to verify they are functioning as intended.
  5. Train and manage staff: All personnel with access to customer information must receive security awareness training. Training must be updated as threats evolve — once at hire is not sufficient. Document every session with the date, topics covered, and attendees.
  6. Oversee service providers: Select and retain service providers that maintain appropriate safeguards, and require that by contract. This includes cloud storage providers, tax software vendors, and payroll processors.
  7. Keep the program current: Evaluate and update your program whenever your operations, technology, or threat environment changes materially — not just on an annual review cycle.
  8. Create a written incident response plan: Document how your practice will respond to and recover from a security event, including roles, escalation, containment, and notification. Under 16 CFR § 314.6, practices holding information on fewer than 5,000 consumers are exempt from this specific FTC requirement, but IRS and state law obligations still apply, and the separate FTC breach notification duty added in 2023 (§ 314.4(j): notify the FTC within 30 days of discovering a breach of unencrypted customer information affecting 500 or more consumers) has no small-practice exemption.
  9. Report to the board or senior officer annually: Your Qualified Individual must present a written report on the overall status of the information security program to your board of directors or, if you have no board, to a senior officer responsible for the program. This requirement is also waived for practices with information on fewer than 5,000 consumers.

Small Practice Does Not Mean Exempt Practice

The FTC Safeguards Rule applies to every tax return preparer regardless of firm size. Under 16 CFR § 314.6, practices holding information on fewer than 5,000 consumers are exempt from four specific provisions: the requirement that the risk assessment be in writing (the assessment itself is still required), the annual penetration test and six-month vulnerability assessment schedule, the written incident response plan, and the annual report to the board or senior officer. Everything else, including the Qualified Individual designation, the risk assessment, all eight safeguards under § 314.4(c), staff training, service provider oversight, and the FTC breach notification duty in § 314.4(j), applies in full. There is no revenue threshold, no minimum return count, and no small-business carve-out.

The Eight Technical and Operational Safeguards

Element three of the Safeguards Rule is where most tax practices fall short. The rule specifies eight categories of safeguards that your information security program must address under 16 CFR § 314.4(c). These are baseline requirements, not optional enhancements.

1. Access Controls

Limit access to customer information to only those employees who need it to perform their jobs, and § 314.4(c)(1) also requires you to periodically review those access rights. Implement role-based access controls and revoke access promptly when an employee leaves or changes roles; a quarterly review of every account on the tax software, email, and file storage, compared against the current staff list, catches the accounts that off-boarding missed. Every user account should have the minimum permissions necessary, a principle known as least privilege. Shared logins are a common violation in small tax offices and should be eliminated entirely, because they make the activity logging the rule also requires meaningless: you cannot tell who did what.

2. Data Inventory and Classification

You must know where customer information lives. That means mapping all systems, databases, paper files, portable drives, and cloud storage that contain nonpublic personal information. Without a data inventory, you cannot protect what you cannot locate. Our guide on tax document encryption requirements provides a practical starting point for this exercise.
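A quick way to start the inventory is to scan the locations you believe are clean for SSN-shaped strings. The block below is an added example written for this article, not a tool from the original page or any vendor; the directory layout and file contents are constructed inline so it runs offline, and the extension lists and the regex are assumptions you would tune to your own practice.

```python
"""Locate files that appear to contain client NPI (here: SSN-shaped strings).

Added example for this article, not part of any product. The sample tree
is constructed inline so the scan runs offline.
"""
import os
import re
import tempfile

# SSN-shaped: 3-2-4 digits with dashes. Area 000, 666 and 900-999, group 00
# and serial 0000 are never issued, so excluding them cuts false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Extensions we open as text. Binary formats need a dedicated extractor and
# are listed in the inventory for manual review instead (assumed lists).
TEXT_EXT = {".txt", ".csv", ".log", ".json", ".xml", ".html"}
BINARY_EXT = {".pdf", ".xlsx", ".docx", ".zip"}


def scan_tree(root):
    """Return {path: hit_count} for text files containing SSN-shaped strings;
    binary files are reported with count -1 (unreadable here, review manually)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in BINARY_EXT:
                findings[path] = -1
                continue
            if ext not in TEXT_EXT:
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = len(SSN_RE.findall(fh.read()))
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


def build_demo_tree():
    """Constructed sample files: the positives use well-formed placeholder
    SSNs, the negatives use never-issued ranges or an unscanned extension."""
    root = tempfile.mkdtemp(prefix="npi-scan-")
    os.makedirs(os.path.join(root, "clients"))
    samples = {
        "clients/intake_2025.csv": "name,ssn\nJane Doe,123-45-6789\nJohn Roe,234-56-7890\n",
        "clients/notes.txt": "Called client, no SSN taken yet.\n",
        "clients/test_data.txt": "placeholder 000-12-3456 and 666-12-3456\n",
        "clients/w2_copy.pdf": "%PDF-1.4 binary placeholder",
        "readme.md": "ssn 123-45-6789 in an extension we do not open",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def inventory_report(root):
    """Summarise as (files_with_hits, total_hits, binary_files_to_review)."""
    found = scan_tree(root)
    text_hits = {p: n for p, n in found.items() if n > 0}
    binaries = [p for p, n in found.items() if n == -1]
    return len(text_hits), sum(text_hits.values()), len(binaries)


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, n in sorted(scan_tree(demo).items()):
        print(f"{n:>3}  {os.path.relpath(path, demo)}")
```

Run it against each file share, laptop, and downloaded cloud export in turn and paste the resulting paths into the data inventory section of your WISP; the binary-file list tells you where a PDF or spreadsheet extractor is still needed before you can call the inventory complete.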

3. Encryption

Customer information must be encrypted in transit over external networks and at rest, wherever it is stored: servers, laptops, backup media, and cloud storage. The rule (§ 314.4(c)(3)) names no algorithm; use FIPS-approved ciphers, in practice AES (NIST Special Publication 800-111 is the reference for storage encryption on end-user devices), and where encryption is genuinely infeasible the Qualified Individual may approve effective compensating controls in writing. The most common failure in small practices is tax documents sent as plain email attachments. TLS between mail servers protects the hop, not the mailbox: once an account is phished, the attacker reads every stored attachment (MITRE ATT&CK catalogues this as Email Collection, T1114, alongside Adversary-in-the-Middle, T1557). Exchange documents through an encrypted client portal, or encrypt the file itself before attaching it and send the passphrase by a different channel.

4. Multi-Factor Authentication (MFA)

The Safeguards Rule (§ 314.4(c)(5)) requires multi-factor authentication for any individual accessing any information system that holds customer information, unless your Qualified Individual has approved in writing reasonably equivalent or more secure access controls. This is one of the most specific technical mandates in the rule. MFA belongs on tax software portals, email, cloud storage, remote access tools, and the administrative consoles of each of those services. Prefer an authenticator app or a FIDO2 security key over SMS codes, which are exposed to SIM-swap and interception. A single compromised password without MFA in place can expose every client record in your system.

5. Secure Disposal

Dispose of customer information securely once it is no longer needed. The rule (§ 314.4(c)(6)) sets a default: dispose of it no later than two years after the last date it was used in connection with the customer, unless it is necessary for business operations or another legitimate business purpose, or retention is required by law (for example, the IRS record-keeping period that applies to return preparers), and review your retention policy periodically so you keep only what you need. For digital records, deleting a file does not remove it from the media; use overwriting, cryptographic erasure (destroying the key that encrypted the data, which only works if the data was encrypted under that key from the start), or physical destruction of the drive. Confirm in writing how your cloud vendors delete data you remove. For paper records, cross-cut shredding is the usual baseline. Write the retention schedule into your WISP.

6. Change Management

Anticipate and evaluate changes to information systems before implementing them. New software, new hardware, and changes to network architecture all introduce potential risks. A documented change management process catches security gaps before they become exploitable. Even switching tax preparation software or upgrading your operating system qualifies as a change that should be assessed.

7. Monitoring and Testing

This safeguard, § 314.4(c)(8), is narrower than its usual summary: it requires policies, procedures, and controls to monitor and log the activity of authorized users and to detect unauthorized access to, or use or tampering with, customer information. In practice that means keeping the audit logs your tax software, email service, and cloud storage already produce, retaining them for long enough to investigate an incident, and actually reviewing them. Testing is a separate requirement under § 314.4(d): either effective continuous monitoring or, for practices holding information on 5,000 or more consumers, annual penetration testing plus vulnerability assessments at least every six months and whenever there are material changes to your operations. The amendments that set this schedule were finalized in 2021 and became enforceable in June 2023. Practices below that threshold are exempt from the schedule but must still regularly test or monitor the effectiveness of their key controls.
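What "monitor and log the activity of authorized users" looks like once the logs exist: a few detection rules run over portal access records. The block below is an added example for this article; the log format, usernames, IP addresses, off-boarding dates, and thresholds are constructed assumptions, not the output of any real tax product.

```python
"""Detection rules over a constructed tax-portal access log.

Added example for this article. Log format, users, IPs, off-boarding
dates and thresholds are all assumptions, not data from any product.
"""
from collections import defaultdict, deque
from datetime import datetime, time as dtime

# Constructed sample log: ISO timestamp, user, action, client id, source IP.
SAMPLE_LOG = """\
2026-02-03T09:12:04 maria view_return C1001 203.0.113.10
2026-02-03T09:13:11 maria view_return C1002 203.0.113.10
2026-02-03T14:40:52 tom view_return C2010 198.51.100.7
2026-02-03T14:41:03 tom export_pdf C2010 198.51.100.7
2026-02-03T23:05:17 tom view_return C2011 198.51.100.7
2026-02-04T02:10:00 maria view_return C1001 192.0.2.55
2026-02-04T02:10:05 maria view_return C1003 192.0.2.55
2026-02-04T02:10:09 maria view_return C1004 192.0.2.55
2026-02-04T02:10:13 maria view_return C1005 192.0.2.55
2026-02-04T02:10:18 maria view_return C1006 192.0.2.55
2026-02-04T02:10:22 maria export_pdf C1007 192.0.2.55
2026-02-05T10:00:00 dave view_return C3001 203.0.113.10
"""

TERMINATED = {"dave": datetime(2026, 2, 1)}   # assumed HR off-boarding dates
BULK_THRESHOLD = 5                             # distinct client records ...
BULK_WINDOW_SEC = 600                          # ... within ten minutes
BUSINESS_HOURS = (dtime(7, 0), dtime(20, 0))   # assumed office hours


def parse(line):
    ts, user, action, client, ip = line.split()
    return datetime.fromisoformat(ts), user, action, client, ip


def detect(log_text):
    """Return a list of (rule, user, timestamp) alerts, in log order."""
    alerts = []
    known_ips = defaultdict(set)
    recent = defaultdict(deque)        # user -> deque of (timestamp, client id)
    bulk_fired = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, client, ip = parse(line)
        # 1. Activity on an account that off-boarding should have disabled.
        if user in TERMINATED and ts >= TERMINATED[user]:
            alerts.append(("terminated_user", user, ts))
        # 2. Access outside business hours.
        if not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
            alerts.append(("after_hours", user, ts))
        # 3. First sighting of this source IP for this user.
        if known_ips[user] and ip not in known_ips[user]:
            alerts.append(("new_ip", user, ts))
        known_ips[user].add(ip)
        # 4. Bulk record access: many distinct clients inside a sliding window.
        q = recent[user]
        q.append((ts, client))
        while (ts - q[0][0]).total_seconds() > BULK_WINDOW_SEC:
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) >= BULK_THRESHOLD and user not in bulk_fired:
            alerts.append(("bulk_access", user, ts))
            bulk_fired.add(user)        # one alert per burst, not per line
        elif len(distinct) < BULK_THRESHOLD:
            bulk_fired.discard(user)
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {rule:<16} {user}")
```

Each rule maps to a question an investigator asks after a breach at a tax office: who pulled dozens of returns at 2 a.m. from an address we have never seen, and why did a former employee's login still work. Running something like this weekly over exported logs, and keeping the output, is evidence of the monitoring the rule requires.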

8. Secure Development Practices

The rule (§ 314.4(c)(4)) covers two cases. For applications your practice develops in-house to collect, store, or transmit customer information (a web intake form, a client portal, a spreadsheet macro that exports to your tax software), adopt secure development practices: validate every field against what it should contain, never splice form input into SQL queries or shell commands, and have someone other than the author review the code before it goes live. For externally developed applications, the rule requires procedures for evaluating, assessing, or testing their security, which for most practices means vendor due diligence and patching rather than code review.
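The injection risk the paragraph warns about, as an added example for this article and not code from any real intake form: a client lookup that splices the form field into SQL, beside the hardened version with allow-list validation and bound parameters. The table and rows are constructed in an in-memory SQLite database so it runs offline.

```python
"""Intake-form handling: an injectable query beside its hardened form.

Added example for this article, not code from any tax product. The schema
and sample rows are constructed so it runs offline with sqlite3.
"""
import re
import sqlite3

# Allow-list formats for the two identifiers the form accepts (assumed formats).
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
CLIENT_ID_RE = re.compile(r"^C\d{1,8}$")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (id TEXT PRIMARY KEY, name TEXT, ssn TEXT)")
    db.executemany("INSERT INTO clients VALUES (?, ?, ?)", [
        ("C1", "Jane Doe", "123-45-6789"),      # constructed sample rows
        ("C2", "John Roe", "234-56-7890"),
    ])
    return db


# --- Vulnerable: the client id from the web form is spliced into the SQL. ---
def lookup_vulnerable(db, client_id):
    sql = f"SELECT id, name FROM clients WHERE id = '{client_id}'"
    return db.execute(sql).fetchall()


# --- Hardened: allow-list validation first, then a parameterized query. ---
def validate_client_id(client_id):
    if not CLIENT_ID_RE.match(client_id):
        raise ValueError("client id must look like C123")
    return client_id


def validate_ssn(ssn):
    if not SSN_RE.match(ssn):
        raise ValueError("SSN is not well-formed")
    return ssn


def lookup_hardened(db, client_id):
    cid = validate_client_id(client_id)
    return db.execute("SELECT id, name FROM clients WHERE id = ?", (cid,)).fetchall()


def add_client_hardened(db, client_id, name, ssn):
    """Insert with validated identifiers; the free-text name is length-checked
    and bound as a parameter, never spliced, so apostrophes are harmless."""
    if not (1 <= len(name) <= 100) or any(ch in name for ch in "\x00\r\n"):
        raise ValueError("name out of range")
    db.execute("INSERT INTO clients VALUES (?, ?, ?)",
               (validate_client_id(client_id), name, validate_ssn(ssn)))
    db.commit()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # dumps every client
    try:
        lookup_hardened(db, payload)
    except ValueError as exc:
        print("hardened:", exc)
```

The same payload that dumps the whole client table through the first function is rejected by the second before any SQL runs; and even if validation were loosened, the bound parameter would be treated as a literal value rather than as part of the query.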

FTC Safeguards Rule Compliance Checklist for Tax Preparers

  • Designate a Qualified Individual to oversee your information security program
  • Complete and document a written risk assessment with dates and findings
  • Inventory all systems, devices, and locations where client NPI is stored
  • Enable multi-factor authentication on all systems with access to client data
  • Encrypt client data both in transit and at rest using AES-256 or equivalent
  • Implement role-based access controls with least-privilege permissions
  • Eliminate all shared login credentials across the practice
  • Schedule recurring security awareness training for all staff and document attendance
  • Review and document security practices of all third-party service providers
  • Obtain signed Data Processing Agreements from each vendor handling client data
  • Establish secure disposal procedures for both digital and paper records
  • Create a written incident response plan with defined roles and notification steps
  • Conduct annual penetration testing or periodic vulnerability assessments
  • Document all security decisions, changes, and reviews with dates and responsible parties

How the FTC Safeguards Rule Interacts With IRS Requirements

Tax return preparers face a layered compliance environment. The FTC Safeguards Rule is federal law enforced by the FTC, but it operates alongside IRS cybersecurity mandates enforced through a separate mechanism. Understanding how these requirements overlap — and where they diverge — is essential for building a program that satisfies both without duplicating effort.

IRS Publication 4557 and the WISP Requirement

The IRS, through Publication 4557, expects every professional tax preparer to maintain a Written Information Security Plan (WISP), and the PTIN application and renewal (Form W-12) asks you to confirm that you are aware of your data security responsibilities. The 11-or-more-returns threshold sometimes cited in this context is the e-file mandate, not a data security cutoff. The IRS WISP expectation parallels, but does not replace, the FTC Safeguards Rule obligation; Publication 4557 itself points to the Safeguards Rule as the legal basis. A WISP built to meet FTC requirements will generally satisfy the IRS as well, provided it covers IRS-specific elements such as Electronic Filing Identification Number (EFIN) and PTIN protection and safeguarding of IRS e-Services credentials.

See our in-depth breakdown of IRS WISP requirements for a side-by-side view of how both sets of obligations map to each other.

Where the FTC Safeguards Rule Goes Further

The FTC Safeguards Rule imposes several requirements that IRS Publication 4557 does not explicitly mandate: a formally designated Qualified Individual, a risk assessment (in writing for practices holding information on 5,000 or more consumers), specific contractual requirements for service providers, a documented change management process, and, for those larger practices, a written incident response plan, a fixed testing schedule, and annual reporting to senior leadership. Treating the IRS WISP expectation as your ceiling for compliance leaves your practice exposed to FTC enforcement risk. The FTC rule is the higher standard, and your program should be built to meet it from the outset.

State-Level Data Security Laws

Several states have enacted data security laws that apply to tax preparers independently of federal requirements. New York's SHIELD Act and Massachusetts 201 CMR 17.00 both apply to any business holding personal information of their residents, wherever the business sits, and 201 CMR 17.00 in particular spells out a written program, encryption of personal information on laptops and portable media, and employee training. California's CCPA, as amended by the California Privacy Rights Act (CPRA), applies only to businesses above its revenue and data-volume thresholds and largely exempts data already covered by GLBA, but its private right of action for data breaches still reaches that data. Each of these can exceed federal standards in specific areas, including breach notification timelines and data minimization.

A Safeguards Rule-compliant program should be reviewed against the laws of every state where you have clients or maintain a physical presence. Our resource on PTIN and WISP requirements for tax preparers provides additional context on how federal and state obligations interact.

FTC Enforcement: What Noncompliance Costs Tax Preparers

The FTC Safeguards Rule carries enforceable legal penalties; it is not advisory guidance. The maximum civil penalty under Section 5 of the FTC Act (15 U.S.C. § 45(l) and (m)) is adjusted for inflation every January: it was $51,744 per violation per day for 2024 and $53,088 for 2025, so check the current figure. Each day a violation continues can be counted as a separate violation, so a practice with no risk assessment, no designated Qualified Individual, and no staff training faces exposure on several counts at once. One caveat a practitioner should know: the FTC's Safeguards Rule cases to date have mostly been resolved through consent orders that impose a mandated security program and years of independent assessments, and the per-day penalty applies with full force once such an order is in place and violated. An order of that kind is itself a heavy cost for a small practice.

Beyond FTC penalties, noncompliance exposes your practice to several additional consequences that compound quickly.

IRS EFIN Suspension: The IRS can suspend or revoke your Electronic Filing Identification Number for failure to maintain adequate data security, effectively shutting down your tax practice during filing season. Our EFIN and PTIN protection guide details how to safeguard these credentials and what to do if they are compromised.

Client Litigation: Clients whose data is exposed due to inadequate safeguards can sue under state consumer protection laws. Data breach litigation has become a standard follow-on to any significant incident, and settlements in the financial services space routinely reach six to seven figures. Courts increasingly look at whether the business had a documented security program in place — and whether it followed that program.

State Regulatory Action: State attorneys general can bring independent enforcement actions under state data security and consumer protection laws, layering additional penalties on top of any federal action. New York, Massachusetts, and California have been particularly active in this space.

Reputational Damage: A reported data breach in the tax preparation space has outsized consequences. Clients trust you with their most sensitive financial information — Social Security numbers, income records, bank accounts — and a publicly reported incident often ends those relationships permanently. That revenue loss is a harm no penalty payment can reverse.

FTC enforcement of the Safeguards Rule has intensified since the amended rule became fully enforceable in June 2023. While the agency historically focused on large financial institutions, recent consent orders and civil investigative demands have targeted smaller financial services companies. Tax preparers cannot assume they fall below the agency's enforcement threshold. For a detailed look at the most common attack vectors targeting practices like yours, see our guide on cyberattacks on tax firms.

FTC Enforcement Is Accelerating in 2026

Since the amended rule took full effect in June 2023, the FTC has expanded enforcement beyond large financial institutions to smaller financial services companies. Civil penalties of up to $51,744 per violation per day (the 2024 figure; it rises with inflation each year), combined with IRS EFIN suspension risk and state attorney general actions, make noncompliance a significant financial threat to tax practices of any size. If your information security program has gaps, the time to address them is before an investigation begins, not after.

Building Your FTC-Compliant Information Security Program

  1. Designate Your Qualified Individual: Appoint an internal employee or contract with a qualified third-party provider to oversee your information security program. This person must have the authority, knowledge, and expertise to make security decisions for your practice.
  2. Conduct a Written Risk Assessment: Identify all systems storing client NPI, document internal and external threats, and evaluate whether current controls adequately address each risk. Date the assessment and name the responsible party.
  3. Implement the Eight Required Safeguards: Deploy access controls, complete your data inventory, enable encryption, enforce MFA, establish secure disposal, document change management, set up monitoring and logging, and address secure development practices.
  4. Document Your WISP: Formalize your Written Information Security Plan to cover both FTC Safeguards Rule and IRS Publication 4557 requirements. Include policies, procedures, responsible parties, and scheduled review dates.
  5. Establish Vendor Oversight: Review the security practices of all third-party service providers (tax software, cloud backup, email, payroll). Obtain Data Processing Agreements and document contractual safeguard commitments.
  6. Train All Staff: Deliver security awareness training to every employee with access to client data. Schedule recurring sessions at least annually and document attendance, topics, and completion dates.
  7. Test and Monitor Controls: Implement continuous monitoring or schedule periodic penetration testing and vulnerability assessments. Document all test results and any remediation actions taken.
  8. Review, Report, and Update Annually: Your Qualified Individual should report program status to senior leadership at least once per year. Update the entire program whenever operations, technology, or threats change materially.

Practical Compliance Guidance for Small and Solo Tax Practices

Most solo and small-firm tax preparers do not have a dedicated IT department. The FTC Safeguards Rule accommodates this reality — the rule scales requirements to the size and complexity of your operation — but it does not eliminate the obligation to have a documented, functioning security program. The standard is proportionate, not absent.

Start With Your WISP

Your Written Information Security Plan is the foundation of a Safeguards Rule-compliant program. It documents who is responsible for security, what risks exist, what controls are in place to address them, and how you will respond to incidents. Both the IRS and the FTC require it. Our free WISP template for 2026 is built to meet both IRS Publication 4557 and FTC Safeguards Rule requirements. For step-by-step guidance on building yours from scratch, see how to create a WISP.

Address Your Vendors First

The most commonly overlooked Safeguards Rule requirement for small tax practices is service provider oversight. Review the security practices of your tax software vendor, your cloud backup provider, your email host, and your payroll processor. Require each to contractually commit to maintaining appropriate safeguards and to notify you promptly in the event of a security incident. Many vendors will provide a Data Processing Agreement on request — ask for one, and document that you asked.

For guidance on evaluating your software stack, see our analysis of whether tax preparation software is secure for personal information.

Document Every Decision

In an FTC enforcement action or client litigation, documented controls carry far more weight than undocumented practices. Every risk assessment, every training session, every vendor review, and every change to your security program should be recorded in writing with a date and the name of the person responsible. Regulators and plaintiffs' attorneys look for documentation gaps as evidence of willful noncompliance — and the absence of records is treated as the absence of controls.

Defend Against the Most Common Threats

Phishing attacks and ransomware are the two threat categories most directly relevant to the risk assessment your Safeguards Rule program must address. Tax preparers are high-value targets because they hold concentrated stores of NPI — Social Security numbers, income records, and bank account details — all usable for identity theft and fraudulent filings. Your program should include specific controls addressing these threats: email filtering, Endpoint Detection and Response (EDR), secure offsite backups, and staff training on recognizing social engineering attempts. These controls map directly to the safeguard categories the FTC rule requires under § 314.4(c).

Need Help With FTC Safeguards Rule Compliance?

Bellator Cyber Guard's tax cybersecurity specialists have helped thousands of tax professionals build information security programs that satisfy both FTC and IRS requirements.

Get a Free FTC Safeguards Rule Gap Assessment

Our tax cybersecurity specialists will evaluate your current information security program against FTC Safeguards Rule requirements, identify gaps, and provide a prioritized remediation roadmap — at no cost to your practice.

Frequently Asked Questions

Does the FTC Safeguards Rule apply to seasonal or part-time tax preparers?

Yes. The FTC Safeguards Rule applies to all tax return preparers classified as financial institutions under the Gramm-Leach-Bliley Act, regardless of whether they operate full-time, part-time, or seasonally. If you prepare federal or state tax returns for clients and handle nonpublic personal information, you are covered. There is no minimum number of returns filed or hours worked that would exempt a seasonal or part-time preparer from the rule's requirements.

What is a Qualified Individual under the Safeguards Rule?

A Qualified Individual (QI) is the person designated to oversee and implement your information security program under 16 CFR § 314.4(a). This role requires sufficient knowledge, skills, and experience to manage data security effectively. The QI can be an employee within your practice, an affiliate, or a qualified third-party service provider such as a managed security firm. Even if you outsource this role, your practice retains ultimate accountability for the program's compliance and effectiveness.

How does the FTC Safeguards Rule differ from IRS Publication 4557?

Both call for a written security plan, but the FTC Safeguards Rule is broader and more prescriptive. It mandates a formally designated Qualified Individual, a risk assessment (documented in writing for practices holding information on 5,000 or more consumers), specific contractual requirements for service providers, a formal change management process, and, for those larger practices, a written incident response plan, annual penetration testing with vulnerability assessments at least every six months, and annual reporting to senior leadership. IRS Publication 4557 focuses on practical safeguards specific to tax data but does not impose all of these governance requirements. A program built to FTC standards will generally satisfy IRS requirements, but a program built only to IRS standards may leave you exposed to FTC enforcement risk.

What counts as nonpublic personal information for a tax preparer?

Nonpublic personal information (NPI) includes any personally identifiable financial information a client provides to obtain a financial product or service. For tax preparers, this includes Social Security numbers, income and wage data, bank account and routing numbers, filing status, dependent information, employer identification numbers, and any other data collected during the tax preparation process. It also includes information derived from transactions, such as payment histories and account balances. Essentially, if the information came from a client in connection with preparing their return, it is almost certainly NPI.

Does a small tax practice need an incident response plan?

Under the FTC Safeguards Rule, practices holding information on fewer than 5,000 consumers are formally exempt from the written incident response plan requirement. That exemption does not cover the FTC breach notification duty in § 314.4(j), which since May 2024 requires any covered practice to notify the FTC within 30 days of discovering a breach of unencrypted customer information affecting 500 or more consumers, and IRS Publication 4557 and most state data breach notification laws still require documented procedures for responding to security incidents. From a practical standpoint, every tax practice should maintain an incident response plan regardless of size: a breach without documented response procedures means slower containment, greater data loss, and significantly higher regulatory and legal exposure.

What are the penalties for noncompliance with the Safeguards Rule?

The FTC can seek civil penalties of up to $51,744 per violation per day (the 2024 maximum, adjusted each January for inflation) under Section 5 of the FTC Act. In multi-element enforcement actions, where a practice fails on several requirements such as risk assessment, staff training, and Qualified Individual designation, penalties accumulate for each separate violation, and in practice the FTC's Safeguards Rule cases have typically ended in consent orders requiring a mandated security program and years of independent assessments. Beyond FTC action, noncompliant practices face IRS EFIN suspension, client lawsuits under state consumer protection laws, independent state attorney general actions, and lasting reputational damage that can end client relationships permanently.

Are tax preparers required to conduct penetration testing?

The requirement depends on your practice size. Unless you have effective continuous monitoring in place, practices holding information on 5,000 or more consumers must conduct annual penetration testing and vulnerability assessments at least every six months (and whenever there are material changes to operations) under § 314.4(d)(2), a provision finalized in 2021 and enforceable since June 2023. Smaller practices are not required to follow that schedule but must still regularly test or monitor the effectiveness of their key controls. Regardless of size, regular testing helps identify vulnerabilities before attackers exploit them and demonstrates due diligence if the FTC investigates your practice.

How do I demonstrate compliance if the FTC investigates?

Documentation is your primary defense. Maintain written records of your risk assessment (dated and signed), Qualified Individual designation, security policies and procedures, staff training logs with dates and attendees, vendor security reviews and contracts, change management records, and monitoring or test results. The FTC evaluates whether you have a documented, functioning program, not whether your security is theoretically flawless. Practices that cannot produce records of their security activities are treated as having no program in place, regardless of what controls may actually exist.

Can I use a WISP template to comply with the Safeguards Rule?

A WISP template provides a strong starting point, but the FTC requires your information security program to be tailored to your specific practice: its size, complexity, the nature of the data you handle, and your particular risk profile. A generic, unmodified template will not satisfy the rule. You must customize it to reflect your actual systems, identified risks, implemented controls, and designated personnel. Bellator Cyber Guard's free WISP template for 2026 is designed to meet both FTC Safeguards Rule and IRS Publication 4557 requirements and includes guidance for customization.

Do I still have compliance obligations if I use cloud-based tax software?

Yes. Using cloud-based tax software does not transfer your compliance obligations to the software vendor. You remain responsible for ensuring that your overall information security program meets Safeguards Rule requirements, including verifying that your cloud providers maintain appropriate safeguards and are contractually obligated to protect client data. You must also implement MFA on cloud-based platforms, manage access controls for all users, and include cloud systems in your data inventory and risk assessment. The vendor's security is part of your compliance obligation, not a substitute for it.
