FTC Safeguards Rule Explained: Tax Preparer’s Checklist
- Luke Kiely

- Aug 10
Updated: Aug 14
Tax preparation has transformed into a digital battlefield. Every Social Security number, bank account detail and tax return you handle is a high-value target for hackers.

The FTC Safeguards Rule, codified under Section 501 of the Gramm-Leach-Bliley Act (GLBA), specifically targets financial institutions, tax preparers included, tasking them to develop, implement, and maintain robust information security programs that safeguard nonpublic personal information (NPPI). This rule is not static; the FTC’s 2021 update sharpened its teeth to address today’s cyber realities, demanding continuous risk assessments, documented policies, employee training, and vendor management.
Non-compliance isn’t just a regulatory headache; it threatens client trust and your business reputation, and exposes you to crippling penalties. The IRS, via Publication 4557 (“Safeguarding Taxpayer Data”), complements the FTC’s requirements with the IRS Security Six: six foundational controls that every tax preparer must adopt to build a modern cybersecurity defense.
What Tax Preparers Must Know
The FTC Safeguards Rule obliges tax preparers to design comprehensive security programs encompassing administrative, technical, and physical safeguards to protect NPPI, which includes sensitive data such as Social Security numbers, income details, bank account numbers, and more.
Applicability:
- Your firm is considered a “financial institution” under the FTC if it offers tax preparation services involving the handling of NPPI.
- The volume of NPPI processed and whether you use third-party services affect your compliance scope.
- Your program must cover data collected, stored, transmitted, or processed, whether on-premises or in the cloud.
The IRS Security Six: Your Tactical Cybersecurity Playbook
The IRS Security Six, outlined in IRS Publication 4557, breaks down the key controls tax preparers must implement:
- Access Controls: Limit access to NPPI strictly to authorized individuals through role-based permissions and strong authentication mechanisms like multi-factor authentication (MFA).
- Secure Data Transmission and Storage: Encrypt NPPI both at rest (using AES-256 or equivalent) and in transit (TLS 1.2 or higher).
- Monitoring and Logging: Maintain detailed logs of system activity involving NPPI for at least 12 months to detect and investigate unauthorized access.
- Risk Assessments: Conduct formal, documented risk assessments to identify vulnerabilities and tailor your controls accordingly.
- Incident Response Plan: Establish and rehearse a documented breach response plan that details containment, mitigation, communication, and recovery steps.
- Employee Training: Deliver ongoing cybersecurity awareness training, including phishing simulations and data handling best practices.
The IRS Security Six maps directly onto the FTC Safeguards Rule, which requires a similarly structured, ongoing security program, making compliance a strategic imperative rather than a box-checking exercise.
Core FTC Safeguards Rule Requirements
Risk Assessments:
Effective cybersecurity starts with understanding your firm’s unique risk profile. This involves cataloging NPPI assets—physical files, servers, cloud environments—and identifying threats such as phishing attacks, ransomware, insider risks, and hardware theft. Risk assessments must be documented, updated annually or when significant changes occur, and prioritized by likelihood and impact.
Written Information Security Program (WISP): A WISP is your overall framework for managing your information security program and includes:
- Encryption standards for data at rest and in transit.
- Incident response procedures outlining breach containment, client notifications, regulatory reporting, and forensic investigations.
- Access controls specifying who can view or modify NPPI.
Employee Training: Your team’s vigilance is your first defense. Training programs should be customized by role and reinforced with quarterly phishing simulations. The goal: transform employees from a vulnerability into a cyber defense asset.
Continuous Monitoring and Testing:
Cyber threats evolve rapidly. Schedule monthly vulnerability scans and annual penetration tests. Use findings to refine policies and remediate weaknesses. Regularly review your WISP and adjust to reflect new technologies, threats, or regulatory updates.
Vendor Risk Management:
Third-party providers handling NPPI are extensions of your security perimeter. Conduct due diligence (security questionnaires, audits, and contractual safeguards such as encryption, breach notification clauses, and a right to audit) and enforce least-privilege access, with network segmentation where feasible.
Data Protection Best Practices - Aligning With IRS and FTC Mandates
Encryption: All devices storing NPPI must have full-disk encryption such as BitLocker on Windows or FileVault on macOS. Backups should be encrypted and kept air-gapped offline to survive ransomware events. Avoid outdated protocols: enforce TLS 1.2+ for data transmission and ban FTP and HTTP entirely within your firm.
Access Controls: Implement role-based access control with strict MFA enforcement for all systems containing NPPI, including remote access portals and administrative consoles. Configure automatic session timeouts and lock idle devices within minutes.
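As an added example (not from the article or ComplyWise Online), the following read-only PowerShell check audits three of the controls just described on a single Windows workstation: BitLocker full-disk encryption, legacy SSL/TLS protocols disabled in Schannel so that only TLS 1.2+ remains, and a password-protected idle lock. It assumes the BitLocker module is present (Windows Pro/Enterprise) and that the firm's chosen idle-lock threshold is 15 minutes; both are assumptions, while the registry paths are the standard Windows locations.

```powershell
# Added compliance spot-check for one Windows machine (not the article's code).
# Run in an elevated PowerShell; it changes nothing, it only reports findings.
$findings = @()

# 1. Full-disk encryption: every OS and data volume should be fully encrypted with protection on.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeType -in 'OperatingSystem', 'Data') {
        if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
            $findings += "BitLocker not fully on for $($vol.MountPoint): status=$($vol.VolumeStatus), protection=$($vol.ProtectionStatus)"
        }
    }
}

# 2. Transport: legacy Schannel protocols should be explicitly disabled (Enabled=0) for client and server.
#    A missing key means the OS default applies, so it is reported as "not explicitly disabled".
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $schannel "$proto\$side"
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        if ($enabled -ne 0) {
            $findings += "$proto ($side) is not explicitly disabled (Enabled=$enabled)"
        }
    }
}

# 3. Idle lock for the current user: screen saver active, password-protected, timeout within 15 minutes.
#    Assumption: 900 seconds is the firm's threshold. If a GPO enforces the lock, read the same values
#    under HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop instead.
$maxIdleSeconds = 900
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$timeout = [int]$desktop.ScreenSaveTimeOut
if ($desktop.ScreenSaveActive -ne '1' -or $desktop.ScreenSaverIsSecure -ne '1' -or
    $timeout -eq 0 -or $timeout -gt $maxIdleSeconds) {
    $findings += "Idle lock not enforced: active=$($desktop.ScreenSaveActive), secure=$($desktop.ScreenSaverIsSecure), timeout=$timeout s"
}

if ($findings.Count -eq 0) { 'All checked controls pass.' } else { $findings }
```

Keep the output with the machine's name and date alongside your other recordkeeping, since a dated pass/fail list is the kind of evidence an auditor asks for.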
Incident Response: Your plan must be clear and actionable. Assemble an Incident Response Team with defined roles: IT lead for technical containment, legal counsel for regulatory engagement, and communications lead for client notifications. Test this plan regularly to ensure rapid, effective breach response.
Managing Third-Party Risks: Extending Your Security Perimeter
Vendors can be a weak link if they're not managed correctly. At a minimum, for vendors storing or processing sensitive data:
- Require security certifications like SOC 2 Type II or ISO 27001.
- Review their incident response capabilities and historical security performance.
- Include strict contractual clauses mandating encryption, breach notification within 24-48 hours, data return or destruction on contract termination, and audit rights.
- Restrict vendor access using least-privilege principles and isolate vendor connections via VPNs or VLANs to prevent lateral movement in case of compromise.
Meeting FTC and State Mandates
Breach Reporting:
You must notify the FTC within 30–60 days of discovering a breach involving NPPI, detailing the breach nature, data affected, remediation steps, and contacts for inquiries. Additionally, state breach notification laws may require faster notification to impacted individuals and authorities.
IRS Reporting:
Notify the IRS promptly through the Secure Protect Our Systems (SPOS) portal if e-filed client data or communications are compromised.
Recordkeeping:
Maintain detailed documentation of:
- Annual risk assessments and remediation plans.
- Employee training logs and phishing simulation results.
- WISP versions and updates.
- Incident response activities and forensic reports.
- Vendor security evaluations and contracts.
These records are vital for audits, legal defenses, and continuous improvement.
Compliance Checklist: Your Action Plan to Stay Ahead
- Conduct comprehensive risk assessments covering all NPPI touchpoints.
- Develop and enforce a WISP aligned with FTC and IRS mandates.
- Train your team relentlessly with tailored content and real-world simulations.
- Implement encryption and strict access controls on all data systems.
- Monitor your environment continuously with scans, pentests, and audits.
- Vet, contract, and oversee third-party vendors rigorously.
- Maintain an incident response plan and conduct breach simulations.
- Prepare to meet all FTC, IRS, and state reporting obligations.
Your commitment to these controls is not just compliance, it’s a genuine competitive advantage. In an era where one breach can irreparably damage your reputation, clients entrust you with their most sensitive information. Protect that trust with ComplyWise Online - your partner in cyber resilience.
For a jumpstart, download our WISP Compliance Pack including full policy suite and Incident Response Plan, or schedule a discovery call with ComplyWise Online today.