Most accountants I talk to assume that data security rules are written for banks and big corporations. They are surprised, and usually a little uneasy, to learn that there is a federal rule written specifically for them, that it has real teeth, and that a great many firms are quietly out of compliance without realizing it.
The rule is the FTC Safeguards Rule. If you prepare taxes or provide financial services, there is a strong chance it applies to your firm, no matter how small you are. This is not a scare tactic and it is not a sales trick. It is a straightforward legal obligation that too few accountants have had explained to them in plain language. So that is what I want to do here. No jargon, no fine print, just what it is, whether it applies to you, and what to actually do about it.
What the FTC Safeguards Rule is
The Safeguards Rule is a federal requirement that certain businesses protect the sensitive customer information they handle. It comes out of a law called the Gramm-Leach-Bliley Act, and the Federal Trade Commission enforces it. The short version is this: if your business handles people's financial information, the government expects you to have a real, written plan for keeping that information safe.
The reason most accountants have never heard of it is that the word "accountant" does not appear in the headline. The rule talks about "financial institutions," and almost no CPA thinks of their practice as a financial institution. But the FTC defines that term broadly, and tax preparation and financial advisory work fall squarely inside it.
Does it apply to your firm?
Here is the part that catches people off guard. Whether the rule applies has nothing to do with the size of your firm. A solo tax preparer working from a home office can be just as covered as a hundred-person practice.
What matters is the kind of information you handle. If your firm collects, stores, or processes customer financial information, things like Social Security numbers, income figures, bank account details, or any other nonpublic personal information you gather while providing a financial service, then the rule very likely applies to you. For a tax or accounting practice, that describes essentially every client file you have.
So the honest answer for most accountants is yes. If you prepare returns or advise clients on their finances, you are almost certainly a covered firm, whether you knew it or not.
What the rule actually requires
This is where it stops being abstract. The Safeguards Rule asks for a handful of concrete things, and once you see them, you will notice they are simply good practice for any firm that holds sensitive client data.
You need a written information security plan, often called a WISP. This is a document that describes how your firm protects client information. It is not a one-time form you file and forget. The rule expects you to review it regularly, at least once a year, and update it when your business or the threats around you change.
You need to put someone in charge. The rule requires you to designate a qualified individual responsible for running your security program. For a small firm, this can be an owner, a staff member, or an outside provider who handles it for you. The point is that responsibility cannot be nobody's job.
You need to actually secure the information, not just promise to. In practice that means a baseline of real controls: multi-factor authentication (the extra login code sent to your phone) on email, remote access, and any system holding client data; disciplined control over who can access what; and encryption of sensitive information both while it sits on your systems and while it travels, for example over email.
And you need to assess your risks and adjust. The rule expects you to look honestly at where your firm is exposed and to fix the gaps, then revisit that assessment over time rather than treating security as a box you checked once.
There is a lighter path for the smallest firms. If your practice maintains information on fewer than 5,000 individuals, some of the more involved requirements are eased, and the focus narrows to core protections like multi-factor authentication, encryption, and secure disposal of old data. Lighter does not mean exempt. The core safeguards still apply.
Why this is worth your attention now
I am not raising this to make you anxious. I am raising it because the downside of ignoring it has quietly grown, and the work to handle it is very manageable.
The exposure is real on three fronts. There is the regulatory side, where noncompliance can carry penalties. There is the trust side, where a single breach of client tax data can end relationships you spent years building, because clients hand you their most sensitive financial details and expect them guarded. And there is the practical side, because the same protections the rule requires are increasingly what your cyber insurance carrier demands before they will cover you, and what a client may start asking about before they sign on. Compliance, insurance, and client trust are converging on the same short list of basics.
The good news is that getting compliant is not a mysterious or enormous project. It is a written plan, a person in charge, and a baseline of protections that a small firm can put in place without turning the practice upside down.
How we think about it
This is exactly the kind of work we built Red Door Shield to handle, through a simple framework we call KIT: Keep, Inspect, Trust. Keep what is valuable secure, which covers the multi-factor authentication and encryption the rule asks for. Inspect what is coming in, which covers the monitoring that protects client data day to day. And trust through validation, which covers the access control and the documented, reviewable plan that proves you are doing what you say. The same system that satisfies the Safeguards Rule is the system that keeps the criminals out and keeps your insurer satisfied, and we build the written plan and the evidence alongside the protection, so compliance is not a separate scramble.
What ready looks like
Picture a client asking how you protect their tax information, or an insurer's questionnaire landing on your desk, or simply the quiet question in your own head about whether your firm is exposed. In each case you have a clear answer. There is a written plan. Someone owns it. The protections are real and documented. You are not guessing and you are not hoping.
That is the difference between vaguely worrying that you might be out of compliance and knowing that you are covered. For an accountant, whose entire business runs on being trusted with people's most private numbers, that certainty is not just a legal nicety. It is the foundation of the relationship.
You built a practice clients trust with their financial lives. Protecting that information, and being able to prove you do, is part of earning that trust every year. If you want to know exactly where your firm stands against the Safeguards Rule today, that is a conversation worth having before a client, an auditor, or an incident asks the question for you.