
Things You Should Know About The FTC Safeguards Rule

September 08, 2022

The Federal Trade Commission (FTC) recently amended its cornerstone Safeguards Rule, which requires financial institutions under its jurisdiction to protect the security and confidentiality of customer information. The amendments replace much of the original Rule's general language with specific, concrete requirements, so there is now far less room for interpretation about what a compliant program must contain.

As a professional accounting firm that handles sensitive information, you must understand the main requirements of the FTC Safeguards Rule, how the compliance requirements apply to your business, and the steps you can take to ensure you are following the agency’s guidance. 

At ABL Computers, we are committed to your accounting firm’s success and have outlined the three things you need to know to comply with the FTC Safeguards Rule to maintain network security. 

What Are the FTC Safeguard Rules?

In 2015, the IRS created the Security Summit to bring together state agencies and private-sector security experts to create a robust cybersecurity workgroup. The Security Summit’s mission is to identify and establish security requirements and guidance for tax professionals and other financial institutions. 

As part of its workgroup duties, the Security Summit publishes helpful guides to help tax industry experts meet FTC and other federal agency requirements. 

One of the most important cybersecurity laws your accounting firm should know about is the Gramm-Leach-Bliley (GLB) Act. The GLB Act requires financial institutions to protect the security of confidential and sensitive customer financial information, and the FTC is the agency that enforces it for non-banking financial institutions such as accounting and tax preparation firms. It is a cornerstone of business cybersecurity requirements.

The FTC's Safeguards Rule, which took effect in 2003, implements the GLB Act's security requirements. Among other things, it requires covered businesses to protect sensitive customer information through a written information security program. If your accounting firm does not comply with these federal regulations, you may be subject to FTC investigation and fines.

Does the FTC Safeguards Rule Apply to My Accounting Firm? 

The FTC Safeguards Rule applies to any non-banking financial institution or business engaging in activity that is financial in nature, including CPA firms, regardless of size or number of clients. Section 314.2(h) outlines a handful of examples of the types of entities considered financial institutions under the Rule, including tax preparation firms. 

However, be aware that the Safeguards Rule does offer a limited exception for smaller firms. Under Section 314.6, a firm that maintains customer information concerning fewer than five thousand consumers is exempt from some of the Rule's more demanding provisions: the written risk assessment, continuous monitoring or periodic penetration testing and vulnerability assessments, the written incident response plan, and the annual written report to the board. The exception does not excuse a firm from the Rule altogether; a written information security program with appropriate safeguards is still required.

If you believe your accounting firm may qualify for the exception in Section 314.6, you can consult the information on this page.

How Can My Accounting Firm Comply With the FTC Safeguards Rule? 

The first step is ensuring your accounting team is familiar with the Safeguards Rule and understands the importance of complying with the outlined requirements. At its core, the Safeguards Rule was established to require non-banking financial institutions like accounting firms to develop, implement, and maintain a written information security program. 

This information security program must outline administrative, technical, and physical safeguards your accounting firm uses to protect sensitive taxpayer and non-public customer information from cybersecurity attacks and breaches. 

“Customer information” includes any record that contains nonpublic personal information about your customers, whether the information is found on paper, electronically, or in some other form. Information is defined as “customer information” if it is handled or maintained by your accounting firm or any of your affiliates. 

The FTC defines "nonpublic personal information" as any personally identifiable financial information that is not publicly available, as well as any list, description, or other grouping of consumers that is derived using personally identifiable financial information that is not publicly available. 

The information security program must outline the steps your accounting firm will take to protect your clients' nonpublic personal information and other customer information. Among other things, the program must address nine elements outlined by the FTC:

  1. Designating a qualified individual to implement and supervise your accounting firm's information security program. This person can be an employee or a service provider, but your firm retains responsibility for compliance. 
  2. Conducting a written risk assessment to identify the type of customer information your accounting firm stores, where it is stored, and the internal and external risks to its security, confidentiality, and integrity. 
  3. Designing and implementing safeguards to mitigate the risks identified in the risk assessment. The amended Rule names specific safeguards, including access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, secure disposal of information no longer needed, change management, and logging and monitoring of user activity.
  4. Regularly monitoring and testing the effectiveness of your safeguards, either through continuous monitoring or through annual penetration testing and vulnerability assessments at least every six months. 
  5. Training your staff on security awareness, and ensuring the people responsible for your program are qualified and keep their knowledge current. 
  6. Overseeing your service providers: selecting providers capable of maintaining appropriate safeguards, requiring those safeguards by contract, and periodically assessing them. 
  7. Updating your written information security program as your operations change, as your testing and monitoring reveal weaknesses, or as you experience any threats to your security. 
  8. Creating a written incident response plan to respond to security breaches or attacks. 
  9. Requiring your qualified individual to report in writing, at least annually, to your board of directors or to the senior officer responsible for your information security program. 

For more information on creating a Data Security Plan, check out our recent blog post outlining the three steps your accounting firm can take today to create a customized plan. 

If your accounting firm is having trouble complying with the FTC’s Safeguards Rule, we encourage you to set up a free consultation with us. We can walk you through the requirements to comply with these cybersecurity requirements, including serving as the qualified individual responsible for writing and maintaining your written information security program. 


Not Ready To Call Us Just Yet?

No problem, we still want to send you a copy of our recently published report, 21 Questions To Ask Before Hiring An IT Team.

Not ready to make the change right now? Are you sure that your financial services business is not vulnerable to expensive problems such as lost data, viruses, hacker attacks, and other critical issues? Do you know your current IT provider's policies, procedures, and service standards? This report will provide you with important questions to ask your current IT professional.

Simply fill out the form here and we will send you a copy today!
