Protecting customer data is more important than ever. With cyber threats rising, the FTC Safeguards Rule requires financial institutions, such as tax professionals, to adopt comprehensive security measures.
The FTC Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA). It ensures financial institutions take steps to keep customer information secure by directing companies to work towards a strong security program, protecting the client data from hackers and other risks.
In today’s digital world, safeguarding client financial information is not just a question of complying with this rule – it is about maintaining trust with clients and your own business’s reputation.
Who is Covered Under the FTC Safeguards Rule?
The FTC Safeguards Rule applies to all financial institutions that fall under its jurisdiction.
A financial institution isn’t just a bank. Under the FTC Safeguards Rule, any business that deals with “financial information” or whose activities are “incidental to financial activities” as described in the Bank Holding Company Act of 1956 is covered. Examples include:
- Mortgage brokers
- Account services
- Check cashing businesses
- Wire transferors
- Tax preparation firms
- Investment advisors not regulated by the SEC
- Collection agencies
- Credit counselors
- Real estate settlement services
- Travel agencies offering financial services
- Auto dealerships offering financing
- Retailers providing credit financing
- Entities handling money orders and stored value cards
Certain exemptions apply to businesses with fewer than 5,000 customers. For example, they may not be required to produce a written risk assessment or an incident response plan, but they must still follow the basic security steps that protect customer data.
Information Security Program – A Must-Have Requirement to Comply with the FTC Safeguards Rule
Under the FTC safeguards rule, every organization considered a financial institution (which would include tax firms) is mandated to have an Information Security Program.
An Information Security Program, also known as a Written Information Security Plan (WISP), enables businesses like your tax firm to secure vital customer data from data breaches and cyberattacks by implementing multiple safeguards, be they physical or administrative.
A well-drafted WISP protects customer data from cybercriminals, minimizes the threat of breaches, and keeps businesses compliant with federal regulations. It also boosts client confidence by demonstrating that their personal data is safe.
Core Components of an Information Security Program
As directed by the FTC, tax firms can include the following in their security program to remain compliant:
1. Elect a Qualified Individual
You must designate an individual, either an employee or a third party, who is responsible for managing your security program. This person ensures that your data protection measures are adequate, and must be skilled enough to recognize likely vulnerabilities and put the required security controls in place.
Because the regulations and the threat landscape both change over time, the Qualified Individual must also keep up with evolving cybersecurity threats to maintain compliance and security.
2. Conduct Risk Assessments
Finding security weaknesses before the cybercriminals do is critical. Regular risk assessments identify vulnerabilities so that they can be remediated before they are exploited.
This means assessing potential internal and external risks, studying previous security breaches, and keeping up with emerging cyber threats.
A well-executed risk assessment lets you address a risk before a breach occurs instead of responding to a breach after the fact.
3. Enforce Security Controls
The FTC Safeguards Rule mandates that businesses establish layers of protection to minimize the risk of unauthorized access, breaches, and cyber threats. Key measures include:
- Access Controls – Restrict access to sensitive customer data to only those employees who need it to perform their jobs. Deploy role-based access control (RBAC) and periodically audit user permissions so that access does not accumulate beyond what each role requires.
- Encryption – Use current, standards-based encryption to protect data at rest and data in transit, so that intercepted or stolen data is unreadable to outsiders. If encryption is not feasible in a particular case, the Qualified Individual is responsible for approving alternative compensating controls.
- Multi-Factor Authentication (MFA) – Require more than one method of authentication (e.g., password plus a security token) before users can reach sensitive systems, so that a stolen password alone does not grant access.
- Cataloging Assets – Inventory all data, devices, and systems that store or process customer information. When you know where this data lives, it is much easier to secure it properly.
- Data Disposal – Draft and implement procedures for securely disposing of customer information no later than two years after its most recent use, so that data you no longer need cannot be exposed.
- Keeping Audit Logs – To trace suspicious activity, maintain detailed logs of all data access, modifications, and transactions. Review the logs regularly so that potential security threats are identified early.
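To make the access-control, audit-log and data-disposal items above concrete, here is a small added example (not code from the article or from Ace Cloud Hosting) that models three of them in one place: a deny-by-default RBAC check that records every decision, a log review that flags accounts with repeated denied actions, and a retention check that lists records past the two-year disposal point. The role names, user assignments, record ids and timestamps are all constructed for illustration, and the 730-day retention period is an assumption that approximates the rule's two years.

```python
"""Added example: RBAC with audit logging, log review, and a retention check.
Not the article's code; all names, records and timestamps are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role-to-permission table. Each role gets the smallest set of
# actions its holders need (least privilege); any action not listed is denied.
ROLE_PERMISSIONS = {
    "preparer": {"client_record:read", "client_record:update"},
    "reviewer": {"client_record:read"},
    "admin":    {"client_record:read", "client_record:update", "client_record:delete"},
}

# Constructed user-to-role assignments; this is the table a periodic
# permission audit would review for stale or over-broad access.
USER_ROLES = {"alice": "preparer", "bob": "reviewer", "carol": "admin"}


def is_allowed(user, action, record_id, audit_log, when):
    """Deny-by-default RBAC check that appends every decision to audit_log."""
    role = USER_ROLES.get(user)
    allowed = role is not None and action in ROLE_PERMISSIONS.get(role, set())
    audit_log.append({"time": when, "user": user, "action": action,
                      "record": record_id, "allowed": allowed})
    return allowed


def flag_repeated_denials(audit_log, max_denials=3, window=timedelta(minutes=10)):
    """Log review: users with max_denials or more denied actions inside a
    sliding time window, an early sign of probing or a misconfigured account."""
    recent = defaultdict(list)
    flagged = set()
    for entry in sorted(audit_log, key=lambda e: e["time"]):
        if entry["allowed"]:
            continue
        times = recent[entry["user"]]
        times.append(entry["time"])
        # Keep only the denials that fall inside the window ending at this entry.
        times[:] = [t for t in times if entry["time"] - t <= window]
        if len(times) >= max_denials:
            flagged.add(entry["user"])
    return flagged


def records_due_for_disposal(last_used, now, retention=timedelta(days=730)):
    """Retention check: record ids whose last use is older than the retention
    period. 730 days is an assumed approximation of the rule's two years."""
    return sorted(rid for rid, ts in last_used.items() if now - ts > retention)


def run_demo():
    """Walk through the three controls on constructed data; returns a tuple
    (alice_update_ok, bob_delete_ok, flagged_users, records_to_dispose)."""
    log = []
    t0 = datetime(2025, 1, 15, 9, 0)
    alice_ok = is_allowed("alice", "client_record:update", "c-1001", log, t0)
    bob_ok = is_allowed("bob", "client_record:delete", "c-1001", log, t0)
    # Three more denied attempts by bob within a few minutes: should be flagged.
    for minute in range(3):
        is_allowed("bob", "client_record:update", "c-1002", log,
                   t0 + timedelta(minutes=minute))
    flagged = flag_repeated_denials(log)
    last_used = {"c-1001": datetime(2022, 6, 1), "c-1002": t0}  # constructed
    due = records_due_for_disposal(last_used, t0)
    return alice_ok, bob_ok, flagged, due


if __name__ == "__main__":
    print(run_demo())
```

The point of routing every decision through `is_allowed` is that the audit log is produced as a side effect of enforcement rather than relying on each application to remember to log; the review function then works on that single record, and a real deployment would store it somewhere the requesting user cannot alter.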
4. Constantly Monitor and Test Your Security Measures
Cybersecurity is not a set-it-and-forget-it proposition. Regularly check and test your security systems to confirm they still work as intended. Conduct periodic penetration testing so that weaknesses are found by you rather than by an attacker, and use automated monitoring tools that alert on potentially suspicious activity, so you can respond quickly when a threat appears.
5. Train Your Staff
The workforce of your tax firm is your first line of defense. Regular security training makes them adept at recognizing phishing emails, using secure passwords, and following data security best practices.
You can also conduct simulated cyber-attack exercises to make employees aware of potential threats. Furthermore, promoting a culture of security awareness will create a proactive approach towards dealing with sensitive client data.
6. Manage Third-Party Service Providers
If you share customer data with third parties, it is your responsibility to ensure they follow proper security protocols as well. Vendors and third-party contractors should be vetted for data protection policy considerations, and contracts should have security requirements.
7. Update Your Security Program
As cyber threats transform, so should your security efforts. Review your security policies regularly and modify them as new threats or industry best practices evolve. These measures may involve revisiting risk assessments, updating incident response plans, and incorporating new security technologies. A proactive security program prepares your organization to combat new cyber challenges.
8. Have an Incident Response Plan
What do I do in case of a data breach? An incident response plan allows your tax firm to respond promptly to minimize the damage in the event of a breach. Your plan should mention details on how to identify, contain, and resolve security incidents. It should also incorporate communication strategies for notifying affected clients and stakeholders.
9. Update the Board of Directors
Your Qualified Individual must report to the Board of Directors (or similar governing body) regularly to ensure leadership is aware of potential security risks. Such reports must cover updates on risk assessments, security incidents, and the current state of the security program. This would help decision-makers to understand the cybersecurity landscape and allocate resources appropriately for compliance.
10. Notify the FTC of a Security Breach
If a major security incident occurs, you may need to report it to the FTC and other regulatory agencies to maintain transparency and accountability. Prompt reporting can help mitigate legal consequences and demonstrate your commitment to responsible data management. Your business should have a clear process for assessing when a breach meets the reporting threshold and follow proper notification protocols.
The Consequences of Non-Compliance
Non-compliance with the FTC Safeguards Rule carries severe repercussions, such as:
- High Fines & Legal Penalties – The FTC can levy significant fines for non-compliance.
- Loss of Trust & Business Reputation – Customers trust that their financials are safe. Your reputation could be dented by a data breach.
- Potential Lawsuits – Clients affected by a breach may take legal action against your business.
- Regulatory Scrutiny – Failing to comply may trigger stricter regulations and audits.
Ensure FTC Compliance: Opt for a Managed Security Service Provider
The FTC Safeguards Rule requires every financial institution to implement mandatory security protocols, such as encryption and access controls, to ensure data protection. However, for a small or mid-size tax firm, allocating dedicated funds and resources to data security can be unfeasible.
A better option is to use a managed security service provider (MSSP). An MSSP offers advanced security capabilities on a subscription basis, enabling you to stay compliant with the FTC Safeguards Rule while reducing on-premises capital IT expenses.
Ace Cloud Hosting is a managed security service provider with more than 15 years of experience. Try our managed security service and get advanced security features like 256-bit AES data encryption, vulnerability assessment, 24/7 network monitoring, managed EDR, and more. Book a Consultation Today!