In 2003, the FTC released the FTC Safeguards Rule. A part of the Gramm-Leach-Bliley Act, the Rule established guidelines for safe handling of consumer records by financial institutions and other similar organizations. In Oct. 2021, the Rule was updated: the definition of “financial institution” was broadened and specific requirements were added, most notably the requirement to create a formal Information Security Program designed to protect sensitive consumer data from falling into the hands of cybercriminals.
In Nov. 2022, the penalty phase was moved to June 9, 2023, to give practitioners more time to comply, since many were entirely unaware of the requirement.
Most tax preparers are aware they need to comply with IRS Publication 4557, Safeguarding Taxpayer Data, since compliance has been required on their PTIN application and renewal forms since 2019. Still, many were caught off guard when the FTC Safeguards Rule went into the “penalty phase” in June 2023.
All tax preparers are required to comply with the FTC Safeguards Rule because they are specifically mentioned in the Rule. While the Rule is very clear in what is required to comply—this article in the CPA Practice Advisor gives a great general explanation—there has been a lot of confusion about whether the Rule applies to bookkeepers and accountants who do not prepare tax returns for their clients.
Probably the main thing that is confusing practitioners is that firms who hold records for “less than 5,000 consumers are exempt from certain requirements.”
That sounds like a lot of consumers. But when you take a moment to think about how many consumers a bad actor could reach via the software you use to service your clients, it adds up quickly. To further complicate things, the FTC Safeguards Rule specifically mentions “your clients’ customers” as one of the sensitive things you need to safeguard. This is because their names, emails, addresses, phone numbers, and perhaps even credit card and bank account numbers are accessible via your software. Bad actors love to get their hands on treasure troves of data, and accounting, bookkeeping, and tax firms are among the best places to find them.
What you need to do
Here is the calculation you need to do in your firm. Gather and add up the following three numbers:
- Total number of clients (past and present) in your software and data banks.
- Total number of their employees (accessible through your software and data banks).
- Total number of their customers (accessible through your software and data banks).
For most firms, this total will exceed 5,000 because just one e-commerce client may have thousands of customers in their e-commerce solution. If you have access to that e-commerce solution via your software or a direct login, a bad actor could gain access to customer data through your firm.
What is the next step?
What do you do now that you realize you need to comply? This is where training can help. Look for a course that explains how to comply, instead of just what you need to have in place, and provides all sample policies, checklists and resource guides needed. The Grove is a good place to start; Firm of the Future readers get 20% off the “Complying with IRS Publication 4557 and FTC Safeguards Rule” Master Class. Use code fotf20 at checkout.
Alternatively, if you are in a position to do so, find a managed service provider to ensure your firm comes into compliance quickly with the FTC Safeguards Rule. If you have more money than time, this is a very effective option, and each company has multiple plans to choose from.
You’ve got this!