The FTC Safeguards Rule is not optional. If your firm handles consumer financial information — and most CPA practices, tax preparers, financial advisors, and boutique financial services firms do — you are required to implement a comprehensive information security program that meets specific federal standards.
The penalties for non-compliance reach up to $11,000 per violation per day (FTC). Beyond fines, enforcement actions can result in mandatory corrective measures, ongoing compliance monitoring, and public disclosure of your firm’s security failures. State attorneys general can bring parallel actions under their own consumer protection laws, compounding your exposure.
This is not a distant regulatory threat. The FTC has stepped up enforcement and in June 2025 issued updated guidance to clarify expectations for covered entities (FTC Press Release). Firms that have not taken action are already behind.
This guide explains who must comply, what the rule requires, and the specific elements your information security program must include. It is a preview of our complete FTC Safeguards Guide, which provides implementation checklists, documentation templates, and vendor evaluation criteria.
Who Must Comply with the FTC Safeguards Rule?
The Safeguards Rule applies to “financial institutions” as defined under the Gramm-Leach-Bliley Act (GLBA). This definition is broader than most firm owners expect. You do not need to be a bank or a brokerage to fall under this rule.
Covered entities include (FTC):
- Tax preparation firms and enrolled agents
- CPA practices that prepare tax returns, provide financial planning, or handle client financial data
- Mortgage lenders and brokers
- Private lenders (hard money, bridge loan, commercial real estate lending)
- Loan servicers (mortgage servicers, commercial loan servicers)
- Investment advisors not registered with the SEC (SEC-registered advisors have a separate but parallel cybersecurity framework)
- Financial advisors and planners
- Collection agencies
- Credit counselors
- Check cashers and wire transfer services
- Finders (companies that connect buyers and sellers of financial products)
- Account servicers
- Non-federally insured credit unions
The common thread is handling “customer information” — personally identifiable financial data that a consumer provides to obtain a financial product or service.
The Critical Question for Your Firm
If your clients provide you with Social Security numbers, tax returns, bank account information, financial statements, or any data related to obtaining financial products or services, the Safeguards Rule almost certainly applies to you.
CPA and accounting firms are squarely within scope. So are most boutique financial services firms — private lenders, fund managers, investment bankers, and valuation firms that handle sensitive deal data and borrower information.
If you are unsure whether your firm qualifies, that uncertainty itself is a compliance risk. The FTC does not accept “we did not know it applied to us” as a defense.
What the FTC Safeguards Rule Requires
At its core, the Safeguards Rule requires covered financial institutions to develop, implement, and maintain a comprehensive information security program. The program must be written, it must be appropriate to the size and complexity of your firm, and it must address the specific risks you face.
The rule was significantly amended in 2021, with most updated requirements taking effect in June 2023. The amendments moved the rule from a principles-based standard to a more prescriptive set of requirements. General statements about “maintaining reasonable security” are no longer sufficient. You must now implement specific, documented controls.
The 9 Required Elements of Your Information Security Program
The amended Safeguards Rule identifies nine elements that your information security program must include. Each one carries specific requirements.
1. Designate a Qualified Individual
You must name a specific person responsible for implementing and supervising your information security program. This person is referred to as the “Qualified Individual” in the rule.
The Qualified Individual does not need to be an employee. They can work for an affiliate, a service provider, or a third-party firm — such as your managed IT provider. However, if you designate an outside party, your firm retains ultimate responsibility for compliance. You cannot outsource accountability.
The Qualified Individual must have the authority, resources, and access to manage the program effectively. This person reports directly to the firm’s board of directors or governing body (or a senior officer if no board exists).
2. Conduct a Risk Assessment
You must perform a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. The assessment must evaluate the sufficiency of any safeguards already in place.
This is not a one-time exercise. Your risk assessment must be updated periodically and whenever there are material changes to your operations, technology, or threat landscape.
A meaningful risk assessment for a professional services firm should evaluate:
- How customer data enters your environment (email, file uploads, client portals)
- Where customer data is stored (servers, cloud applications, laptops, mobile devices)
- Who has access to customer data (staff, contractors, software vendors)
- How customer data is transmitted (email, file sharing, client-facing portals)
- What threats are most likely (phishing, ransomware, insider threats, device theft)
3. Implement and Test Safeguards
Based on the risks identified in your assessment, you must design and implement safeguards to control those risks. The rule then requires you to regularly test or monitor the effectiveness of those safeguards.
For firms subject to this testing requirement, the rule offers a choice between two approaches:
- Continuous monitoring of your information systems, or
- Annual penetration testing combined with vulnerability assessments every six months
“We installed antivirus software” does not satisfy this requirement. Your safeguards must be appropriate to the risks you identified, and you must have evidence that they work.
4. Implement Access Controls
You must limit access to customer information to authorized individuals who need it for legitimate business purposes. This means:
- Role-based access controls (not everyone has access to everything)
- Periodic access reviews to revoke credentials when roles change
- Restrictions on administrative access to only those who require it
- Prompt de-provisioning when employees leave the firm
For law firms and CPA practices, this also means controlling access to specific client files — not just systems broadly. A staff accountant working on one client’s returns should not have unrestricted access to every client’s financial data.
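The periodic access review described above can be made mechanical. The following added example (not code from the article or from One82) assumes two exports that most firms can produce: an HR list of users with their role, assigned clients and termination date, and an entitlement list from the document management system with one row per user, client and permission. All records below are constructed. It flags departed users who still hold access, accounts with no HR record, administrative rights on non-administrator accounts, and access to client files outside a person's assignment.

```python
"""Periodic access review for client-file entitlements (added example).

Assumes constructed exports: HR records (role, assigned clients, termination
date) and DMS entitlements (user, client resource, permission). The resource
"*" stands for firm-wide access. Nothing here is One82's tooling.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    username: str
    role: str                                   # "staff", "manager", "admin"
    assigned_clients: FrozenSet[str] = field(default_factory=frozenset)
    terminated: Optional[date] = None           # None while employed


@dataclass(frozen=True)
class Entitlement:
    username: str
    resource: str       # client id such as "client-0002", or "*" for everything
    permission: str     # "read", "write", "admin"


# Constructed HR export
USERS: Dict[str, User] = {
    "alice": User("alice", "manager", frozenset({"client-0001", "client-0002"})),
    "bob": User("bob", "staff", frozenset({"client-0001"})),
    "carol": User("carol", "staff", frozenset({"client-0003"}),
                  terminated=date(2025, 1, 15)),
    "dave": User("dave", "admin"),
}

# Constructed entitlement export from the document management system
ENTITLEMENTS: List[Entitlement] = [
    Entitlement("alice", "client-0001", "write"),
    Entitlement("alice", "client-0002", "write"),
    Entitlement("bob", "client-0001", "write"),
    Entitlement("bob", "client-0002", "read"),    # client outside bob's assignment
    Entitlement("carol", "client-0003", "write"), # carol left in January
    Entitlement("bob", "*", "admin"),             # admin right on a staff account
    Entitlement("dave", "*", "admin"),            # legitimate administrator
    Entitlement("erin", "client-0001", "read"),   # no HR record at all
]

Finding = Tuple[str, str, str]   # (category, username, resource)


def review_access(users: Dict[str, User], entitlements: List[Entitlement],
                  as_of: date) -> List[Finding]:
    """Return one finding per entitlement that should be revoked or justified."""
    findings: List[Finding] = []
    for e in entitlements:
        u = users.get(e.username)
        if u is None:
            findings.append(("orphaned-account", e.username, e.resource))
        elif u.terminated is not None and u.terminated <= as_of:
            findings.append(("departed-user", e.username, e.resource))
        elif e.permission == "admin" and u.role != "admin":
            findings.append(("admin-without-admin-role", e.username, e.resource))
        elif e.resource == "*" and u.role != "admin":
            findings.append(("global-access-non-admin", e.username, e.resource))
        elif e.resource != "*" and e.resource not in u.assigned_clients:
            findings.append(("outside-assignment", e.username, e.resource))
    return findings


def count_by_category(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, user, resource in review_access(USERS, ENTITLEMENTS, date(2025, 6, 1)):
        print(f"{category:26} {user:8} {resource}")
```

Run it as-is to see the four findings the constructed data contains; in practice the two input lists are loaded from the exports, and the output becomes the evidence that the review happened, which is what an examiner asks for.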
5. Inventory and Classify Data
You must maintain an inventory of the customer information you hold, including where it is stored, where it is transmitted, and how it is classified by sensitivity.
Many professional services firms are surprised by the results of this exercise. Client data often resides in email inboxes, personal laptops, cloud storage accounts, and legacy systems that no one actively monitors. The inventory requirement forces you to confront where your data actually lives versus where you assume it lives.
6. Encrypt Customer Information
Customer information must be encrypted both at rest (stored on devices and servers) and in transit (transmitted over networks). If encryption is not feasible for a specific system, the Qualified Individual must document why and approve an equivalent alternative safeguard.
For most professional services firms, this means:
- Full-disk encryption on all laptops and desktops
- Encrypted email for transmitting client financial data
- TLS encryption on all web-based client portals and file sharing
- Encrypted backups
7. Implement Secure Development Practices
If your firm develops its own applications or systems that handle customer information, you must implement secure development practices. For most professional services firms, this element is more relevant to evaluating the software vendors and platforms you use than to internal development.
When selecting practice management systems, document management platforms, or client portals, assess whether the vendor follows secure development practices and can demonstrate them.
8. Implement Multi-Factor Authentication (MFA)
Multi-factor authentication is required for any individual accessing customer information. MFA requires users to provide at least two of the following forms of verification: something they know (a password), something they have (a phone or hardware token), or something they are (biometric).
This is not discretionary. MFA must be implemented for:
- Remote access to firm systems (VPN, remote desktop)
- Cloud-based email and productivity tools
- Client portals and file sharing platforms
- Any system containing customer financial data
Firms that have not yet implemented MFA are non-compliant today. Implementation typically takes one to two weeks and costs $3 to $6 per user per month (MIS Solutions).
9. Implement Secure Disposal Procedures
You must develop procedures for the secure disposal of customer information no later than two years after the last date the information is used (unless retention is required by law or regulation).
For CPA firms, this intersects with IRS record retention requirements. For law firms, this intersects with state bar rules on file retention. Your information security program must account for these industry-specific retention obligations while ensuring that data past its required retention period is destroyed securely.
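Elements 5 and 9 can be approached with the same tool: a scan that records where customer information lives, classifies each file by what it contains, and flags files past the two-year disposal clock. The following added example (not code from the article or from One82) does this over a file share. The classification patterns, the financial keywords and the sample directory are constructed; the age check uses the modification time, which is what most file systems reliably keep (last-access time is often not updated), so "last used" is approximated by "last modified".

```python
"""Customer-data inventory and retention check over a file share (added example).

Walks a directory tree, records each file's location and classification,
and flags customer information not modified in the last two years. The
patterns, keyword list and sample tree are constructed for the example.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Rejects area 000/666/9xx, group 00 and serial 0000, which SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
FINANCIAL_TERMS = ("routing number", "account number", "form 1040", "w-2", "1099")
RETENTION = timedelta(days=2 * 365)          # the rule's two-year disposal clock


@dataclass
class Record:
    path: str
    classification: str      # "restricted", "confidential", "internal"
    last_modified: datetime
    dispose: bool            # customer information past the retention period


def classify(text: str) -> str:
    if SSN_RE.search(text):
        return "restricted"
    lowered = text.lower()
    if any(term in lowered for term in FINANCIAL_TERMS):
        return "confidential"
    return "internal"


def scan_tree(root: str, as_of: Optional[datetime] = None,
              max_bytes: int = 1_000_000) -> List[Record]:
    """Inventory every readable file under root; only the first max_bytes are inspected."""
    as_of = as_of or datetime.now()
    records: List[Record] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="replace")
                mtime = datetime.fromtimestamp(os.path.getmtime(path))
            except OSError:
                continue                      # unreadable file: skipped, not silently "internal"
            cls = classify(text)
            # Only customer information is subject to the disposal clock.
            dispose = cls != "internal" and (as_of - mtime) > RETENTION
            records.append(Record(path, cls, mtime, dispose))
    return records


def summarize(records: List[Record]) -> Dict[str, Tuple[str, bool]]:
    """Map file name to (classification, dispose) for reporting."""
    return {os.path.basename(r.path): (r.classification, r.dispose) for r in records}


def build_sample_tree() -> str:
    """Constructed sample share: three files with backdated modification times."""
    root = tempfile.mkdtemp(prefix="inventory-")
    samples = {
        "clients/smith/2021-return.txt": ("Taxpayer SSN 123-45-6789, Form 1040", 3 * 365),
        "clients/jones/bank-letter.txt": ("Account number 0011223344, routing number 021000021", 400),
        "office/lunch-menu.txt": ("Friday: tacos", 3 * 365),
    }
    for rel, (content, age_days) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        stamp = time.time() - age_days * 86400
        os.utime(path, (stamp, stamp))
    return root


if __name__ == "__main__":
    for rec in scan_tree(build_sample_tree()):
        flag = "DISPOSE" if rec.dispose else ""
        print(f"{rec.classification:12} {rec.last_modified:%Y-%m-%d} {flag:8} {rec.path}")
```

Pointing `scan_tree` at a real share produces the inventory the rule asks for; the `dispose` column is a candidate list, not an instruction to delete, since the retention obligations the section describes (IRS rules for CPA firms, state bar rules for law firms) have to be applied before anything is destroyed.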
Breach Notification Requirements
As of May 2024, the Safeguards Rule requires financial institutions to notify the FTC of security breaches involving the customer information of 500 or more consumers. Notification must occur as soon as possible but no later than 30 days after discovery of the breach (FTC).
This is a federal notification requirement that exists alongside any state breach notification laws that may also apply. California, for example, has its own breach notification statute with separate requirements.
Penalties for Non-Compliance
The consequences of failing to comply with the Safeguards Rule are substantial and multi-layered:
- FTC enforcement fines of up to $11,000 per violation per day (OnPay)
- Mandatory corrective measures imposed by consent order
- Ongoing compliance monitoring by the FTC for years after an enforcement action
- Public disclosure of your firm’s security failures through published consent orders
- State attorney general actions under parallel state consumer protection laws
- Professional licensing consequences — state boards of accountancy and state bar associations may take separate disciplinary action
- Civil litigation from affected clients whose data was compromised
- Cyber insurance implications — non-compliance may void your coverage or result in claim denial
The average cost of a data breach reached $4.44 million globally in 2025, and $10.22 million in the United States specifically (IBM Cost of a Data Breach Report 2025). For a small firm, the reputational damage alone can be existential.
Timeline: Where You Should Be Right Now
The amended Safeguards Rule requirements have been in effect since June 2023. If your firm has not yet implemented a compliant information security program, you are already non-compliant.
Here is a realistic timeline for firms that need to act:
| Milestone | Timeline |
|---|---|
| Designate a Qualified Individual | Immediately |
| Conduct initial risk assessment | Weeks 1-4 |
| Implement MFA across all systems | Weeks 2-4 |
| Encrypt all customer data at rest and in transit | Weeks 2-6 |
| Complete data inventory and classification | Weeks 4-8 |
| Implement access controls and review processes | Weeks 4-8 |
| Deploy endpoint detection and response (EDR) | Weeks 4-6 |
| Document the full information security program | Weeks 6-10 |
| Conduct initial penetration test | Weeks 8-12 |
| Establish ongoing monitoring and testing schedule | Ongoing |
For most professional services firms with 10 to 50 employees, achieving initial compliance takes 60 to 90 days with dedicated focus and the right support. Maintaining compliance is an ongoing process, not a one-time project.
To learn more about the rule and how it applies to your firm, read our articles on What Is the FTC Safeguards Rule and FTC Safeguards Compliance.
Get the Complete Guide
This preview covers the requirements, the nine elements, and the penalties. The complete FTC Safeguards Compliance Guide goes further with:
- A step-by-step implementation checklist mapped to each of the 9 elements
- Documentation templates for your Written Information Security Program (WISP)
- A risk assessment framework designed for professional services firms
- Vendor evaluation criteria for selecting a Qualified Individual or managed security provider
- A compliance maintenance calendar for ongoing testing, training, and documentation updates
- Sample policies for access control, encryption, incident response, and data disposal
Download the Complete FTC Safeguards Compliance Guide — it is free and gives you a clear path from where you are today to documented compliance.
If your firm needs help implementing the Safeguards Rule requirements, One82 has served professional services firms in the Bay Area for over 26 years. We can act as your Qualified Individual, conduct your risk assessment, deploy the required technical controls, and maintain the documentation your firm needs. Schedule a 15-minute discovery call to discuss your compliance posture.
Frequently Asked Questions
Does the FTC Safeguards Rule apply to CPA firms?
Yes. CPA firms that prepare tax returns, provide financial planning, or handle client financial information are considered “financial institutions” under the Gramm-Leach-Bliley Act. The Safeguards Rule applies to them. This includes sole practitioners, small practices, and large firms. The FTC has specifically identified tax preparation firms as covered entities.
What happens if we do not comply with the Safeguards Rule?
Non-compliance can result in FTC enforcement fines of up to $11,000 per violation per day, mandatory corrective measures, ongoing compliance monitoring, and public disclosure of your security failures. State attorneys general can bring parallel enforcement actions. Beyond regulatory penalties, non-compliance increases your exposure to data breach liability, may void your cyber insurance coverage, and can trigger professional licensing consequences.
Can we outsource the Qualified Individual role?
Yes. The Safeguards Rule explicitly allows you to designate a Qualified Individual who works for a service provider or affiliate. Many professional services firms designate their managed IT provider or a cybersecurity consultant for this role. However, your firm retains ultimate responsibility for compliance. You must oversee the Qualified Individual’s work and ensure the program meets the rule’s requirements.
How is the FTC Safeguards Rule different from a WISP?
A Written Information Security Plan (WISP) is the document that describes your information security program. The FTC Safeguards Rule is the federal regulation that requires you to have that program and specifies the nine elements it must include. Think of the Safeguards Rule as the law and your WISP as the evidence of compliance. Many states also require a WISP independently of the federal rule, particularly for tax preparers.
Does the rule apply to law firms?
The FTC Safeguards Rule specifically applies to “financial institutions” as defined by the GLBA. Most law firms are not classified as financial institutions under this definition, unless they engage in financial activities like tax preparation, financial advising, or processing consumer financial transactions. However, law firms face parallel obligations under state bar rules requiring technology competence and the protection of client confidential information. Many of the same technical safeguards — encryption, MFA, access controls — are required regardless.
How often do we need to update our risk assessment?
The rule requires periodic updates to your risk assessment and whenever there are material changes to your operations, technology environment, or threat landscape. In practice, most compliance advisors recommend reviewing and updating the risk assessment at least annually, with interim updates triggered by events such as adding new systems, changing vendors, experiencing a security incident, or opening a new office location.
What is the difference between the FTC Safeguards Rule and the IRS WISP requirement?
The IRS requires all tax professionals to create and maintain a Written Information Security Plan as part of their obligations under Publication 4557. The FTC Safeguards Rule is a separate federal regulation under the GLBA with its own enforcement mechanism and penalties. There is significant overlap in what both require, but the FTC rule is more prescriptive (specifying nine elements) and carries its own penalty structure. Tax preparers must comply with both.