The FTC Safeguards Rule is a federal regulation that requires financial institutions — including CPA firms, tax preparers, and non-bank financial companies — to develop, implement, and maintain a comprehensive information security program to protect customer data. One82 is a managed service provider based in Los Gatos, California, specializing in IT, cybersecurity, compliance, and AI for professional services firms in the San Francisco Bay Area. We help CPA firms and financial services firms build security programs that meet the Safeguards Rule’s specific technical requirements.

Background and Recent Changes

The Safeguards Rule was originally issued in 2003 under the Gramm-Leach-Bliley Act (GLBA). In October 2023, the FTC’s significantly updated version of the rule took full effect, adding detailed technical requirements that transformed it from a principles-based regulation into a prescriptive cybersecurity mandate.

The 2023 updates were the most substantial changes to the Safeguards Rule in its 20-year history, reflecting the FTC’s recognition that general data security principles were insufficient to protect consumer financial data in the current threat environment.

Who Must Comply?

The Safeguards Rule defines “financial institution” broadly. It applies to:

  • CPA firms and tax preparers — Any firm that prepares tax returns or provides financial advisory services
  • Mortgage lenders and brokers — Including private lenders and loan servicers
  • Investment advisers not registered with the SEC
  • Real estate settlement agents — Title companies and escrow firms
  • Financial data processors — Firms that handle consumer financial information

According to the FTC, the updated rule applies to approximately 300,000 non-bank financial institutions in the United States (FTC Safeguards Rule Fact Sheet, 2023).

Key Requirements

The updated Safeguards Rule requires firms to:

Designate a Qualified Individual. Your firm must name one person responsible for overseeing the information security program. This can be an employee or an outsourced provider.

Conduct a risk assessment. Identify reasonably foreseeable internal and external risks to the security of customer information and assess the sufficiency of existing safeguards.

Implement specific technical controls:

  • Access controls limiting which users can access customer data
  • Data inventory identifying what customer information you hold and where
  • Encryption of customer data both at rest and in transit
  • Multi-factor authentication for anyone accessing customer information
  • Secure disposal procedures for customer data no longer needed
  • Change management procedures for your information systems
  • Monitoring and logging of authorized user activity and unauthorized access attempts

Develop an incident response plan. Document procedures for detecting, responding to, and recovering from security events.

Provide security awareness training. Train all personnel on the firm’s information security policies and procedures.

Report to the board or senior management. The Qualified Individual must report at least annually on the overall status of the security program, including risk assessment findings, security events, and management decisions.

According to the Ponemon Institute, the average cost of non-compliance with data protection regulations is 2.71 times higher than the cost of compliance (Ponemon/GlobalScape, 2023).

How One82 Helps Firms Comply

One82 addresses every technical requirement of the updated Safeguards Rule as part of our managed services:

  • Qualified Individual support — We serve as or support your designated Qualified Individual with the technical expertise needed to oversee your security program
  • Risk assessments — Annual risk assessments documented in a format the FTC would expect
  • Technical controls — MFA, encryption, access controls, monitoring, and logging deployed and maintained continuously
  • Incident response — Documented and tested incident response procedures
  • Training — Ongoing security awareness training for all staff
  • Annual reporting — Compliance documentation and board-level reporting on your security program’s status

Frequently Asked Questions

Does the FTC Safeguards Rule apply to CPA firms?

Yes. CPA firms and tax preparers are classified as “financial institutions” under the Gramm-Leach-Bliley Act and must comply with the FTC Safeguards Rule. This includes sole practitioners and small firms — there is no size exemption.

What are the penalties for non-compliance?

The FTC can impose civil penalties of up to $50,120 per violation under the Safeguards Rule. Additionally, the FTC can require corrective actions, independent security assessments, and ongoing compliance monitoring. In the event of a data breach, non-compliance also creates significant civil liability.

How is the FTC Safeguards Rule different from IRS Publication 4557?

IRS Publication 4557 is guidance that describes best practices for safeguarding taxpayer data. The FTC Safeguards Rule is a legally binding federal regulation with specific technical requirements and enforcement penalties. Publication 4557 references the Safeguards Rule and GLBA as underlying legal authorities — the two are complementary, with the Safeguards Rule carrying direct legal force.

Do I need to encrypt all customer data?

The updated Safeguards Rule requires encryption of customer information both at rest (stored on devices or servers) and in transit (sent via email or transferred over networks). This applies to all customer information your firm holds, not just selected records.