FTC safeguards rule explained: Accountant's guide to creating a data security plan

What is the FTC Safeguards Rule?

First things first, the Federal Trade Commission’s Standards for Safeguarding Customer Information, or Safeguards Rule for short, provides guidelines for businesses on how to keep safeguards in place that protect the security of customer information.

Background on the Safeguards Rule

The Safeguards Rule took effect in 2003, but it was updated in 2021 to keep up with the rapid pace of technology. Specifically, the 2021 update provides more concrete guidance for businesses and outlines compliance requirements for businesses handling financial data. It reflects core data security principles that all covered companies need to implement.

What is the purpose of the FTC Safeguards Rule?

The primary purpose of the FTC Safeguards Rule is to establish clear standards for the protection of customer information within financial institutions. By requiring these institutions to implement administrative, technical, and physical safeguards, the rule aims to maintain the security, confidentiality, and integrity of customer data.

How does this protect customers? It helps to prevent unauthorized access, data breaches, and identity theft, while also fostering trust between businesses and their customers. The rule’s guidelines also provide a framework for businesses to follow to ensure that they are taking appropriate measures to safeguard customer information effectively.

Next, let’s dig deeper into who the rule applies to.

Who does the new FTC Safeguards rule apply to?

The FTC Safeguards Rule outlines the range of its application, ensuring that it covers all financial institutions under the jurisdiction of the Federal Trade Commission (FTC). According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature”.

Although it casts a wide net, it is likely that consumers are familiar with one or more of the institutions on the list. You can see these institutions in the table below.

The key takeaway is that any entity engaged in financial activities falls under the purview of the rule to ensure the security and protection of customer information.

The rule aims to ensure that these entities implement necessary safeguards to protect customer information from breaches and misuse, promoting a secure environment for sensitive data.

FTC safeguards rule checklist

The checklist below can help you stay on top of all of the Safeguard rules and requirements.

• Designate a qualified individual to oversee their information security program
• Develop a written risk assessment
• Limit and monitor who can access sensitive customer information
• Encrypt all sensitive information
• Train security personnel
• Develop an incident response plan
• Periodically assess the security practices of service providers, and
• Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information

When was the deadline?

By June 9, 2023, financial companies were required to ensure compliance with all aspects of the Safeguards Rule to avoid potential penalties. If you have not already upgraded your cybersecurity program before the June 9, 2023, deadline, its a good idea to take a closer look at what’s required.

Are there firms that are exempt from the FTC Safeguards Rule?

For financial institutions with fewer than a total of 5,000 contact records, there is an exemption that exists within the Safeguards Rule. It’s important to note that this exemption is based on the total number of contacts, including the contacts held by those contacts in your records too.

That may be a lot to visualize, so let’s review an example.

• Let’s say your firm has a database size of 100 contact records.
• Within that group, you have a client record with an additional 4,901 contact records, each containing sensitive information that your firm is responsible for
• In this case, you would not be exempt because this adds up to 5,001 contact records.

The takeaway is that since the total number of contacts exceeds 5,000 —  the 100 contact records and the 4,901 records that belong to the client in the example above would add up over 5,000 records. In this scenario, the exemption would not apply.

Moving on, companies with fewer than 5,000 contact records are exempt from the following requirements:

• Risk assessment.
• Progress monitoring with a designated service provider.
• Incident response plan implementation.
• Regular reporting and documentation of progress.

However, these five requirements remain applicable:

• Appoint an organization or a qualified employee to oversee your cybersecurity program.
• Implement safeguards and take necessary measures to mitigate risks.
• Regularly assess the state of your infrastructure.
• Provide security awareness training to your staff.
• Keep your cybersecurity systems updated.

Following the FTC safeguards rule in your practice

What does your practice need to do?

In most cases, adhering to the FTC Safeguards Rule is as simple as applying a bit of common sense and keeping your company’s specific needs in mind. The FTC’s eight outlined requirements, which we discussed earlier in the article, are meant to be straightforward.

In the official documentation of the FTC Safeguards Rule, particular attention is given to the written information security plan (WISP).

This plan must be in writing and take into account the:

• Size and complexity of your business
• Nature and scope of your activities
• Information sensitivity

Question 11 on the IRS W-12 renewal form reinforces this. It can be a good idea to ask yourself, “Do I satisfy the requirements to tick off the Q11 box?”

Remember that the WISP needs to be not only documented but also tailored to suit your business’s individual context. It’s important to recognize that the information security plan will naturally vary between a large company with a team of 100 members and a small practice with only five team members. By considering these factors, your approach to the Safeguards Rule can be practical, effective, and uniquely suited to your business’s specific circumstances.

Next, let’s talk about the various components that a WISP usually consists of.

What does a written Information Security Plan (WISP) for an accounting firm generally include?

A comprehensive written information security plan for an accounting firm typically includes a range of measures aimed at safeguarding sensitive client data, maintaining data integrity, and preventing cyber threats. Here’s what it generally includes:

• Risk Assessment
• Policies and Procedures
• Access Controls
• Employee Training
• Incident Response Plan
• Data Encryption
• Regular Audits and Assessments
• Vendor Management
• Backup and Recovery
• Physical Security
• Continuous Monitoring
• Compliance and Regulations
• Security Awareness

Are there penalties for noncompliance?

Investigations have not been reported since the deadline. It’s important to note that while penalties for noncompliance have not made headlines, firms aren’t entirely exempt from the possibility of investigations.

Historically, the most common culprit leading to an investigation is a security breach. If there is a breach and it turns out that an organization did not have the proper security measures in place, that’s when the potential for less-than-positive outcomes increases.

In fact, we’ve observed cases where cyber insurance policies have been denied due to inadequate safeguards in place. This underscores the importance of proactive security measures. Currently, the trend leans more towards reactive investigations instead of proactive ones. To mitigate these risks, it makes good business sense to get acquainted with the guidelines we’ve covered, as following these measures significantly reduces the likelihood of a breach.

How is PracticeProtect assisting accounting firms with FTC compliance?

At Practice Protect, we’ve built our reputation as America’s most comprehensive data security platform serving over 23,000 accountants.

In order to help accountants navigate the FTC Safeguards Rule and PTIN renewal, we have put together a ready-to-use Information Security Pack (ISP). This includes templates for

• WISP
• Incident response plan
• Risk assessment matrix

These templates are tailored specifically for accountants and were designed to help  streamline your firm’s compliance efforts. In fact, this ISP pack is curated from hundreds of WISPs we have built for our accounting clients, and we hope it will help you save time and keep your firm safe from cybersecurity risks as well.