It’s easy to switch. We’ll even set you up for free

Updated: April 27, 2024

FTC safeguards rule explained: Accountant's guide to creating a data security plan

Published By:

Practice Protect

The Federal Trade Commission’s Standards for Safeguarding Customer Information, commonly referred to as the Safeguards Rule, plays a critical role in defining how businesses should protect the security of customer information.


But how do you know if the rules apply to your accounting firm and what steps you need to take to stay compliant? In this comprehensive guide, we’ll explore the FTC Safeguards rule’s purpose, its applicability, the deadline for compliance, and share a key checklist of requirements. In addition, we’ll cover some exceptions and provide insights on how to create a custom Written Information Security Plan (WISP) for accounting firms.


Keep reading to get a clear understanding of the Safeguards Rule’s significance and how it can protect both your client data and the reputation of your practice.

What is the FTC Safeguards Rule?

First things first, the Federal Trade Commission’s Standards for Safeguarding Customer Information, or Safeguards Rule for short, provides guidelines for businesses on how to keep safeguards in place that protect the security of customer information.


Background on the Safeguards Rule

The Safeguards Rule took effect in 2003, but it was updated in 2021 to keep up with the rapid pace of technology. Specifically, the 2021 update provides more concrete guidance for businesses and outlines compliance requirements for businesses handling financial data. It reflects core data security principles that all covered companies need to implement.


What is the purpose of the FTC Safeguards Rule?

The primary purpose of the FTC Safeguards Rule is to establish clear standards for the protection of customer information within financial institutions. By requiring these institutions to implement administrative, technical, and physical safeguards, the rule aims to maintain the security, confidentiality, and integrity of customer data.


How does this protect customers? It helps to prevent unauthorized access, data breaches, and identity theft, while also fostering trust between businesses and their customers. The rule’s guidelines also provide a framework for businesses to follow to ensure that they are taking appropriate measures to safeguard customer information effectively.


Next, let’s dig deeper into who the rule applies to.

Who does the new FTC Safeguards rule apply to?

The FTC Safeguards Rule outlines the range of its application, ensuring that it covers all financial institutions under the jurisdiction of the Federal Trade Commission (FTC). According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature”.


Although it casts a wide net, it is likely that consumers are familiar with one or more of the institutions on the list. You can see these institutions in the table below.


Financial institution examples
Mortgage lenders Wire transferors
Payday lenders Travel agencies associated with financial services
Finance companies Collection agencies
Mortgage brokers Credit counselors
Account servicers Tax preparation firms
Check cashers Non-federally insured credit unions
Entities acting as finders Investment advisors not required to register with the Securities and Exchange Commission


The key takeaway is that any entity engaged in financial activities falls under the purview of the rule to ensure the security and protection of customer information.


The rule aims to ensure that these entities implement necessary safeguards to protect customer information from breaches and misuse, promoting a secure environment for sensitive data.

FTC safeguards rule checklist

The checklist below can help you stay on top of all of the Safeguard rules and requirements.

  • Designate a qualified individual to oversee their information security program
  • Develop a written risk assessment
  • Limit and monitor who can access sensitive customer information
  • Encrypt all sensitive information
  • Train security personnel
  • Develop an incident response plan
  • Periodically assess the security practices of service providers, and
  • Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information


When was the deadline?

By June 9, 2023, financial companies were required to ensure compliance with all aspects of the Safeguards Rule to avoid potential penalties. If you have not already upgraded your cybersecurity program before the June 9, 2023, deadline, its a good idea to take a closer look at what’s required.

FTC Safeguards rule checklist – downloadable PDF

Above is a checklist you can download for reference and help you create your compliance plan.

Are there firms that are exempt from the FTC Safeguards Rule?

For financial institutions with fewer than a total of 5,000 contact records, there is an exemption that exists within the Safeguards Rule. It’s important to note that this exemption is based on the total number of contacts, including the contacts held by those contacts in your records too.


That may be a lot to visualize, so let’s review an example.

  • Let’s say your firm has a database size of 100 contact records.
  • Within that group, you have a client record with an additional 4,901 contact records, each containing sensitive information that your firm is responsible for
  • In this case, you would not be exempt because this adds up to 5,001 contact records.


The takeaway is that since the total number of contacts exceeds 5,000 —  the 100 contact records and the 4,901 records that belong to the client in the example above would add up over 5,000 records. In this scenario, the exemption would not apply.


Moving on, companies with fewer than 5,000 contact records are exempt from the following requirements:

  • Risk assessment.
  • Progress monitoring with a designated service provider.
  • Incident response plan implementation.
  • Regular reporting and documentation of progress.


However, these five requirements remain applicable:

  • Appoint an organization or a qualified employee to oversee your cybersecurity program.
  • Implement safeguards and take necessary measures to mitigate risks.
  • Regularly assess the state of your infrastructure.
  • Provide security awareness training to your staff.
  • Keep your cybersecurity systems updated.

Following the FTC safeguards rule in your practice

What does your practice need to do?

In most cases, adhering to the FTC Safeguards Rule is as simple as applying a bit of common sense and keeping your company’s specific needs in mind. The FTC’s eight outlined requirements, which we discussed earlier in the article, are meant to be straightforward.


In the official documentation of the FTC Safeguards Rule, particular attention is given to the written information security plan (WISP).


This plan must be in writing and take into account the:

  • Size and complexity of your business
  • Nature and scope of your activities
  • Information sensitivity


Question 11 on the IRS W-12 renewal form reinforces this. It can be a good idea to ask yourself, “Do I satisfy the requirements to tick off the Q11 box?”



Remember that the WISP needs to be not only documented but also tailored to suit your business’s individual context. It’s important to recognize that the information security plan will naturally vary between a large company with a team of 100 members and a small practice with only five team members. By considering these factors, your approach to the Safeguards Rule can be practical, effective, and uniquely suited to your business’s specific circumstances.


Next, let’s talk about the various components that a WISP usually consists of.


What does a written Information Security Plan (WISP) for an accounting firm generally include?

A comprehensive written information security plan for an accounting firm typically includes a range of measures aimed at safeguarding sensitive client data, maintaining data integrity, and preventing cyber threats. Here’s what it generally includes:

  • Risk Assessment
  • Policies and Procedures
  • Access Controls
  • Employee Training
  • Incident Response Plan
  • Data Encryption
  • Regular Audits and Assessments
  • Vendor Management
  • Backup and Recovery
  • Physical Security
  • Continuous Monitoring
  • Compliance and Regulations
  • Security Awareness


Are there penalties for noncompliance?

Investigations have not been reported since the deadline. It’s important to note that while penalties for noncompliance have not made headlines, firms aren’t entirely exempt from the possibility of investigations.


Historically, the most common culprit leading to an investigation is a security breach. If there is a breach and it turns out that an organization did not have the proper security measures in place, that’s when the potential for less-than-positive outcomes increases.


In fact, we’ve observed cases where cyber insurance policies have been denied due to inadequate safeguards in place. This underscores the importance of proactive security measures. Currently, the trend leans more towards reactive investigations instead of proactive ones. To mitigate these risks, it makes good business sense to get acquainted with the guidelines we’ve covered, as following these measures significantly reduces the likelihood of a breach.


How is PracticeProtect assisting accounting firms with FTC compliance?

At Practice Protect, we’ve built our reputation as America’s most comprehensive data security platform serving over 23,000 accountants.



In order to help accountants navigate the FTC Safeguards Rule and PTIN renewal, we have put together a ready-to-use Information Security Pack (ISP). This includes templates for

  • WISP
  • Incident response plan
  • Risk assessment matrix


These templates are tailored specifically for accountants and were designed to help  streamline your firm’s compliance efforts. In fact, this ISP pack is curated from hundreds of WISPs we have built for our accounting clients, and we hope it will help you save time and keep your firm safe from cybersecurity risks as well.

Following the FTC Safeguards Rule helps your firm stay ahead of security gaps

In an era where data security and customer trust are paramount, being familiar with FTC guidelines, particularly the Safeguards Rule, is imperative for accounting firms. Ensuring the confidentiality, integrity, and security of customer information not only protects your practice from potential breaches, but also maintains your clients’ trust in you. The key to compliance lies in a robust Written Information Security Program (WISP) that reflects the unique needs of your firm and clients. By acting promptly and proactively, accounting firms can navigate these guidelines effectively, bolster their cybersecurity, and secure both their clients’ sensitive data and their own professional reputation.

Talk to us and see how easy it is to offer payroll services your way.

This article was provided by Practice Protect, OnPay’s cybersecurity platform partner for CPAs, bookkeepers, and CAS firms.