FTC Safeguards Rule Compliance – A complete guide for Accountants

FTC Safeguards Rule Compliance Made Easy

The FTC safeguards rule has captured a lot of attention in recent years among the Accounting, Bookkeeping and Tax preparer community. With its complexities and implications, this regulation has left many practitioners pondering what it truly means for their practices and whether proactive steps are required. Working with over 24,000+ accountants, we have first hand experience with all these questions and hence we put together this simple and complete guide. 

In this guide, we’ll explore the FTC Safeguards rule’s purpose, its applicability, the deadline for compliance, and share a key checklist of requirements. In addition, we’ll cover some exceptions and provide insights on how to create a custom Written Information Security Plan (WISP) for accounting firms.

What is the FTC Safeguards Rule?

The Federal Trade Commission’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is there to provide guidelines for businesses on how to maintain safeguards to protect the security of customer information.

The Safeguards Rule took effect in 2003, but it was updated in 2021. The 2021 update provides more concrete guidance for businesses, outlining compliance requirements for businesses handling financial data. It reflects core data security principles that all covered companies need to implement.

What is the purpose of the FTC Safeguards Rule?

The primary purpose of the FTC Safeguards Rule is to establish clear standards for the protection of customer information within financial institutions. By requiring these institutions to implement administrative, technical, and physical safeguards, the rule aims to maintain the security, confidentiality, and integrity of customer data.

How does this protect customers? It helps to prevent unauthorized access, data breaches, and identity theft, while also fostering trust between businesses and their customers. The rule’s guidelines also provide a framework for businesses to follow to ensure that they are taking appropriate measures to safeguard customer information effectively.

Next, let’s dig deeper into who the rule applies to.

Who does this apply to?

The FTC Safeguards Rule outlines the range of its application, ensuring that it covers all financial institutions under the jurisdiction of the Federal Trade Commission (FTC). According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature”.

Although it casts a wide net, it is likely that consumers are familiar with one or more of the institutions on the list. You can see these institutions in the table below.

  • Mortgage lenders
  • “Pay day” lenders
  • Finance companies
  • Mortgage brokers
  • Account servicers
  • Check cashers
  • Wire transferors
  • Travel agencies operated in connection with financial services
  • Collection agencies
  • Credit counselors and other financial advisors
  • Tax preparation firms
  • Non-federally insured credit unions
  • Investment advisors

What does this mean for Accounting firms? 

For accounting firms, compliance with the FTC Safeguards Rule is not just a regulatory requirement; it’s a crucial step in ensuring the security of sensitive customer information. Let’s break down what this means for your practice:

1. Legal Obligation: Accounting firms, like other financial institutions, must adhere to the Safeguards Rule as mandated by the Federal Trade Commission. Failure to comply can result in legal consequences, including fines and reputational damage.

2. Data Security: The Safeguards Rule places a strong emphasis on data security. This means that accounting firms need to implement robust security measures to protect client data. This includes safeguarding electronic and physical records, assessing risks, and ensuring secure access to sensitive information.

3. Client Trust: Compliance with these FTC rules not only safeguards customer data but also builds trust. Clients expect their financial information to be handled with the utmost care and security. Meeting the requirements of the Safeguards Rule demonstrates your commitment to client confidentiality.

4. Cybersecurity Awareness: As the rule evolves, so do cybersecurity threats. Staying compliant means staying informed about emerging threats and adjusting your security measures accordingly. Regular training and awareness programs for your team become vital.

When is the deadline for FTC Safeguards Rule?

The deadline for complying with some of the updated requirements of the Safeguards Rule is now June 9, 2023.

By June 9, 2023, such companies must ensure compliance with all aspects of the Safeguards Rule to avoid potential penalties. Upgrading your cybersecurity program before the June 9 2023 deadline is key.

What are the key requirements of the FTC Safeguards Rules? 

To simplify the mandatory rules, we have compiled a checklist of requirements:

  1. Designate a qualified individual to oversee their information security
  2. Develop a written risk assessment
  3. Limit and monitor who can access sensitive customer information
  4. Encrypt all sensitive information
  5. Train security personnel
  6. Develop an incident response plan
  7. Periodically assess the security practices of service providers, and
  8. Implement multi-factor authentication or another method with
    equivalent protection for any individual accessing customer

What firms are exempt from these FTC Safeguards Rule requirements? 

However, for firms with fewer than 5,000 contact records, there is an exemption within the Safeguards Rule for financial institutions in such cases. It’s important to note that this exemption is based on the total number of contacts including the contacts held by those contacts. For example, if you have a database size of 100 and one of those records such as a client for whom you hold sensitive data has 4901 contact records, you are not exempt.

Companies with fewer than 5,000 contact records are exempt from the following requirements:

  1. Risk assessment.
  2. Progress monitoring with a designated service provider.
  3. Incident response plan implementation.
  4. Regular reporting and documentation of progress.

However, these five requirements remain applicable:

  1. Appoint an organization or a qualified employee to oversee your cybersecurity program.
  2. Implement safeguards and take necessary measures to mitigate risks.
  3. Regularly assess the state of your infrastructure.
  4. Provide security awareness training to your staff.
  5. Keep your cybersecurity systems updated.

How to follow and comply with the FTC safeguards rule in your practice?

In most cases, adhering to the FTC Safeguards Rule is as simple as applying a bit of common sense and keeping your company’s specific needs in mind. The FTC’s eight outlined requirements, which we discussed earlier in the article, are meant to be straightforward.

In the official documentation of the FTC Safeguards Rule, particular attention is given to the written information security plan (WISP).

This plan must be in writing and take into account the:

  • Size and complexity of your business,
  • Nature and scope of your activities and
  • sensitivity of the information at issue

Question 11 on the IRS W-12 renewal form reinforces this. It can be a good idea to ask yourself, “Do I satisfy the requirements to tick off the Q11 box?”

Remember that the WISP needs to be not only documented but also tailored to suit your business’s individual context. It’s important to recognize that the information security plan will naturally vary between a large company with a team of 100 members and a small practice with only five team members. By considering these factors, your approach to the Safeguards Rule can be practical, effective, and uniquely suited to your business’s specific circumstances.

How to create your WISP or Data Security Plan?

At Practice Protect, we offer WISP template packs for all clients, as a part of our Practice Protect University (PPU). WE also, when you come onboard at Practice Protect create and customize these documents on your behalf.  We’ve consulted with top-tier attorneys to create an industry-standard data security plan so that you wouldn’t have to.

For who are not Practice Protect customers, here’s a list of what should go into your WISP –

  • A risk assessment must be completed
  • Identify the risks and impacts of unauthorized data use and access
  • Determine systems vulnerability of your firm
  • Highlight a list of actions to reduce vulnerability
  • Software and hardware safeguards in place
  • Responsible data security personnel
  • Annual review protocol
  • Download our guide below to get see the full list.

It should include self-assessment protocols and cadence for employees, privacy notices and practice policy disclosures for clients, written security policies of all service providers, facilities security protection and procedures in event of disaster, and more.

WISP & Data Security plan templates

Finding it overwhelming to create a WISP on your own? We are here to help you along the way. For non-Practice Protect clients, we offer free WISP template pack that will include accounting specific and ready-to-use templates for –

  • Information Security Plan
  • Incident Response Plan
  • Risk Assessment Matrix

This template pack will help you breeze through your WISP in 2 hours. Join our workshop to get access.

The Practice Protect Platform – 

Supporting over 23000 accountants and bookkeepers, Practice Protect is America’s largest cybersecurity platform. The Practice Protect portal offers comprehensive access management across everything an accounting practice uses. 

Here are 5 ways in which the Practice Protect platform is helping your firm stay compliant with the FTC Safeguards Rule – 

  • Limit and monitor access to sensitive information for your team across all the accounting apps from a single dashboard. 
  • With PP portal implemented across your firm, all your cloud app passwords are encrypted and secured.
  • MFA authentication setup & simplified – The PP portal has MFA setup and implemented, from there it’s a single click login to all your apps. For apps that require additional MFA, you can manage that from the PP portal itself without the need of an authenticator app. 
  • Our compliance hub – gives you access to ready to use WISP, risk assessment & incident response templates
  • We also have client trust packs and Compliance guideline docs to manage risk and give your clients peace of mind

Not sure where to go to from here? We can help! Book in a Security Consultation and we can take you through the steps you need to become compliant and secure.