Can your firm comply with the FTC Safeguards Rule checklist?
By June 2023, accounting firms were supposed to be in compliance with a revised set of security standards set forth by the Federal Trade Commission (FTC). Unfortunately, a lot of firm leaders don’t know the standards exist.
The FTC established its Safeguards Rule—actually more of a set of rules—over two decades ago as an enforcement measure for the Gramm-Leach-Bliley Act, which passed back in 1999. At a very high level, the Safeguards Rule establishes a set of cybersecurity standards that financial institutions must meet or face fines…or worse. As usual, the complexity is in the details.
Why an FTC Safeguards Rule checklist matters to accounting firms
What does this have to do with accounting firms, and why should your firm worry about following a set of rules that’s more than 20 years old? It’s likely that your firm qualifies as a financial institution according to the FTC. For starters, if your firm prepares tax returns of any kind and has access to more than 5,000 consumer records that aren’t publicly accessible, it must comply with the Safeguards Rule. To be clear, that’s not 5,000 clients; it’s 5,000 records.
For instance:
- If you can see non-public email addresses—private addresses not available on a website—for your clients’ customers or partners, each of those emails is a record.
- If you can see a receipt showing that one of your clients spent a certain amount of money with a business partner, that is a record.
- A statement showing a client’s incoming revenue from a specific customer is a record.
- An individual’s address on a 1040 return is a record.
Even the contact information of your own clients qualifies as records. That’s why all but the very smallest firms have more than 5,000 records, and some small firms might as well.
Firms that have the minimum number of records must follow the Safeguards Rule, and there are real consequences for non-compliance. Under Title 18 of the United States Code, firms can face fines of up to $100,000 per violation, while firm leaders can be personally liable for up to $10,000 per violation. There’s even the potential for a prison sentence of up to five years for non-compliance.
What firms need to do to comply with FTC regulations
So, the FTC, which is responsible for enforcement of the Safeguards Rule, isn’t messing around when it comes to requiring compliance. But why should firms concern themselves with a set of old rules that basically predates the modern internet? Because those rules change periodically—and they’re complex and not easy to follow.
In fact, the deadline to comply with the latest set of changes passed in June 2023. The detailed FTC Safeguards Rule checklist is long and complex, even in a relatively simplified format.
This is the overarching, non-detailed checklist from the FTC of what firms must do to comply:
- Designate a qualified person to oversee their information security program.
- Develop a written risk assessment.
- Limit and monitor who can access sensitive customer information.
- Encrypt all sensitive information.
- Train security personnel.
- Develop an incident response plan.
- Periodically assess the security practices of service providers.
- Implement multifactor authentication or another method with equivalent protection for anyone accessing customer information.
That’s already a lot, and the list above is far from comprehensive. The detailed FTC Safeguards Rule checklist list goes far deeper. In fact, under just one bullet point on risk assessment, there are eight additional requirements:
- Implement and periodically review access controls.
- Know what you have and where you have it.
- Encrypt customer information on your system and when it’s in transit.
- Assess your apps.
- Implement multifactor authentication for anyone accessing customer information on your system.
- Dispose of customer information securely.
- Anticipate and evaluate changes to your information system or network.
- Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
And each of those has a longer explanation. There is, quite frankly, more to complying with the Safeguards Rule than most firms can handle on their own.
Firms can get help complying with the Safeguards Rule
Fortunately, firms don’t have to tackle compliance alone. Partnering with a provider of cloud-based services can check a lot of compliance boxes. And firms can also get help developing security plans. The qualified person overseeing security doesn’t have to be a firm employee; it can be someone who works for the firm’s cloud provider.
A cloud partner that offers a fully managed online experience can also provide cybersecurity training for employees. This is on top of handling all the technical details of compliance—including encryption, multifactor authentication and limiting access to client information. There is, in fact, very little on the list of requirements that a cloud provider with fully managed services can’t take care of for a firm. All the firm really has to do is periodically assess the performance of the cloud provider.
There are even providers of cloud services that can help firms develop written information security plans (or WISPs) and incident response plans (which are not the same thing). Compliance with the Safeguards Rule is full of potential pitfalls for firms that try to handle security in-house on their own. However, firms that trust a provider can rest assured that they’re following the rules as required.
With cyberattacks posing a constant risk to firms, letting a cloud services provider handle security is just good business practice. Trained security professionals can keep your data safe and available in enterprise-class facilities that virtually no accounting firm could match.
Stay in compliance with a cloud partner
Compliance with the Safeguards Rule isn’t simple for firms that try to manage security on their own. But for firms that trust a cloud provider to offer a fully managed online experience and security consulting, compliance can be simple. One thing is for sure, though: Compliance isn’t optional. The time to get in line with new elements of the Safeguards Rule has already passed—so firms need to take action now.
Stay on top of regulations and trends in the accounting profession. Subscribe to our blog below.