Tax preparers are likely already familiar with IRS Publication 4557, Safeguarding Taxpayer Data, and its application to professionals who practice before the IRS or hold a preparer tax identification number. However, there is another rule that tax preparers might not think applies to them — the Federal Trade Commission’s (FTC’s) Standards for Safeguarding Customer Information (the Safeguards Rule). While the Safeguards Rule has been around for decades, CPA firms may not have given it more than a passing thought. However, the latest amendments to the Safeguards Rule may require firms to think differently.
Originally promulgated in 2002 pursuant to the Gramm-Leach-Bliley Act, P.L. 106-102, the Safeguards Rule obligates covered financial institutions to “develop, implement, and maintain” an information security program (ISP) that includes specific “administrative, technical, and physical safeguards” designed to protect customer information. The ISP must be in writing and “appropriate to the size and complexity of the [covered] financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.”
In December 2021, the FTC amended the Safeguards Rule to expand its definition of a financial institution and to provide more concrete guidance regarding specific safeguards that covered financial institutions should have in place to help protect the security of customer information.
ARE CPA FIRMS REALLY FINANCIAL INSTITUTIONS?
The definition of “financial institution” is broader than one may think. Per the Safeguards Rule “an entity is a ‘financial institution’ if its business is engaging in an activity that is financial in nature or incidental to such financial activities.” Per federal regulations referenced in the Safeguards Rule, this includes any number of financial and investment advisory activities, including providing tax planning and preparation services to any person for personal, family, or household purposes.
WHAT DOES THE FTC SAFEGUARDS RULE REQUIRE?
The Safeguards Rule specifies certain elements that should be included in a covered financial institution’s ISP. Required ISP elements are as follows:
- Designate a qualified individual to implement and supervise the ISP. This person must have the requisite skill and experience to fulfill the role and may be a partner or employee of the firm or an outside service provider. If a service provider is used, the firm remains responsible and must identify a senior-level person to supervise the provider.
- Conduct a risk assessment to identify and inventory customer information, where it is stored, and foreseeable risks and threats to the “security, confidentiality, and integrity of [such] information.” The assessment must be in writing and updated periodically as operations change and as new threats to data security emerge.
- Design and implement the following specific safeguards to help control risks related to the security, confidentiality, and integrity of customer information:
  - Implement access controls to determine and regularly reevaluate whether individuals’ access reflects legitimate business needs.
  - Conduct a data inventory to identify all systems, devices, platforms, and personnel that access customer information and understand how information is collected, stored, and transmitted.
  - Encrypt customer information in transit and when stored on your system.
  - Assess internally developed and third-party applications used to store, access, or transmit customer information.
  - Implement multifactor authentication to require at least two authentication factors for anyone accessing customer information.
  - Securely dispose of customer information when it is no longer necessary for a legitimate business need or legal requirement.
  - Build change management protocols into the ISP to anticipate and respond to changes in business, emerging threats, or lessons learned during risk assessments.
  - Log user activity and monitor for unauthorized access of customer information.
- Test or otherwise monitor the effectiveness of safeguards, including continuous monitoring or periodic penetration testing and vulnerability assessments.
- Train personnel, as an ISP is only as strong as its weakest link.
- Select and monitor service providers to ensure they maintain appropriate safeguards to help protect customer information. Execute detailed contracts that specify security requirements and provide for monitoring and periodic reassessments of the service provider’s suitability. Though System and Organization Controls (SOC) 2 reports are not specifically addressed by the regulations, consider obtaining one from the service provider. Among other things, a SOC 2 report provides assurance on the safeguards that a service provider has implemented to help protect customer information.
- Keep the ISP current and updated as the business and threat landscapes evolve.
- Develop a written incident response plan to guide the response and recovery following a security event.
- Require the qualified individual to report to the company’s governing body at least annually regarding the company’s compliance with its ISP.
The Safeguards Rule provides an exception from certain requirements if the covered financial institution maintains customer information concerning fewer than 5,000 consumers. A consumer is defined in Section 314.2(b)(1) of the Safeguards Rule as “an individual who obtains or has obtained a financial product or service from the financial institution that is used primarily for personal, family, or household purposes, or that individual’s legal representative.” ISPs for such institutions need not address the following elements: risk assessment; testing and monitoring of safeguards; staff training; creating a written incident response plan; and reporting to the institution’s governing body. In addition, only the following safeguards are required of covered financial institutions that maintain customer information for fewer than 5,000 consumers: encryption of data in transit and at rest, multifactor authentication, and secure disposal of information.
When considering whether they fall below the 5,000-consumer threshold, firms should consider the number of consumers for which they and their affiliates or service providers handle or maintain records that contain nonpublic personal information.
That said, it is important not to get distracted by the existence of a threshold. All of the above elements outlined in the Safeguards Rule are relevant to help protect the security of customer information and are worthy of consideration by all sizes of CPA firms, regardless of the number of consumers for which customer information is maintained.
Several provisions under the Safeguards Rule became effective Jan. 9, 2022, while others were set to be operative on Dec. 9, 2022. However, on Nov. 15, 2022, the FTC announced that it was extending by six months the deadline for companies to comply with some of the Safeguards Rule’s requirements, making June 9, 2023, the new deadline.
Without a doubt, the time, energy, and cost needed to comply with the Safeguards Rule will challenge many CPA firms, especially firms whose historical approach to protecting customer information has been more informal. It is important that CPA firms understand the data they collect from their clients and how that data is transmitted, stored, maintained, and, ultimately, destroyed. Starting with this understanding can help firms identify where data security safeguards are needed, regardless of whether the Safeguards Rule requires them. When gaining this understanding, do not overlook the activities of third-party service providers, including subcontractors and cloud-based providers, if customer information is shared with them.
Consult with your firm’s IT provider regarding data security risks and legal counsel regarding the Safeguards Rule’s application to your firm. Consider a specific cyber liability insurance policy. Most importantly, get an early start on your evaluation process so you are ready well before the implementation date.
Note: AICPA Tax Section members can access a Gramm-Leach-Bliley Act Information Security Plan Template.
Data breach costs continue to rise
$4.24 million: The average per incident cost of a data breach — the highest in IBM Cost of a Data Breach research history.
Source: IBM Security Cost of a Data Breach Report 2021.
Karen Nakamura, CPA, is a risk control consulting director at CNA. For more information about this article, contact firstname.lastname@example.org.
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.