How the FTC Safeguards Rule may affect your CPA firm

Professional liability spotlight

Tax preparers are likely already familiar with IRS Publication 4557, Safeguarding Taxpayer Data, and its application to professionals who practice before the IRS or hold a preparer tax identification number. However, there is another rule that tax preparers might not think applies to them — the Federal Trade Commission’s (FTC’s) Standards for Safeguarding Customer Information (the Safeguards Rule). While the Safeguards Rule has been around for decades, CPA firms may not have given it more than a passing thought. However, the latest amendments to the Safeguards Rule may require firms to think differently.

Originally promulgated in 2002 pursuant to the Gramm-Leach-Bliley Act, P.L. 106-102, the Safeguards Rule obligates covered financial institutions to “develop, implement, and maintain” an information security program (ISP) that includes specific “administrative, technical, and physical safeguards” designed to protect customer information. The ISP must be in writing and “appropriate to the size and complexity of the [covered] financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.”

In December 2021, the FTC amended the Safeguards Rule to expand its definition of a financial institution and to provide more concrete guidance regarding specific safeguards that covered financial institutions should have in place to help protect the security of customer information.

ARE CPA FIRMS REALLY FINANCIAL INSTITUTIONS?

The definition of “financial institution” is broader than one may think. Per the Safeguards Rule “an entity is a ‘financial institution’ if its business is engaging in an activity that is financial in nature or incidental to such financial activities.” Per federal regulations referenced in the Safeguards Rule, this includes any number of financial and investment advisory activities, including providing tax planning and preparation services to any person for personal, family, or household purposes.

WHAT DOES THE FTC SAFEGUARDS RULE REQUIRE?

The Safeguards Rule specifies certain elements that should be included in a covered financial institution’s ISP. Required ISP elements are as follows:

EXCEPTIONS AVAILABLE

The Safeguards Rule provides an exception from certain requirements if the covered financial institution maintains customer information concerning fewer than 5,000 consumers. A consumer is defined in Section 314.2(b)(1) of the Safeguards Rule as “an individual who obtains or has obtained a financial product or service from the financial institution that is used primarily for personal, family, or household purposes, or that individual’s legal representative.” ISPs for such institutions need not address the following elements: risk assessment; testing and monitoring of safeguards; staff training; creating a written response plan; and reporting to the institution’s governing body. In addition, only the following safeguards are required of covered financial institutions that maintain customer information for fewer than 5,000 consumers: encryption of data in transit and at rest, multifactor authentication, and secure disposal of information.

When considering whether they fall below the 5,000-consumer threshold, firms should consider the number of consumers for which they and their affiliates or service providers handle or maintain records that contain nonpublic personal information.

That said, it is important not to get distracted by the existence of a threshold. All of the above elements outlined in the Safeguards Rule are relevant to help protect the security of customer information and are worthy of consideration by all sizes of CPA firms, regardless of the number of consumers for which customer information is maintained.

IMPLEMENTATION CONSIDERATIONS

Several provisions under the Safeguards Rule became effective Jan. 9, 2022, while others were set to be operative on Dec. 9, 2022. However, on Nov. 15, 2022, the FTC announced that it was extending by six months the deadline for companies to comply with some of the Safeguards Rule’s requirements, making June 9, 2023, the new deadline.

Without a doubt, the time, energy, and cost needed to comply with the Safeguards Rule will challenge many CPA firms, especially firms whose historical approach to protecting customer information has been more informal. It is important that CPA firms understand the data they collect from their clients and how that data is transmitted, stored, maintained, and, ultimately, destroyed. Starting with this understanding can help firms identify where data security safeguards are needed, regardless of whether the Safeguards Rule requires them. When gaining this understanding, do not overlook the activities of third-party service providers, including subcontractors and cloud-based providers, if customer information is shared with them.

Consult with your firm’s IT provider regarding data security risks and legal counsel regarding the Safeguards Rule’s application to your firm. Consider a specific cyber liability insurance policy. Most importantly, get an early start on your evaluation process so you are ready well before the implementation date.

Data breach costs continue to rise

$4.24 million: The average per incident cost of a data breach — the highest in IBM Cost of a Data Breach research history.

Source: IBM Security Cost of a Data Breach Report 2021.

Karen Nakamura, CPA, is a risk control consulting director at CNA. For more information about this article, contact specialtyriskcontrol@cna.com.

Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, can be reached at 800-221-3023 or at cpai.com.

This article provides information, rather than advice or opinion. It is accurate to the best of the author’s knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situation.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.