Accounting firm cybersecurity, IRS Pub 4557 and the FTC Safeguards Rule
What the IRS expects in a Written Information Security Plan, the nine elements the revised FTC Safeguards Rule actually requires and how the new 30-day breach notification rule changed the operational picture for tax preparers and accounting firms.
· Jake Schaaf, Founder of Atticus Rowan
Tax preparers and accounting firms have been operating under a layered regulatory regime for years. The Gramm-Leach-Bliley Act Safeguards Rule applies. IRS Publication 4557 frames the operational expectation. IRC §7216 makes unauthorized disclosure of taxpayer return information a federal offense. What changed materially is the FTC’s revised Safeguards Rule, which became fully effective June 9, 2023, and the November 2023 amendment that added a 30-day breach notification requirement effective May 13, 2024. Together they raised the floor for what a written information security program looks like for any firm preparing, holding or processing taxpayer information.
This post covers the regulatory layers, what the FTC’s revised Safeguards Rule actually requires, the new 30-day breach notification clock and how to build a Written Information Security Plan that survives an examination.
The regulatory layers
Four pieces of law and guidance combine for accounting firms and tax preparers:
- Gramm-Leach-Bliley Act (GLBA), 15 USC §6801: requires financial institutions to protect the security and confidentiality of customer records.
- FTC Safeguards Rule, 16 CFR Part 314 (revised December 2021; effective January 10, 2022, with the most demanding provisions delayed to June 9, 2023): the operational rule implementing GLBA for non-bank financial institutions, including tax preparers and accounting firms.
- IRS Publication 4557, Safeguarding Taxpayer Data: the IRS’s published guidance for tax preparers, mapping practical controls to the Safeguards Rule and IRC requirements.
- IRC §7216: makes the knowing or reckless disclosure or use of tax return information for unauthorized purposes a federal misdemeanor for return preparers.
The FTC has explicitly stated that tax preparers and accountants who prepare returns for compensation fall within the definition of “financial institution” under GLBA. The Safeguards Rule applies. There is no longer ambiguity here, and the FTC has brought enforcement actions against covered businesses that failed to maintain a compliant program.
What the revised Safeguards Rule requires
The pre-2021 Safeguards Rule was thin: develop, implement and maintain a written information security program. The revised rule is specific. The nine elements at 16 CFR 314.4(a) through (i):
- Designate a Qualified Individual responsible for overseeing and implementing the information security program. One named person, not a role label. The QI may be an employee, an affiliate’s employee or a service provider, but the firm keeps responsibility for compliance and must designate a senior member of its own staff to direct and oversee a third-party QI.
- Base the program on a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of Customer Information, states the criteria used to evaluate those risks and describes how the program will address them. Reassess periodically.
- Implement specific safeguards designed to control the identified risks. The rule names them: access controls that limit users to the Customer Information they need and are periodically reviewed; an inventory of the data, personnel, devices, systems and facilities that hold it; encryption of Customer Information in transit over external networks and at rest; secure development practices for in-house applications; MFA for any individual accessing any information system; secure disposal; change management; and monitoring and logging of authorized users’ activity to detect unauthorized access.
- Regularly test or monitor the effectiveness of the safeguards: either continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months.
- Train staff to implement the program, on a documented cadence, keep security personnel qualified and keep their knowledge current.
- Oversee service providers that receive, maintain, process or otherwise are permitted access to Customer Information: select providers capable of protecting it, bind them by contract and periodically assess them.
- Evaluate and adjust the program in light of testing, monitoring, business changes or external circumstances.
- Establish a written incident response plan with specific elements (goals, internal processes, roles and decision-making authority, internal and external communications, remediation of weaknesses, documentation and post-incident review).
- Require the Qualified Individual to report in writing at least annually to the firm’s board of directors, governing body or senior officer on the program’s status and material matters.
The “specific safeguards” element is what changed most substantively. Before the revision, the rule was principles-based. The revised rule names the controls, and the details matter in practice:
- MFA is required for any individual accessing any information system, not only the systems that hold Customer Information, unless the Qualified Individual approves in writing a reasonably equivalent or more secure control.
- Encryption at rest and in transit over external networks is required; where it is infeasible, the Qualified Individual must approve compensating controls in writing.
- Secure disposal of Customer Information is required no later than two years after the last date it is used in connection with providing a product or service to the customer, unless retention is required by law or regulation or the information is needed for business operations. Tax preparers should reconcile this with their return-retention obligations (for example, the three-year preparer copy requirement under IRC §6107) and write the resulting retention schedule into the plan.
- A data and systems inventory is required.
- Either continuous monitoring or periodic testing (annual penetration test plus semi-annual vulnerability assessments) is required; the rule requires one or the other, and the choice should be recorded.
One scoping caveat: under 16 CFR 314.6, a firm that maintains Customer Information on fewer than 5,000 consumers is exempt from the written risk assessment, the continuous monitoring or periodic testing requirement, the written incident response plan and the annual written report. Many sole practitioners qualify; most multi-office firms do not, and the exemption does not remove the safeguards themselves or the breach notification requirement.
The 30-day breach notification rule
In November 2023, the FTC added a notification requirement that became effective May 13, 2024. Under the new rule, a non-bank financial institution must notify the FTC of any “notification event” affecting 500 or more consumers as soon as possible and no later than 30 days after discovery. A notification event is the unauthorized acquisition of unencrypted Customer Information; encrypted information counts as unencrypted if the encryption key was also acquired.
The 30-day window is shorter than the HIPAA 60-day window covered entities operate under. Operationally:
- Discovery is the first day the event is known to the firm, and the firm is deemed to know once any employee, officer or agent other than the person committing the breach knows of it.
- The notification path is the FTC’s online notification form, and the FTC publishes reported events on its website.
- The required content includes the firm’s name and contact information, a description of the types of information involved, the date or date range of the event if it can be determined, the number of consumers affected, a general description of the event and whether a law enforcement official has provided a written determination that public notice would impede a criminal investigation or damage national security.
- The 30-day clock runs even while the firm coordinates with law enforcement. A written law enforcement determination delays the FTC’s public disclosure of the notice, not the firm’s obligation to file it.
The 30-day rule landed during a period of increasing ransomware activity against accounting firms during tax season. The combination of compressed timing and seasonal pressure makes pre-incident readiness materially more important than it was under the older regime.
What a defensible WISP looks like
The Written Information Security Plan is the central document. IRS Publication 4557 calls it out specifically, IRS Publication 5708 provides a starter template for tax and accounting practices, and the FTC Safeguards Rule requires it. A defensible WISP for a small-to-mid-size accounting firm typically runs 25-45 pages plus appendices and contains:
- Scope: who and what is covered, what data is in scope, what systems hold Customer Information
- Roles: the Qualified Individual, the workforce roles with access to Customer Information, the service providers in scope
- The risk assessment (referenced; the assessment itself is a separate document)
- The safeguards: access controls, MFA, encryption, data inventory, secure disposal, change management, monitoring
- Training program: cadence, content, completion tracking
- Service provider oversight: selection criteria, contractual obligations, periodic review
- Incident response plan: goals, roles, escalation, communication, the 30-day FTC notification path
- Annual reporting: format of the Qualified Individual’s report to leadership
- Document control: version, last updated, next review date
A WISP that contains all of these elements and reflects what the firm actually does is the document the FTC and the IRS would want to see. A WISP that is a generic template downloaded from a vendor portal, or the IRS template filled in without being adapted to the firm’s systems, is the pattern that produces findings during examination.
The audit-trail expectation
The Safeguards Rule and IRS Pub 4557 both expect that the program produces evidence over time. The expected artifacts:
- The written risk assessment, refreshed annually and on material change
- Training records with completion dates and content covered
- Access reviews documenting who has access to what, periodically reviewed
- Service provider risk reviews and contract files
- Incident logs, including non-breach security events
- The annual Qualified Individual report
- Configuration baselines for in-scope systems
- Penetration test or continuous monitoring evidence
The pattern in examination is consistent: the regulator asks for the WISP, then asks for the artifacts proving the WISP is operational. A binder full of policies with no operational evidence behind it does not survive review.
Where Atticus Rowan fits
Atticus Rowan supports accounting firms and tax preparers as the IT and cybersecurity partner that builds the Safeguards Rule program and operates the controls. The work model parallels how we engage with community banks and insurance agencies in the broader financial-services scope: build the written program, operate the technical safeguards, produce the audit trail and prepare the firm for examination. We do not perform formal Safeguards Rule examinations or act as the firm’s compliance officer; we build and operate the program the Qualified Individual oversees and the FTC or IRS reviews.
Our Insurance Agency IT post covers the parallel obligations on the insurance side of financial services. Our solutions page outlines the broader engagement model.
If your firm has not refreshed its WISP since the revised Safeguards Rule took effect, has not designated a Qualified Individual in writing or is not confident the 30-day notification path is in place, schedule a discovery call. We can scope the gap and the path to a defensible program inside one tax season cycle.
Related insights
More on Compliance frameworks →
May 28, 2026
HIPAA breach notification, the 60-day clock and what trips it
When the 60-day breach notification clock actually starts under the HIPAA Breach Notification Rule, the four-factor Risk of Compromise analysis and the timing failures that turn an incident into an OCR enforcement action.
May 27, 2026
HIPAA risk analysis vs risk assessment, what OCR actually scores
Why HHS Office for Civil Rights settlements keep citing the same Security Rule risk analysis failure, and how the formal risk analysis differs from the general risk assessments most practices think satisfy it.
May 26, 2026
POA&M for NIST 800-171, anatomy of a defensible plan of action
What a Plan of Action and Milestones actually contains, why assessors read it before the System Security Plan and how to build one that holds up under prime contractor and DoD review.