How many times have you thought, “I want to serve my clients, not write technical documents” when faced with a long list of things you must do to comply with an IRS or governmental regulation (like the FTC Safeguards Rule)?
The publications are written in as “friendly language as possible” and the writers attempt to be very clear, but they only tell you “what” you need to do. There is little to no guidance about “how.”
So, when approaching these regulatory requirements and seeing that laundry list of technical things related to firm-side and client-side security, it can be daunting to say the least. Your firm is full of experts, but chances are that not many (or none) of your staff would say they are an expert in IT-related matters.
Given this is a very common scenario, what can a busy firm owner do to manage these two seemingly incompatible truths? You know you need to comply and you also do not know how. And before you think you are the “only one” in this situation, rest assured—you are not alone.
Under IRS Publication 4557, tax practitioners have been required to have a Written Information Security Plan (WISP) in place since 2019 as a required element for PTIN renewal, yet the AICPA reports that many are not in compliance and may actually be unaware of the requirements.
Additionally, all tax professionals are required to adhere to the FTC Safeguards Rule under the Gramm-Leach-Bliley Act, and new penalties may be imposed after June 9, 2023, for non-compliance. Fines can exceed $43,000 per day. Yikes.
But what if you don’t do tax? Are you out of the woods?
Well, not quite. The FTC Safeguards Rule applies to “most” non-tax firms as well due to how the “5,000 target” threshold is calculated. In a nutshell, a “target” is a consumer. Your firm has access to thousands of consumers through your clients’ books. Think of it this way: If a bad actor somehow landed your logins to your clients’ QBO, Payroll and ecommerce files, how many consumer records would they gain access to?
The calculation is as follows: Take the number of current and past clients in your data banks, software and storage, then add the number of employees they have (the ones contained in the Payroll or HR records within the files you hold), then add the number of their clients as well (again, these are the ones contained in the accounting software and ecommerce sites you have access to in your firm).
The great news is that since there is considerable overlap between IRS Publication 4557 and the FTC Safeguards Rule, tax prep firms who already comply with Pub 4557 requirements and have their WISP in place will likely be in good shape and may only need to add a few additional measures to comply with the FTC Safeguards Rule.
The concern will be for firms who have been attesting they have a Written Information Security Plan (WISP) in place for their PTIN renewal but have not taken steps yet to get it in place. And, of course, for CAS and Bookkeeping firms who are only just learning about this now, this may come as a shock.
What can you do to ensure you are in compliance with each? Given that the best first step (for tax and non-tax firms alike) is to get your WISP in place, you will want to start there. It then is just a hop, skip and a jump to get into compliance with the FTC Safeguards Rule.
Here are three ways to get it done:
- Take training — The Grove is a great place to start. Randy Johnston, CPA; Dawn Brolin, CPA CFE; Steve Perkins, CIO, HoganTaylor LLP (a Top 100 firm); and Andrew Lassise, CEO, Tech4Accountants, have collaborated on a step-by-step Master Class that not only tells you “what” to do but teaches you “how.” You also get all the templates, sample policies, guidelines, checklists and staff training guides you need to quickly get your WISP done.
- “Vend it Out” — If you have more money than time, you may just want to push the easy button. If this is the case for your firm, you will want to sign on with a Managed Service Provider (like Tech4Accountants or TechGuru) to run your IT services for you. They also will ensure you have all policies and procedures in place as well.
- Hire a dedicated internal IT person —This is the costliest option but can be a great solution for a larger firm.
Now that you know what is involved, take steps to get into compliance now. You will not regret being in compliance because it is just good business. It may be a bit of work now, but you will be setting your firm up to prevent cybercrime and keep your solid reputation intact.
You got this.
Alison Ball is Director of Communications and Partnerships at Liscio.
Like what you’re reading?
Subscribe to our FREE newsletter and we’ll deliver content like this directly to your inbox.
This post originally appeared on