CPAs, Accountants, and Bookkeepers: You're Already Required to Comply with FTC Safeguards. Are You?

Tax season is here. So is the FTC.

If you're a CPA firm, accounting practice, or bookkeeping service handling client financial data, here's something that might surprise you — the revised FTC Safeguards Rule isn't coming. It's already here. The compliance deadline was June 9, 2023. That was almost three years ago.

And yet, many accounting professionals across Oregon and the Pacific Northwest are still operating as if this doesn't apply to them. It does.

Why does this apply to you?

The FTC classifies CPAs, accountants, bookkeepers, and tax preparers as financial institutions under the Gramm-Leach-Bliley Act. That means you're held to the same data security standards as banks and financial services companies. If your practice handles tax returns, financial statements, payroll, or any nonpublic personal information — Social Security numbers, bank account details, income records — you're covered.

This isn't optional. And the penalties are serious: up to $100,000 per violation, and roughly $43,000 per day for each day a firm remains out of compliance with an FTC consent order.

What the Rule Actually Requires

The Safeguards Rule isn't just "have a firewall and antivirus." It requires a comprehensive, documented security program. Here's what the FTC expects:

- A designated Qualified Individual responsible for overseeing and implementing your security program.
- A written information security plan (WISP) tailored to the size and complexity of your firm.
- A written risk assessment identifying the threats to client data and the safeguards that address them.
- Multi-factor authentication for anyone accessing a system that holds client information.
- Encryption of client data at rest and in transit over external networks.
- Access controls limiting each person to the client data their role actually requires.
- Employee security awareness training, refreshed as threats change.
- Regular testing and monitoring of your safeguards: either continuous monitoring, or an annual penetration test plus vulnerability assessments at least every six months.
- A written incident response plan.
- Vendor oversight for any third party that handles client data, including contract terms that require them to protect it.
- A written report to your firm's leadership, at least annually, on the status of your security program.

If you can't produce documentation for each of these items, you're not compliant — regardless of what tools you have in place.

"But We Have an IT Guy"

Having someone who manages your computers isn't the same as having a compliance program. The FTC doesn't ask whether your antivirus is up to date. They ask for your written risk assessment, your WISP, your MFA documentation, your restore test logs, and your vendor agreements.

Most general IT providers aren't building this for you. Not because they don't care — but because compliance documentation isn't what they do. It's a different discipline.

Tax Season Makes This Urgent

Right now, your firm is handling the highest volume of sensitive client data you'll see all year. Every tax return, every financial statement, every W-2 — that's all protected information under the Safeguards Rule.

If a breach happens during tax season and you can't demonstrate compliance, the consequences multiply: client lawsuits, an FTC investigation, reputational damage, and potential action against your professional license.

This isn't about fear. It's about responsibility. Your clients trust you with their most sensitive information. The FTC Safeguards Rule is simply the standard for honoring that trust.

Where to Start

If you're not sure where your firm stands, that's okay — but it's time to find out. A compliance gap assessment can show you exactly what's in place, what's missing, and what needs to happen to get your firm compliant.

We work with CPAs, accountants, and bookkeepers to build and maintain FTC Safeguards compliance programs — from the initial risk assessment and WISP development to ongoing monitoring and annual reporting. It's what we do.

If you'd like an honest look at where your firm stands, we offer a free Technology Strategy Assessment. No pressure. Just clarity.

DirectLine-IT serves as your wayfinder — guiding businesses toward compliance, security, and strategic growth in the Columbia River Gorge and beyond.
