The FTC's amended Safeguards Rule under the Gramm-Leach-Bliley Act came fully into effect in June 2023, and a further amendment adopted in late 2023 added a duty to notify the FTC of larger breaches. The rule covers tax preparers, accountants, and any other non-bank business that handles consumer financial information. It now names specific technical controls: encryption, multi-factor authentication, access controls, and a written incident response plan. Not suggestions. Requirements. With potential enforcement.
Most of the CPA firms I’ve talked to either don’t know about this rule or assumed it only applied to banks. It doesn’t. If you prepare tax returns, you’re a financial institution under GLBA. The FTC has been very clear about this. And the updated rule has teeth that the old version didn’t.
Law firms aren't off the hook either. The American Bar Association's Model Rules of Professional Conduct (Rule 1.6(c)) require lawyers to make "reasonable efforts" to prevent unauthorized access to client information. What counts as "reasonable" keeps changing, and it's starting to look a lot like the same technical controls in the FTC Safeguards Rule. MFA. Encryption. Access logging. Incident response.
The gap between “we’re careful” and “we’re compliant”
Being careful with client data and being compliant with data protection regulations are two different things. Every firm I’ve ever worked with believes they’re careful. Most of them are. They lock the office. They shred documents. They don’t leave files on the printer overnight.
But careful doesn’t satisfy a regulatory requirement. The FTC Safeguards Rule doesn’t ask if you’re careful. It asks if you have MFA enabled. It asks if data is encrypted at rest and in transit. It asks if you’ve done a risk assessment. It asks if you have a written incident response plan. It asks if you have a designated qualified individual overseeing your information security program.
The FTC has already taken enforcement action against tax preparation companies for failing to meet these requirements. The enforcement actions aren't theoretical. And when a firm gets breached and regulators come asking questions, "we were being careful" isn't the answer that keeps you out of trouble. "Here's our documentation" is.
What the rules actually require
The specifics vary by regulation, but the core requirements across GLBA Safeguards, state privacy laws, and professional conduct rules are converging on the same list. It’s not long. It’s not unreasonable. Most of it is stuff you should be doing anyway.
Multi-factor authentication for anyone accessing a system that contains client data. This is explicitly required under the updated Safeguards Rule (the only allowed exception is a compensating control your designated Qualified Individual has approved in writing), and it is increasingly expected under bar ethics opinions.
Encryption for client data at rest and in transit. That means full-disk encryption on laptops and workstations (BitLocker, FileVault, or equivalent), TLS for any portal or file-sharing service, and TLS for email. Remember that server-to-server email TLS only protects the message in flight; a tax return sitting as an attachment in a recipient's mailbox is unencrypted at rest, so for sensitive documents a client portal or an encrypted attachment is the safer path. If you're emailing unencrypted tax returns or settlement documents, that's a gap.
Access controls that limit who can see what, reviewed periodically. The paralegal working on a real estate closing doesn't need access to every client file in the firm. The principle of least privilege isn't just good security. It's a compliance requirement, and the rule expects you to re-check who still needs what, not just set it once.
A written risk assessment, updated periodically (annually is the usual cadence). Not a novel. A document that identifies what data you have, where it lives, what the threats are, and what controls are in place. If you can't describe your risks, regulators will assume you haven't thought about them.
An incident response plan. What happens when something goes wrong? Who do you call? How do you notify affected clients? What's the timeline? The IRS requires tax professionals to have a data breach plan and report breaches, and the Safeguards Rule now requires notifying the FTC within 30 days of discovering a breach that affects 500 or more consumers. Most state bars expect the same kind of plan from attorneys.
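The access-control and access-logging points above are easier to reason about in code than in prose. The following is an added example, not code from the original post or from any firm's system: a matter-scoped policy that denies by default, grants read access only to users explicitly staffed on a matter, lets an ethical wall override everything else, and records every decision (allowed or denied) in an append-only audit log. The user names, matter IDs and client names are constructed for illustration; the `entitlements` helper is what you would run during the periodic access review the rule expects.

```python
"""Matter-scoped access control with an audit trail.

Added example for illustration; not the original post's code.
All users, matters and clients below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Matter:
    matter_id: str
    client: str
    assigned: set                                   # users staffed on the matter
    walled_off: set = field(default_factory=set)    # users screened by an ethical wall


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class MatterAccessPolicy:
    """Deny by default: a user may read a matter's files only if explicitly
    assigned to it, an ethical wall overrides every other rule, and every
    decision is appended to an audit log so "who looked at what" is answerable."""

    def __init__(self, matters):
        self._matters = {m.matter_id: m for m in matters}
        self.audit_log = []     # append-only list of decision records

    def check(self, user, matter_id, action="read"):
        matter = self._matters.get(matter_id)
        if matter is None:
            decision = Decision(False, "unknown matter")
        elif user in matter.walled_off:             # wall wins even if also assigned
            decision = Decision(False, "ethical wall")
        elif user in matter.assigned:
            decision = Decision(True, "assigned to matter")
        else:
            decision = Decision(False, "not assigned")
        self._record(user, matter_id, action, decision)
        return decision

    def entitlements(self, user):
        """Matters the user can currently read; used for periodic access review."""
        return {m.matter_id for m in self._matters.values()
                if user in m.assigned and user not in m.walled_off}

    def denied_events(self):
        return [e for e in self.audit_log if not e["allowed"]]

    def _record(self, user, matter_id, action, decision):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "matter": matter_id,
            "action": action,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })


# Constructed sample data: a closing and a related litigation matter.
SAMPLE_MATTERS = [
    Matter("M-1001", "Acme Realty closing",
           assigned={"partner.ann", "paralegal.raj"}),
    Matter("M-1002", "Acme Realty v. Beta",
           assigned={"partner.ann", "associate.li"},
           walled_off={"paralegal.raj"}),
]


def demo():
    """Run three representative checks and return (results, policy)."""
    policy = MatterAccessPolicy(SAMPLE_MATTERS)
    results = {
        "raj_closing": policy.check("paralegal.raj", "M-1001").allowed,     # True
        "raj_litigation": policy.check("paralegal.raj", "M-1002").allowed,  # False: walled
        "li_closing": policy.check("associate.li", "M-1001").allowed,       # False: not staffed
    }
    return results, policy


if __name__ == "__main__":
    results, policy = demo()
    print(results)
    for event in policy.denied_events():
        print("DENIED", event["user"], event["matter"], event["reason"])
```

The point of the design is that the log is produced by the same code that makes the decision, so there is no way to grant access without leaving a record, and the denied entries are exactly what you would hand an auditor or feed into monitoring.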
This isn’t going away
The trend is unmistakable. Five years ago, a small CPA firm or law practice could reasonably argue that enterprise-grade security requirements didn’t apply to them. That argument is done. The regulations have caught up. Cyber insurance applications now ask about MFA, encryption, and incident response plans. If you answer no, you either don’t get coverage or you pay significantly more for it.
The firms that get ahead of this don't treat compliance as a separate project. They treat it as the natural result of having their IT set up properly. MFA, encryption, access controls, backups, and monitoring. If those things are in place and documented, you've covered most of the technical half of what's being asked; the rest is the paperwork: the written risk assessment, the named Qualified Individual, and the incident response plan. If they're not in place, you're exposed in ways that go beyond the technology. You're exposed legally.
Getting compliant for a small firm is not a six-month project. It’s getting the basics right and documenting that you did it. The basics are the same things that protect you from ransomware, phishing, and data breaches. The compliance part is just proving you actually did the work.
