CPA Firms & Tax Preparers
Legacy Professionals lost 216,752 records and faces 5 lawsuits. What would a breach cost your firm?
82% of denied cyber insurance claims had MFA gaps. The FTC can fine your firm up to $50,120 per violation per day under the Safeguards Rule (16 CFR Part 314). And if you checked the data security box on your PTIN renewal without a WISP in place, you're already exposed.
We protect your firm first — then prove it with the compliance documentation the FTC, IRS, and your insurance carrier require.
Two regulators. One security requirement.
CPA firms are classified as "financial institutions" under the Gramm-Leach-Bliley Act. The FTC Safeguards Rule (16 CFR Part 314) requires specific technical and administrative controls. IRS Publication 4557 adds tax-preparer-specific requirements. Non-compliance carries real penalties.
$50,120
FTC civil penalty per violation per day
FTC Safeguards Rule
$250
Per unauthorized disclosure of taxpayer data (max $10K/yr)
IRC § 6713
4×
Penalty rises to $1,000 per disclosure (max $50K/yr) when the disclosure is connected with identity theft
IRC § 6713(b)
EFIN
Revocation means your firm cannot e-file returns
IRS enforcement
FTC Safeguards Rule: what your firm must have
The 2021 amendments (most provisions effective June 2023) replaced vague "reasonable security" language with specific, enumerated controls. A 2023 amendment (effective May 2024) added mandatory notification to the FTC, within 30 days of discovery, for notification events affecting 500 or more consumers.
Every element below is required. The question isn't whether your firm needs these controls — it's whether you can prove you have them when the FTC, your insurance carrier, or a plaintiff's attorney asks.
- 1
Multi-Factor Authentication (16 CFR §314.4(c)(5))
Required on all systems accessing client information — email, tax software, remote access, admin accounts. No size exemption.
- 2
Encryption (at rest + in transit) (16 CFR §314.4(c)(3))
All client data encrypted on laptops, servers, cloud storage, and in transit. Compensating controls require written Qualified Individual approval.
- 3
Access Controls (16 CFR §314.4(c)(1))
Role-based access, least privilege, periodic access reviews, and prompt, documented revocation of access when staff leave (the Rule sets no fixed window; treat same-day removal as the target).
- 4
Security Awareness Training (16 CFR §314.4(e))
Documented employee training, updated to reflect the risks identified in your risk assessment. Phishing simulations are the most practical way to evidence it. Verbal reminders don't count.
- 5
Service Provider Oversight (16 CFR §314.4(f))
Written contracts requiring every vendor with access to client data to maintain appropriate safeguards. Periodic vendor assessments.
- 6
Secure Data Disposal (16 CFR §314.4(c)(6))
Documented destruction procedures for client information no longer needed. Default rule: dispose no later than two years after the information was last used for a client, unless a law or a documented business purpose requires longer retention.
- 7
Designated Qualified Individual (16 CFR §314.4(a))
A named person overseeing your information security program. Can be outsourced to an MSP — but your firm retains compliance responsibility.
- 8
Monitoring & Logging (16 CFR §314.4(c)(8), (d))
Logging of authorized user activity, plus continuous monitoring (or periodic testing, for smaller firms) to detect actual and attempted attacks on, or intrusions into, information systems.
- 9
Data Inventory (16 CFR §314.4(c)(2))
Identify and manage all data, devices, systems, and facilities that store or process client information.
- 10
Change Management (16 CFR §314.4(c)(7))
Documented procedures for evaluating and managing changes to information systems.
"We're too small to need security" is factually wrong under the FTC Safeguards Rule
Firms with fewer than 5,000 consumer records get a narrow exemption: they're not required to have a written risk assessment, formal incident response plan, annual penetration testing, or board reporting (16 CFR §314.6).
But that exemption doesn't cover what most firms assume it does. Even a solo CPA is still required to have:
- Multi-factor authentication on all systems
- Encryption at rest and in transit
- Access controls and data inventory
- Security awareness training
- Service provider oversight with written contracts
- Secure data disposal procedures
- A designated Qualified Individual
- Continuous monitoring and logging
What the <5,000 record exemption actually removes
- Written risk assessment with prescribed criteria — but you must still base your program on a risk assessment
- Written incident response plan — but IRS Pub 4557 effectively requires one through the WISP
- Annual penetration testing / vulnerability assessments — but general monitoring (§314.4(d)(1)) still applies
- Annual board/partner report — still recommended as best practice
IRS Publication 4557 fills the gap
Even where the FTC exempts small firms, IRS Pub 4557 requires a Written Information Security Plan (WISP) for all tax preparers. The WISP effectively includes a risk assessment and incident response plan. If you prepare tax returns, you need a WISP regardless of firm size.
You checked the box on your PTIN renewal
When you checked the data security box on your PTIN renewal, you confirmed your awareness of the WISP requirement. If you don't have one implemented, you're legally exposed — not just to the IRS but to FTC Safeguards enforcement.
A breach without a WISP can mean your EFIN is inactivated and your insurer denies the claim. A firm in that position can't e-file returns, can't collect on its insurance, and faces FTC penalties of up to $50,120 per violation per day.
The consequences stack: IRS enforcement (EFIN/PTIN suspension), FTC civil penalties, IRC § 6713 disclosure penalties ($250 per violation, rising to $1,000 when the disclosure is tied to identity theft), state attorney general actions (~$150/record), and client litigation.
The FTC enforces against firms like yours
These aren't hypothetical risks. The FTC has a documented enforcement pattern: bring cases against egregious failures, codify consent order requirements into the Rule, then warn entire industry segments.
TaxSlayer (2017)
Credential-stuffing attack compromised nearly 9,000 customer accounts. Hackers filed fraudulent tax returns. TaxSlayer had no written security program, no risk assessment, and no MFA.
Outcome: The attack ended when TaxSlayer eventually required MFA. FTC consent order imposed a 20-year compliance program with biennial third-party assessments.
Takeaway: MFA on customer logins would have stopped this attack, since stolen passwords alone were enough to get in.
Ascension Data & Analytics (2020)
Mortgage documents containing SSNs and financial data were shared with an unvetted vendor who stored them in plain text on an unprotected cloud server.
Outcome: 20-year consent order with biennial third-party assessments, annual executive certification, and mandatory breach reporting within 10 days.
Takeaway: Vendor oversight failures carry the same penalties as your own security failures.
H&R Block (2024)
$7 million FTC settlement for deleting consumer tax data when customers tried to downgrade from paid to free products, using dark patterns to make downgrading difficult.
Outcome: $7M settlement. Reinforces that data retention and deletion practices are FTC enforcement targets — not just security controls.
Takeaway: Data handling policies matter as much as firewalls.
Right-sized security for your firm
Whether you're a solo practitioner who needs a WISP or a 30-person firm that needs a full compliance program, we match the service to the regulatory requirements your firm actually faces.
1–3 employees (solo/micro)
One-Time WISP Package
$497
one-time
Written Information Security Plan aligned to IRS Publication 4557 and FTC Safeguards Rule. For solo practitioners who need the documentation but not ongoing managed security.
- WISP document aligned to IRS Pub 4557
- FTC Safeguards control mapping
- Data security self-assessment checklist
- Employee security awareness guide
4–10 employees
Starter
$50/endpoint/mo
Security foundation — meets the technical controls with 24/7 endpoint protection, MFA enforcement, and continuous monitoring.
- 24/7 endpoint detection and response
- MFA enforcement and monitoring
- Automated patch management
- Dark web credential monitoring
- Monthly security reporting
10–30 employees
Essentials
Custom pricing
Full FTC Safeguards compliance for most CPA firms. Adds security awareness training, vendor oversight, WISP management, and compliance documentation.
- Everything in Starter
- Security awareness training with phishing simulations
- WISP documentation and maintenance
- Vendor risk management
- Compliance evidence collection
- Quarterly access reviews
15–30 employees
Complete
Custom pricing
Audit-ready compliance program covering all FTC Safeguards elements — including requirements for firms with 5,000+ consumer records.
- Everything in Essentials
- Annual penetration testing or documented continuous monitoring
- Incident response plan with tabletop exercises
- Annual board/partner compliance report
- Full WISP management with annual review
- Cyber insurance evidence package
See where your firm stands — in 60 seconds
Our free security score scanner checks your firm's external security posture against the controls the FTC Safeguards Rule requires. No software to install. No sales pitch. Just a clear picture of where you stand.
If you're not ready for a full assessment, start here. You'll see exactly what an attacker sees when they look at your firm from the outside.