Are you ready for the FTC Safeguards Rule?

Is your accounting firm ready to comply with the 2023 Federal Trade Commission Safeguards Rule? As an accountant, it's vital to understand and adhere to the Safeguards Rule, which mandates the creation and implementation of an information security program. Non-compliance can result in substantial fines, legal consequences and lost business. 

The Safeguards Rule requires financial institutions, including accounting firms, to develop and maintain a comprehensive ISP to protect sensitive customer information from unauthorized access or misuse. Accountants handle confidential data like tax returns, financial statements and other financial records, making compliance with the Safeguards Rule crucial.

The deadline for accounting firms to comply with the rule requirements is June 9, 2023. This rule applies to firms of all sizes, with some reduced compliance standards for those handling fewer than 5,000 records. Keep in mind that the 5,000-record threshold also counts the data your clients hold: if you have 500 clients, each with 100 customers of their own whose records you can see (think QuickBooks Online, or remoting into QuickBooks Desktop), that gives you 50,000 records of personally identifying information.

Penalties for noncompliance

Failing to comply with the FTC Safeguards Rule can result in civil penalties of up to $46,517 per violation.

Compliance with the rule offers several benefits for accountants:

  1. Protects sensitive client information from unauthorized access and ensures data security;
  2. Builds trust with clients, showcasing your commitment to security;
  3. Helps avoid legal actions, hefty fines and reputation damage; and
  4. Enhances your firm's reputation as a progressive, security-focused organization.

By implementing the measures outlined in the rule, your accounting firm will not only comply with legal requirements but also create a more secure and efficient work environment. This increased security will help to protect your clients' sensitive data and instill confidence in your firm's services, ultimately leading to stronger client relationships and business growth.

Taking action and achieving compliance

In summary, complying with the FTC Safeguards Rule is critical for accountants handling sensitive client information. Implementing a comprehensive information security program not only satisfies legal requirements but also demonstrates your commitment to client security and promotes sound business practices.

To assist you in achieving compliance, download our guide to easy FTC Safeguards Rule compliance for accountants.

In the meantime, below are the nine key components for accounting firms to comply with the rule.

1. Designate a qualified person to oversee the ISP

"Qualified" is the key word in this requirement. Your qualified personnel (or a qualified vendor) should have real-world experience executing an ISP and be an expert in cybersecurity. This isn't something to pawn off on the millennial in the office who knows how to use a computer.

2. Develop a written risk assessment

The risk assessment takes into account where your firm is vulnerable. This can be done through penetration testing, network scans and having a qualified vendor assess the holes in security. This also includes investigating third-party apps, which is where a lot of breaches occur.

3. Limit and monitor access to sensitive customer info

While it is easy to give everyone full administrative access to all of your data, it is similar to leaving your front door open at all times. Yes, it is convenient, but it is not secure. Give your vendors and employees access to everything they need, but nothing they don't.

4. Encrypt all sensitive data

Encryption converts data into a form that cannot be read without the decryption key. Only someone holding the key, normally the owner, can get the data back.

This comes in two forms, in transit and at rest. In transit, you have probably seen emails encrypted or portals to upload documents. This version has the content encrypted as it travels from one source to its final destination.

The other form is encryption at rest, which would come in the form of encrypting a hard drive, USB drive or computer. In this instance, data is protected if someone were to physically steal your devices. A large lawsuit happened from a stolen laptop that contained personally identifiable information that wasn't encrypted. Imagine being a victim of a crime and then getting a lawsuit because you were robbed.

5. Train security personnel

The first line of defense is the people in your organization. An estimated 92% of infections come through email — from someone clicking on something they shouldn't. If you can spot the threat before it occurs, you won't have to mitigate it. This can be done through security awareness training via emails, shared company chats and keeping your firm's employees aware of the most recent cyber threats.

A recent phishing scam for tax preparers involved the hacker emailing the tax preparer while posing as a prospect. After a few emails back and forth comes a message saying, "Here is a ZIP file with my last year's returns." This is where they send a virus disguised as a PDF to the unsuspecting victim and either hold the entire company's data for ransom or steal it to sell on the dark web.
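As an added example (not from the article), here is the kind of attachment screening a mail gateway or intake workflow can apply to the ZIP-with-a-fake-PDF pattern described above, written in Go with the standard library. It flags executable attachment types, double extensions such as `returns.pdf.exe`, files that claim to be PDFs but lack the `%PDF` header, Windows executable headers under a non-executable name, and ZIP archives that contain executables. The `Attachment` type, the `Screen` function and the extension lists are assumptions for this example, and the sample attachments are constructed.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Attachment is a constructed in-memory model of an e-mail attachment.
type Attachment struct {
	Name string
	Data []byte
}

// Extensions that should never arrive from a prospect (assumed list).
var blockedExt = map[string]bool{
	".exe": true, ".scr": true, ".js": true, ".vbs": true,
	".bat": true, ".cmd": true, ".lnk": true, ".hta": true,
}

// Document extensions used to spot double extensions (assumed list).
var docExt = map[string]bool{
	".pdf": true, ".doc": true, ".docx": true, ".xls": true, ".xlsx": true,
}

// Screen returns the reasons an attachment should be quarantined, or nil
// when none of the checks fire.
func Screen(a Attachment) []string {
	var reasons []string
	lower := strings.ToLower(a.Name)
	ext := path.Ext(lower)

	if blockedExt[ext] {
		reasons = append(reasons, "executable attachment type "+ext)
	}
	// "returns.pdf.exe": the name left after stripping the real extension
	// still ends in a document extension.
	if docExt[path.Ext(strings.TrimSuffix(lower, ext))] {
		reasons = append(reasons, "double extension in "+a.Name)
	}
	// A genuine PDF starts with the %PDF magic bytes.
	if ext == ".pdf" && !bytes.HasPrefix(a.Data, []byte("%PDF")) {
		reasons = append(reasons, "claims to be PDF but lacks %PDF header")
	}
	// Windows PE files start with "MZ" regardless of what they are named.
	if bytes.HasPrefix(a.Data, []byte("MZ")) && ext != ".exe" {
		reasons = append(reasons, "Windows executable header under non-executable name")
	}
	// Look inside ZIP archives for executable entries.
	if ext == ".zip" || bytes.HasPrefix(a.Data, []byte("PK\x03\x04")) {
		r, err := zip.NewReader(bytes.NewReader(a.Data), int64(len(a.Data)))
		if err != nil {
			return append(reasons, "unreadable ZIP archive")
		}
		for _, f := range r.File {
			if blockedExt[path.Ext(strings.ToLower(f.Name))] {
				reasons = append(reasons, "ZIP contains executable "+f.Name)
			}
		}
	}
	return reasons
}

// BuildZip creates an in-memory ZIP archive from constructed entries.
func BuildZip(entries map[string][]byte) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, data := range entries {
		f, err := w.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := f.Write(data); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	samples := []Attachment{
		{"2022_returns.pdf", []byte("%PDF-1.7 constructed sample")},
		{"2022_returns.zip", BuildZip(map[string][]byte{"2022_returns.pdf.exe": []byte("MZ\x90\x00")})},
	}
	for _, s := range samples {
		fmt.Printf("%s -> %v\n", s.Name, Screen(s))
	}
}
```

Screening of this kind is a backstop, not a replacement for the awareness training the section describes: a prospect who has never been met sending an archive of "last year's returns" is itself the signal staff should be trained to question.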

6. Develop an incident response plan

An incident response plan lays out the framework for how your firm will respond in the event of a cyber incident (usually a euphemism for a data breach or being hacked). It ensures the firm can quickly and efficiently address any security incident, mitigating potential damage to clients and to the firm's reputation.

Second, it demonstrates the firm's commitment to maintaining a secure environment for sensitive client data, fostering trust and confidence in its services. Lastly, a robust incident response plan helps the firm comply with regulatory requirements and avoid potential legal and financial ramifications in the event of a data breach.

7. Periodically assess the security practices of service providers

Hold your vendors accountable. There have been multiple data breaches in the news that resulted from third-party vendors having access to the main company and then getting breached themselves. Access to a larger firm's data is a backdoor entrance to unlimited resources and personally identifiable information. Make sure your service providers are taking data protection as seriously as you are.

8. Regularly update your ISP

Change is the only constant, and that couldn't be more true than with data security for accounting firms. What used to be a simple intake process has become tons of information that hackers want to obtain. The amount of PII and financial information contained in each client's file is worth tons of money. As the landscape in the company changes, the ISP needs to be updated to address the new security measures as well as the new vulnerabilities.

9. Require the qualified pro to report to the board

At least annually, the qualified professional needs to speak to the important people in your firm about the current cybersecurity status of your organization. This report will include incidents, responses, vulnerabilities and the methods used to address them.

Because the organization changes over time, it is also worth reporting after material changes in the firm, such as adding new employees, managers, servers or computers, or changing the security stack. Staying on top of these things and reporting to the board of directors is crucial to keep everyone on the same page.