This is the archive of CPA Now blogs posted on the PICPA website through April 30, 2025.
The Federal Trade Commission amended the Safeguards Rule in 2021, adopting a more expansive definition of “financial institutions.” The definition now includes nonbanking institutions engaged in work incidental to financial activities, such as CPA firms and tax professionals that collect personally identifying information. CPAs need to be aware of these changes.
By Suzanne M. Holl, CPA
The Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule requires organizations defined as “financial institutions” to establish measures to keep their customers’ private information secure. In accordance with GLBA provisions, the Federal Trade Commission (FTC) has authority to issue regulations ensuring that financial institutions adopt these protections.
The FTC amended the Safeguards Rule in 2021 to address current technology, but it also included a more expansive definition of “financial institutions” and added new responsibilities for enhanced administrative, technical, and physical safeguards. Certain provisions of the updated rule were effective Dec. 9, 2022, with the remaining provisions becoming effective June 9, 2023.
Under the revised Safeguards Rule, the definition of “financial institutions” is interpreted more broadly, likely affecting organizations across many industries. For example, nonbanking financial institutions engaged in financial activities, or in work incidental to such financial activities (such as CPA firms and tax professionals), that collect personally identifying information (PII) need to be aware of the changes, which build on the original framework in key data security areas.
The primary objectives for an information security program under the rules include the following:
The Safeguards Rule applies to organizations of all sizes, with reduced compliance standards for entities maintaining fewer than 5,000 client/customer records. What constitutes client/customer records is somewhat unique for every organization, and that is certainly true for CPA firms and tax professionals. The revised Safeguards Rule applies to all the PII that organizations maintain, so for accounting firms this includes the PII maintained for former and current clients, and any ancillary contacts associated with the client that a firm maintains. This may include, but is not limited to, the PII of current and former clients’ owners, members, partners, employees, and customers.
For example, if a firm prepares K-1s for hundreds of partners of a partnership client, the personally identifiable records would include the PII of each partner. Since there is no business client exception, it would be unwise for most CPA firms to rely on the 5,000 client/customer records exception without performing due diligence to ensure they have adequate systems in place to accurately track the number of personally identifiable records maintained for current and former clients. Under the Safeguards Rule, if an organization exceeds 5,000 personally identifiable records at any point, the entity no longer qualifies for the exception and must comply with all of the Safeguards Rule’s requirements.
Under the Safeguards Rule, a firm is required to have a written information security plan that outlines the firm’s program for protecting client data. Information security plans should be individually crafted to be sufficient and appropriate for the firm’s size and complexity, nature and scope of activities, and the sensitivity of its client information.
To comply with the updated Safeguards Rule, a CPA firm’s information security plan needs to outline the physical, technical, and administrative safeguards used to protect its confidential client data from potential breaches and cyberattacks. The plan should appropriately incorporate the following:
A CPA firm’s efforts to comply with the Safeguards Rule are organization-specific. As such, CAMICO recommends that each firm work with its IT/cyber specialists and legal counsel to modify and tailor its security plan to ensure compliance with the Safeguards Rule and other applicable laws.
The FTC’s deadline for compliance may have passed, but it is never too late to assess and update the firm’s efforts to ensure compliance with the Safeguards Rule. Remember, developing an information security program is not a one-size-fits-all approach. Each firm needs to ensure that it has the required safeguards in place for its size (based on the number of personally identifiable records maintained), complexity, and the nature and scope of the services rendered.
From a risk management perspective, documentation is a critical first line of defense if your firm were ever alleged to have not complied with the Safeguards Rule. For example, if your firm is limiting its compliance efforts to the minimum required for firms with fewer than 5,000 personally identifiable records, be sure to have documentation of that determination and ensure that you have a mechanism in place to alert you if you ever maintain 5,000 or more personally identifiable records.
CAMICO strongly encourages firms to take the time needed to keep the firm’s Information Security Plan relevant and updated to showcase your ongoing efforts to ensure compliance with the spirit and intent of the Safeguards Rule.
For more risk management guidance on cyber and data security issues, access these additional resources for CPA firms:
Suzanne M. Holl, CPA, is senior vice president of loss prevention services with CAMICO. With more than 30 years of experience in accounting, she draws on her Big Four public accounting and private industry background to provide information on a wide variety of loss prevention and accounting issues and leads the risk management team at CAMICO. She can be reached at sholl@camico.com.
Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of the PICPA's officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For actionable advice, you must engage or consult with a qualified professional.