CPA Now Blog

Safeguards Rule Updates: Data Security a Must for CPAs

Technology has vastly changed since the Gramm-Leach-Bliley Act's Safeguard Rule was first established in 2003, so the Federal Trade Commission amended the rule in 2022 to keep up with the times. Some of the changes took effect in late 2022, with the remaining changes to be effective as of June 9, 2023. Accounting practices of every size need to be aware of the changes.

Feb 21, 2023, 22:31 PM

James VinocurBy James Vinocur, JD


In March of last year, I wrote about the Gramm-Leach-Bliley Act (GLBA), the federal law that regulates nonbanking financial institutions in the United States. In particular, the GLBA mandates that qualifying institutions take affirmative steps to protect the privacy of their clients and their clients’ personal information. As such, the GLBA’s Safeguards Rule requires that “any institution [whose business] is engaging in an activity that is financial in nature or incidental to such financial activities,” including accounting professionals that engage in tax preparation, develop and implement security protocols to protect their clients’ sensitive information.  

Recognizing that technology has vastly changed since the Safeguard Rule was first established in 2003, the Federal Trade Commission (FTC) amended the rule in 2022 to keep up with the times. Some of the new changes took effect on Dec. 9, 2022, with the remaining changes to be effective as of June 9, 2023. Accounting practices of every size need to be aware of the changes, which build on the framework established by the original rule in several key areas related to data security.  

Digital-looking padlock sitting on a circuit boardThe revised Safeguards Rule includes the following changes (except as otherwise noted for small businesses – those that maintain client information for fewer than 5,000 clients):  

  • Businesses now need to designate a single “qualified individual” to oversee and implement information security protocols and to be responsible for their enforcement, rather than designating any employee(s). The GLBA does define “qualified individual,” but this individual should be an information security professional whose qualifications are appropriate to the business’s size.  
  • There has been no change to the Safeguards Rule’s mandate that qualifying businesses engage in a written risk assessment of their information systems, however now required criteria must be included, including the following:  
    • Evaluation and categorization of identified security risks
    • Assessment of your information system and client information, within the context of identified risks
    • Mitigation of identified risks, based on the risk assessment (Risk assessments should be periodically re-examined to determine reasonableness.)  

These new changes do not apply to small businesses.  

  • The design and implementation of safeguards to control the risks identified via the risk assessment. This includes, but is not limited to:
    • Verifying who has access to information systems, including technical and physical controls, to both authenticate and limit access.
    • Identifying and managing all data, personnel, devices, systems, and facilities.  
    • Encrypting client information at rest or in transit.
    • Employing multifactor authentication to access any information system.
    • Implementing procedures to dispose of client information no later than two years after the data was last used.
    • Monitoring and logging authorized user activity, and unauthorized access, use, or tampering.  
  • The old rule required regular testing of the safeguards put into place, but the amended safeguards require either continuous monitoring or annual penetration testing of your information system and six-month vulnerability assessments. This new change does not apply to small businesses.
  • Qualifying institutions need to engage in security awareness training for their employees, particularly on risks identified via the risk assessment, and “qualified information security personnel” need to manage the information security program.  
  • Already-existing rules require oversight of third-party vendors by ensuring that the vendors maintain appropriate safeguards and that these safeguards are written into contracts. Now, businesses will have to periodically assess vendors based on their potential for risk and the quality of their safeguards.
  • Have a written incident response plan (which has seven specific requirements) to respond and recover from any incident that “materially” impacts client information. This new change does not apply to small businesses.
  • A business’s qualified individual will need to produce an annual written report on the status of the information security program, including compliance issues. This new change does not apply to small businesses.  

In short, the amendments to the Safeguards Rule are designed to prod a qualifying company into taking the necessary steps to mitigate the risk of client data incidents occurring in the first place. While many of the rules may appear daunting at first, their development and implementation with the aid of a privacy professional or adviser can drastically improve a company’s security system.  


James Vinocur, JD, is a partner at Goldberg Segalla in New York City, where he specializes in data privacy and cybersecurity issues. Prior to joining Goldberg Segalla, he served as deputy chief of the cybercrimes bureau of the Manhattan District Attorney’s Office. He can be reached at jvinocur@goldbergsegalla.com.


Sign up for weekly professional and technical updates from PICPA's blogs, podcasts, and discussion board topics by completing this form.



PICPA Staff Contributors

Disclaimer

Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of PICPA officers or members. The information contained in herein does not constitute accounting, legal, or professional advice. For professional advice, please engage or consult a qualified professional.

Stay informed about
PICPA blogs, upcoming events, and more

Subscribe to PICPA communications