Technology has vastly changed since the Gramm-Leach-Bliley Act's Safeguards Rule was first established in 2003, so the Federal Trade Commission amended the rule in 2022 to keep up with the times. Some of the changes took effect in late 2022, with the remaining changes to be effective as of June 9, 2023. Accounting practices of every size need to be aware of the changes.
By James Vinocur, JD
In March of last year, I wrote about the Gramm-Leach-Bliley Act (GLBA), the federal law that regulates nonbanking financial institutions in the United States. In particular, the GLBA mandates that qualifying institutions take affirmative steps to protect the privacy of their clients and their clients’ personal information. As such, the GLBA’s Safeguards Rule requires that “any institution [whose business] is engaging in an activity that is financial in nature or incidental to such financial activities,” including accounting professionals that engage in tax preparation, develop and implement security protocols to protect their clients’ sensitive information.
Recognizing that technology has vastly changed since the Safeguards Rule was first established in 2003, the Federal Trade Commission (FTC) amended the rule in 2022 to keep up with the times. Some of the new changes took effect on Dec. 9, 2022, with the remaining changes to be effective as of June 9, 2023. Accounting practices of every size need to be aware of the changes, which build on the framework established by the original rule in several key areas related to data security.
The revised Safeguards Rule includes the following changes (except as otherwise noted for small businesses – those that maintain client information for fewer than 5,000 clients):
These new changes do not apply to small businesses.
In short, the amendments to the Safeguards Rule are designed to prod a qualifying company into taking the necessary steps to mitigate the risk of client data incidents occurring in the first place. While many of the rules may appear daunting at first, their development and implementation with the aid of a privacy professional or adviser can drastically improve a company’s security system.
James Vinocur, JD, is a partner at Goldberg Segalla in New York City, where he specializes in data privacy and cybersecurity issues. Prior to joining Goldberg Segalla, he served as deputy chief of the cybercrimes bureau of the Manhattan District Attorney’s Office. He can be reached at jvinocur@goldbergsegalla.com.
Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of PICPA officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For professional advice, please engage or consult a qualified professional.