CPA Now Blog

Compliance with the FTC Safeguards Rule

The Federal Trade Commission amended the Safeguards Rule in 2021, and the amended rule carries a more expansive definition of “financial institutions.” It includes nonbanking institutions engaged in work incidental to financial activities, such as CPA firms and tax professionals that collect personally identifying information. CPAs need to be aware of these changes.

Oct 24, 2023, 23:22 PM

By Suzanne M. Holl, CPA


The Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule requires organizations defined as “financial institutions” to establish measures to keep their customers’ private information secure. In accordance with GLBA provisions, the Federal Trade Commission (FTC) has authority to issue regulations ensuring that financial institutions adopt these protections.

The FTC amended the Safeguards Rule in 2021 to address current technology, but it also included a more expansive definition of “financial institutions” and added new responsibilities for enhanced administrative, technical, and physical safeguards. Certain provisions of the updated rule were effective Dec. 9, 2022, with the remaining provisions becoming effective June 9, 2023.

Under the revised Safeguards Rule, the definition of “financial institutions” has a broader interpretation, likely impacting organizations across many industries. For example, nonbanking financial institutions engaged in financial activities or work incidental to such financial activities (such as CPA firms and tax professionals) that collect personally identifying information (PII) need to be aware of the changes that built on the original framework in key data security areas.

The primary objectives for an information security program under the rules include the following:

  • Ensuring the security and confidentiality of client information.
  • Implementing safeguards against anticipated threats to client information.
  • Preventing unauthorized access to information systems linked to client information.

Is Your Firm Compliant?

The Safeguards Rule applies to organizations of all sizes, with reduced compliance standards for entities maintaining fewer than 5,000 client/customer records. What constitutes a client/customer record varies from one organization to another, and that is certainly true for CPA firms and tax professionals. The revised Safeguards Rule applies to all the PII that organizations maintain, so for accounting firms this includes the PII maintained for former and current clients, and any ancillary contacts associated with the client that a firm maintains. This may include, but is not limited to, the PII of current and former clients’ owners, members, partners, employees, and customers.

For example, if a firm prepares K-1s for hundreds of partners of a partnership client, the personally identifiable records would include the PII of each partner. Since there is no business client exception, it would be unwise for most CPA firms to rely on the 5,000 client/customer records exception without performing due diligence to ensure they have adequate systems in place to accurately track the number of personally identifiable records maintained for current and former clients. Under the Safeguards Rule, if an organization exceeds 5,000 personally identifiable records at any point, the entity no longer qualifies for the exception and must comply with all of the Safeguard Rule’s requirements.

Information Security Plan

Under the Safeguards Rule, a firm is required to have a written information security plan that outlines the firm’s program for protecting client data. Information security plans should be individually crafted to be sufficient and appropriate for the firm’s size and complexity, nature and scope of activities, and the sensitivity of its client information.

To comply with the updated Safeguards Rule, a CPA firm’s information security plan needs to outline the physical, technical, and administrative safeguards used to protect its confidential client data from potential breaches and cyberattacks. The plan should appropriately incorporate the following:

  • Designation of a qualified person responsible for overseeing, implementing, and updating the information security program.
  • Creation of a written risk assessment that identifies reasonably foreseeable internal and external risks and assesses the sufficiency of the safeguards in place to control those risks.
  • Design and implementation of safeguards appropriate to the size and complexity of the organization to control its identified risks. The following are a few examples of safeguards that should be considered:
    – Encryption of data in transit and at rest
    – Firewalls
    – Password protection
    – Securing access to file rooms and file cabinets
    – Implementing and periodically reviewing access controls to client information and limiting access to those with legitimate business needs
    – Implementing multifactor authentication
  • Regular monitoring and testing of the effectiveness of established safeguards (e.g., monitoring and logging activity to detect unauthorized access through continuous monitoring, annual penetration testing, or other appropriate vulnerability assessments).
  • Security awareness training.
  • Periodic assessment of third-party service providers.
  • Keeping your information security program current.
  • Written incident response plan.
  • Periodic reporting to the firm’s governing body (e.g., the firm’s executive committee or managing partner).

A CPA firm’s efforts to comply with the Safeguards Rule are organization-specific. As such, CAMICO recommends that each firm work with its IT/cyber specialists and legal counsel to modify and tailor its security plan to ensure compliance with the Safeguards Rule and other applicable laws.

Risk Management Tips

The FTC’s deadline for compliance may have passed, but it is never too late to assess and update the firm’s efforts to ensure compliance with the Safeguards Rule. Remember, developing an information security program is not a one-size-fits-all approach. Each firm needs to ensure that it has the required safeguards in place for its size (based on the number of personally identifiable records maintained), complexity, and the nature and scope of the services rendered.

From a risk management perspective, documentation is a critical first line of defense if your firm were ever alleged to have not complied with the Safeguards Rule. For example, if your firm is limiting its compliance efforts to the minimum required for firms with fewer than 5,000 personally identifiable records, be sure to have documentation of that determination and ensure that you have a mechanism in place to alert you if you ever reach or exceed 5,000 personally identifiable records.
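The record-tracking mechanism described above (and the K-1 example earlier in the article) can be sketched in code. The following is an added example, not code from the article, from CAMICO, or from any firm's actual system. It assumes a stable per-person identifier (the constructed `person_id` values stand in for whatever a firm's practice-management system uses), it assumes that one individual appearing under two client files counts as one record, and it keeps a high-water mark because the article states that once the count exceeds 5,000 at any point the exception is lost even if records are later purged.

```python
"""Added example: count the individuals whose PII a firm holds, across current
and former clients and their ancillary contacts, and raise an alert once the
5,000-record threshold from the Safeguards Rule discussion is reached."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Stated in the article: fewer than 5,000 personally identifiable records
# qualifies a firm for the reduced requirements.
THRESHOLD = 5_000


@dataclass(frozen=True)
class Person:
    """One individual whose PII the firm holds. `person_id` is a constructed
    placeholder for whatever stable identifier the firm's own systems use."""
    person_id: str
    role: str                       # e.g. "partner", "employee", "customer"


@dataclass(frozen=True)
class ClientFile:
    """A client engagement and every person whose PII it carries: the client's
    principals plus ancillary contacts. Former clients' files count as well."""
    client_name: str
    status: str                     # "current" or "former"
    people: tuple[Person, ...]


class PiiRecordTracker:
    """Counts distinct individuals across all client files and remembers the
    high-water mark, because the exception is lost once the count has ever
    exceeded the threshold, not only while it is currently above it."""

    def __init__(self, threshold: int = THRESHOLD) -> None:
        self.threshold = threshold
        self.files: dict[str, ClientFile] = {}
        self.high_water_mark = 0

    def record_count(self) -> int:
        # Assumption of this example: the same person listed under two clients
        # is one record, so identifiers are deduplicated across files.
        return len({p.person_id for cf in self.files.values() for p in cf.people})

    def upsert_client(self, cf: ClientFile) -> int:
        self.files[cf.client_name] = cf
        count = self.record_count()
        self.high_water_mark = max(self.high_water_mark, count)
        return count

    def remove_client(self, client_name: str) -> int:
        # Purging a client lowers the live count but never the high-water mark.
        self.files.pop(client_name, None)
        return self.record_count()

    def qualifies_for_reduced_requirements(self) -> bool:
        return self.high_water_mark < self.threshold

    def alert(self) -> Optional[str]:
        """Message for the qualified individual once the threshold is reached;
        None while the firm has always stayed below it."""
        if self.qualifies_for_reduced_requirements():
            return None
        return (f"Threshold reached: {self.high_water_mark} records at peak "
                f"(limit {self.threshold}); full Safeguards Rule applies.")


def partnership(name: str, status: str, partner_ids: range) -> ClientFile:
    """Constructed helper: a partnership client whose K-1 recipients are all
    individuals the firm holds PII for (constructed identifiers)."""
    people = tuple(Person(f"P{i:05d}", "partner") for i in partner_ids)
    return ClientFile(name, status, people)


def demo() -> list[tuple[int, bool]]:
    """Walk a constructed scenario; returns (live count, qualifies) per step."""
    t = PiiRecordTracker()
    steps = []
    t.upsert_client(partnership("Alpha LP", "current", range(0, 3000)))
    steps.append((t.record_count(), t.qualifies_for_reduced_requirements()))
    # 2,500 partners, 1,000 of whom also receive K-1s from Alpha LP
    t.upsert_client(partnership("Beta LP", "current", range(2000, 4500)))
    steps.append((t.record_count(), t.qualifies_for_reduced_requirements()))
    # A former client's file is still retained, so it still counts.
    t.upsert_client(partnership("Gamma LP", "former", range(4500, 5100)))
    steps.append((t.record_count(), t.qualifies_for_reduced_requirements()))
    # Purging Gamma lowers the live count, but the exception is already gone.
    t.remove_client("Gamma LP")
    steps.append((t.record_count(), t.qualifies_for_reduced_requirements()))
    return steps


if __name__ == "__main__":
    for count, ok in demo():
        print(count, "qualifies" if ok else "full rule applies")
```

The deduplication rule and the choice to count by individual rather than by document are assumptions a firm should settle with its counsel; the point the code makes is that the high-water mark, not the current count, is what the documentation of a "fewer than 5,000" determination has to support.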

CAMICO strongly encourages firms to take the time needed to keep the firm’s Information Security Plan relevant and updated to showcase your ongoing efforts to ensure compliance with the spirit and intent of the Safeguards Rule.

Resources

For more risk management guidance on cyber and data security issues, access these additional resources for CPA firms:


Suzanne M. Holl, CPA, is senior vice president of loss prevention services with CAMICO. With more than 30 years of experience in accounting, she draws on her Big Four public accounting and private industry background to provide information on a wide variety of loss prevention and accounting issues and leads the risk management team at CAMICO. She can be reached at sholl@camico.com.



Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of the PICPA's officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For actionable advice, you must engage or consult with a qualified professional.


