Your FTC Safeguards Rule technical controls, handled — before the FTC or IRS asks.
If your firm holds client financial information, the FTC Safeguards Rule already applies to you. It requires a written information security program, MFA, encryption, access controls, and a designated security lead — in writing. Most local firms don't have it. We put the technical safeguards in place, document them for audit, and keep them running.
If you hold customers' financial information, you're likely covered.
The FTC Safeguards Rule (16 CFR Part 314) reaches far beyond banks. It covers CPAs, accountants, tax preparers and bookkeepers (the IRS reinforces it with Publication 4557), insurance agencies, and mortgage brokers. In California there's no competing state insurance-data law, so the FTC Rule is the operative framework here.
This page describes the technical safeguards we implement; it is not legal or compliance advice and is not a guarantee of any regulatory outcome.
What the rule actually asks for.
Behind the acronyms, the Safeguards Rule wants the same thing every good security program does: make sure the right people can reach client data, the wrong people can't, you can prove it, and you can recover if something goes wrong. Here's the technical layer we own:
- Multi-factor authentication for anyone accessing customer information
- Encryption of nonpublic personal information at rest and in transit
- Access controls and least-privilege, reviewed periodically
- Logging & monitoring of access to customer data
- Backup and ransomware-resilient recovery
- Endpoint detection & response (EDR) and patch management
- Secure disposal of data you no longer need
- Vendor oversight for the services that touch client data
WISP, a security lead, and testing — sized to your firm.
Written Information Security Program (WISP)
The rule requires a written program — and the IRS expects tax firms to have a data security plan. We help build and maintain yours, mapped to the controls we actually run.
A designated "Qualified Individual"
The rule requires a named person to oversee the program. We operate the technical safeguards and support that role; your firm (or a partner) holds the formal designation.
The 5,000-record line
Firms holding information on 5,000+ consumers owe more — a written risk assessment, an incident-response plan, an annual report, and either annual penetration testing or continuous monitoring. We use continuous monitoring as the default so most firms avoid recurring pen-test costs. We'll check where you land at onboarding.
Incident-response readiness
Since 2025, breaches affecting 500+ consumers must be reported to the FTC within 30 days — and that notice is public. We help you be ready, not scrambling.
Where we stop — and who we partner with.
We deliver and operate the technical safeguards and help build the WISP. For formal compliance attestation, legal interpretation, and any required independent penetration testing, we work with specialist partners so you get complete coverage without us pretending to be your lawyer or your auditor. We'll be clear about which piece is which from day one.
Find out where your firm actually stands.
Book a free, 20-minute FTC Safeguards readiness check. No obligation, no scare tactics — and we never ask for client financial data.