If you run a CPA firm, an accounting or tax practice, or an insurance agency, there’s a federal rule you may not have heard much about — but it already applies to you: the FTC Safeguards Rule.
Here’s the plain-English version of what it is, who it covers, and what it asks for.
Who it applies to
The Safeguards Rule (part of the Gramm-Leach-Bliley Act) covers far more than banks. The FTC has explicitly said it includes tax preparers, CPAs, accountants, and bookkeepers, along with insurance agencies and mortgage brokers — essentially, businesses that handle customers’ nonpublic personal financial information.
For insurance agencies in California, there’s an extra wrinkle: California hasn’t adopted a separate state insurance-data-security law, so the FTC rule is the operative framework here.
What it requires
At its core, the rule asks you to protect client information with real, technical controls:
- A written information security program (WISP)
- A designated person to oversee security (a “Qualified Individual”)
- Multi-factor authentication for anyone accessing client data
- Encryption of that data, at rest and in transit
- Access controls, logging, and monitoring
- Backup and a plan to recover from an incident
Larger firms — those holding information on 5,000 or more consumers — take on a few more obligations, including a written risk assessment, an incident-response plan, and either annual penetration testing or continuous monitoring.
Why it matters now
Enforcement is real, the penalties are steep, and since 2025 firms must report certain breaches to the FTC within 30 days — and that notice becomes public. Meanwhile, cyber-insurance renewals increasingly require these same controls before they’ll cover you.
The encouraging part: most of this is the same security foundation we already build for medical practices. The acronym is different; the controls are the same.
What we do (and don’t)
We put the technical safeguards in place and help build the security plan behind them. For the formal legal and attestation side, we work with a compliance partner. We’ll always be clear about which piece is which.
Want to know where your firm stands? Book a free FTC Safeguards check — a 20-minute call, no obligation, and we never ask for client financial data.
This article is general information, not legal advice.