July 17, 2026
— ✦ —
Unlike the healthcare security rules that keep getting delayed, this one is already law. If your firm prepares tax returns or provides accounting services, the FTC Safeguards Rule applies to you right now, and it requires a Written Information Security Plan, usually called a WISP. The compliance deadline passed in June 2023. Many small firms still do not have one.
This is not an obscure technicality. The IRS asks every preparer renewing a PTIN to confirm they are aware of their data security responsibilities, and IRS Publication 5708 makes clear that a written security plan is part of those responsibilities. A firm that suffers a breach without one is exposed twice: once to the attackers, and once to the regulators and clients who ask why the required plan did not exist.
Why the Safeguards Rule Applies to Accounting Firms
The Gramm-Leach-Bliley Act treats businesses that are "significantly engaged" in financial activities as financial institutions. That includes tax preparers, CPAs, bookkeepers, and payroll providers, regardless of size. The FTC Safeguards Rule spells out exactly what these businesses must do to protect customer information, and tax and accounting data sits squarely in scope: Social Security numbers, income records, bank accounts, and everything else in a client file.
What a WISP Actually Requires
The rule is specific. A compliant program includes:
- A designated Qualified Individual responsible for the security program
- A written risk assessment identifying where client data lives and what threatens it
- Access controls so employees only reach the data their role requires
- Encryption of client data at rest and in transit
- Multi-factor authentication for anyone accessing client information
- Monitoring and testing of your safeguards
- Security awareness training for staff
- Oversight of service providers who touch your data
- A written incident response plan
- Since 2024, notification to the FTC within 30 days for breaches involving 500 or more consumers
If your firm has fewer than 5,000 consumers' records, a few of the formal reporting elements are relaxed, but the core plan is still required.
The Good News: This Is Very Achievable for a Small Firm
A WISP for a 10-person firm does not need to be a 100-page binder. The IRS publishes a plain-language template (Publication 5708), and most of the technical requirements, such as MFA, encryption, and monitored backups, are things a well-run firm should have anyway. They are also what stop the attacks we actually see against accounting firms: phishing during filing season, compromised email accounts, and ransomware timed for the worst possible week of the year.
The work is in doing it properly: mapping where client data actually lives, writing the plan to match reality instead of copying a template no one follows, and testing that the safeguards work.
What We Recommend Before Next Filing Season
Summer is the right time to do this. Get the risk assessment done, stand up MFA and encryption where they are missing, write the WISP against your real environment, and train your staff before the January crunch. Firms that wait until December end up choosing between compliance work and client work.
Get Your WISP Done Right
Simplicity IT helps accounting firms across San Diego County meet the Safeguards Rule with a practical approach: a real risk assessment, the technical safeguards implemented and monitored, and a WISP written for your firm instead of a generic template. Contact us to get compliant before filing season. Schedule your Discovery Call here.


