Under the Gramm-Leach-Bliley Act, the FTC's Safeguards Rule applies to all financial service providers, including CPA firms and tax preparers. The updated rule, which took full effect in 2023, sets specific requirements for how firms must protect client financial data.
IRS Publication 4557 adds further guidance specifically for tax preparers, including a strong recommendation to create and maintain a Written Information Security Plan (WISP). But the WISP is only the beginning. The real requirement is that the technical controls described in that document are actually implemented and working.
The technical controls required include:
Important: I am an IT technician, not a compliance auditor or attorney. I help firms set up and maintain the technical controls their compliance documents describe. For questions about legal interpretation of the Safeguards Rule or your specific compliance obligations, work with a qualified attorney or compliance professional.
The IRS Data Security Summit, run jointly by the IRS, state tax agencies, and the tax industry, has repeatedly found that many small firms downloaded a WISP template, filled it out, and filed it away. The document might say "we use multi-factor authentication" but MFA was never actually turned on. It might say "data is encrypted" but the laptops were never configured with encryption.
That gap matters. If your firm experiences a data breach and regulators find that your WISP described controls you never implemented, the liability exposure is significant. The IRS now requires tax professionals to report data thefts, and state attorneys general enforce the Safeguards Rule with real penalties.
The good news: most of the required technical controls are not complicated to set up. The problem is almost always that nobody got around to it, or the firm doesn't have an IT person who knows what to configure.
I work with CPA firms and tax preparation offices across Bonner County and North Idaho to get the technical side of their security program actually working:
Turn on and test multi-factor authentication for Microsoft 365, QuickBooks, Drake, Lacerte, UltraTax, and any cloud portal your staff uses.
Enable BitLocker or FileVault on every laptop and workstation, so a lost or stolen device does not become a reportable breach.
Set up encrypted, automated backups with monthly restore tests, so you have proof the backup actually works, not just that the job ran.
Set up individual user accounts and permission levels so each employee only reaches what they need, and former employees are removed immediately.
Deploy and manage business-grade antivirus and endpoint detection on every device, with alerts when something needs attention.
Set up automated patch management for Windows, macOS, and third-party software, with monthly reports showing what was updated and when.
I also maintain documentation you can point to during a review: patch logs, backup verification records, and a list of what controls are in place and when they were last checked. This is the kind of evidence that shows a regulator or auditor that your WISP isn't just a document.
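As an added illustration of the kind of evidence described above (this script is not part of the original page and is not the author's own tooling), the following PowerShell snippet gathers the current state of four of the controls listed, disk encryption, endpoint protection, patching, and local account hygiene, from a Windows workstation into a timestamped text file. It assumes Windows 10/11 Pro with BitLocker and Microsoft Defender, an elevated PowerShell session, and an output folder path (C:\SecurityEvidence) that is a placeholder to adjust per firm.

```powershell
# Added example: collect control-status evidence from one Windows workstation.
# Assumes Windows 10/11 Pro, BitLocker and Microsoft Defender present, run as Administrator.
# $ReportDir is an assumed placeholder path; change it to the firm's evidence folder.

$ReportDir = "C:\SecurityEvidence"
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$Stamp  = Get-Date -Format "yyyy-MM-dd_HHmm"
$Report = Join-Path $ReportDir ("control-check_{0}_{1}.txt" -f $env:COMPUTERNAME, $Stamp)

$lines = @()
$lines += "Control evidence for $env:COMPUTERNAME collected $(Get-Date)"

# 1. Disk encryption: each fixed volume should report FullyEncrypted with protection On.
foreach ($vol in Get-BitLockerVolume) {
    $lines += "BitLocker {0}: {1}, protection {2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus
}

# 2. Endpoint protection: real-time protection enabled and signatures recent.
$mp = Get-MpComputerStatus
$lines += "Defender real-time protection enabled: $($mp.RealTimeProtectionEnabled)"
$lines += "Defender signature age (days): $($mp.AntivirusSignatureAge)"

# 3. Patching: the most recently installed Windows update on this machine.
$lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$lines += "Last hotfix: $($lastFix.HotFixID) installed $($lastFix.InstalledOn)"

# 4. Access control: who holds local admin rights, and enabled local accounts
#    with no logon in 90 days (accounts that never logged on are flagged too).
$admins = Get-LocalGroupMember -Group "Administrators" | ForEach-Object { $_.Name }
$lines += "Local Administrators: $($admins -join ', ')"
$cutoff = (Get-Date).AddDays(-90)
$stale  = Get-LocalUser | Where-Object { $_.Enabled -and ($_.LastLogon -lt $cutoff) }
foreach ($u in $stale) { $lines += "Enabled local account with no logon in 90 days: $($u.Name)" }

# Write the report; keep these files as the dated record a reviewer can be shown.
$lines | Set-Content -Path $Report
Write-Host "Wrote $Report"
```

Run it on a monthly schedule and keep the dated files together with backup restore records; a reviewer asking "is BitLocker actually on" can then be answered with the report for that month rather than with the WISP's description.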
Most IT services for small businesses are remote-only. That's fine for basic support, but when you need to physically configure a server, encrypt a device, or set up a new workstation for tax season, remote-only doesn't cut it.
I'm based in Sagle and cover Sandpoint, Ponderay, Dover, and surrounding Bonner County. When you need something done in person, I'm there the same day. When something breaks during tax season, you call my cell, not a help desk.
Talk to Sean About Your Firm
Free 30-minute consultation. No pressure, no jargon, just an honest look at where things stand and what it would take to get your technical controls in place.