Evolving technology has created the need for advanced regulations regarding the safeguarding of customer data. In 2021, the Federal Trade Commission (FTC) updated the requirements of the Standards for Safeguarding Customer Information, known as the Safeguards Rule (16 C.F.R. Part 314) under the Gramm-Leach-Bliley Act, P.L. 106-102. A final rule issued on Dec. 9, 2022 (86 Fed. Reg. 70272) took effect retroactively to Jan. 10, 2022, but some provisions’ requirements (listed below) were postponed and will go into effect on June 9, 2023.
The Safeguards Rule applies to all businesses significantly engaged in providing financial services, notably including professional tax preparers and CPA firms. The revised rules provide more concrete guidance for businesses while keeping pace with current technology and emerging threats. As part of the Safeguards Rule, covered financial services institutions — even sole proprietors and small firms — must develop, implement, and maintain a written information security plan that describes how the business will safeguard and protect its clients’ nonpublic personal information. The plan must address administrative, technical, and physical safeguards to protect this information, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the financial services institution.
The scope of the information security plan should be tailored to the individual firm. The plan should be appropriate for the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information involved. The plan for a sole proprietor will look different from that of a 10-person firm and vastly different from that of a multi-office operation. Exceptions from some requirements apply to firms and other covered financial services institutions that maintain customer information concerning fewer than 5,000 customers, as noted below (see 16 C.F.R. §314.6). Regardless of the firm’s size and complexity, however, the objectives of the plan are the same: to ensure the security and confidentiality of customer information, to protect against anticipated threats to its security, and to protect against unauthorized access to it.
Nine elements of an information security plan
Creating an information security plan to meet these objectives is an involved, multistep process — more than filling out a standard checklist or boilerplate document. Section 314.4 of the Safeguards Rule prescribes nine elements that must be included when developing, implementing, and maintaining an information security plan:
Designated individual in charge
Firms must designate a qualified individual to be responsible for overseeing, implementing, and enforcing the information security program. This individual may be either an employee or someone outside the firm; however, responsibility for compliance with the Safeguards Rule remains with the firm, and a senior member of the firm should be designated to oversee any outside party. Smaller firms may need to rely heavily on their IT vendor for a plan to secure digital information and may designate the IT vendor as the qualified individual if an owner or manager is not an optimal or suitable option.
A risk assessment must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in its unauthorized disclosure, misuse, or other compromise. The risk assessment must assess the sufficiency of any safeguards in effect to control these risks and must be periodically performed and the safeguards reassessed.
For firms maintaining information of at least 5,000 customers, the risk assessment must be in writing and address:
- Criteria for evaluating and categorizing identified security risks;
- Criteria for assessing the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of existing controls based on the identified risks; and
- How the identified risks will be mitigated or accepted based on the risk assessment and how the information security program addresses them.
The starting point for this assessment is to inventory where customer information is stored and then to assess the foreseeable risks to its security. Information storage may include physical files, data on local computers or local or remote servers, backups, and data stored in various applications used within the business. Risk assessments should include internal risks, such as the misuse of information by a staff member, and external risks, such as a breach that allows access to data by a third party, as well as the evaluation of those risks and any safeguards implemented for controlling them. Some specific risks may be tolerable if the potential for the threat is low and the potential harm or inconvenience it poses is low; each risk should be evaluated within the assessment.
A nonexhaustive list of security features and policies that firms may consider in the risk-assessment process would include:
- Password strength policies and their enforcement;
- Employee background checks;
- Inactivity locks on screens;
- File storage and locks on file cabinets and rooms;
- Encryption of data when it is transmitted electronically;
- Monitoring inbound and outbound transfers of data and its access;
- Shredding and disposal policies for documents and computer hardware;
- Software updates and virus protection;
- Password protection;
- Policies for removal of employees’ access to systems upon their termination from employment;
- Policies regarding data access, use, and transportation when working remotely;
- Access to data on public networks;
- Policies to verify identification for information requests from customers or third parties;
- Policies regarding nonmonitored personal devices for accessing customer information;
- Access by cleaning and building maintenance staff or other service providers not under direct contract; and
- Vendor engagement and monitoring.
Firms must next design and implement safeguards to control the risks identified through the risk assessment. These safeguards must include technical and physical controls to authenticate and permit access only to authorized users and limit the authorized users’ access to only the information they need to perform their duties. Data should be segregated, with stratified levels of access, according to the user’s needs. The scope of access and controls on it should be reevaluated periodically.
Firms should identify and manage the data, personnel, devices, systems, and facilities in accordance with their relative importance and the business’s risk strategy. Periodically inventory data and where it is collected, stored, and transmitted, including associated systems, devices, platforms, and personnel. Changes to any of the inventories should trigger reevaluation of and changes to risk management policies.
Encrypt all customer information the firm stores or transmits. Implement procedures for evaluating, assessing, and testing the security of the applications by which the firm transmits, accesses, or stores customer information. Implement multifactor authentication that requires at least two of the following types of authenticators to access any nonpublic customer information:
- A knowledge factor (such as a password);
- A possession factor (such as a token or key); or
- An inherence factor (such as a biometric characteristic).
Multifactor authentication should be established for all users, including customers accessing their own data through a firm’s client portal. Exceptions to multifactor restrictions can only be made if the designated qualified individual approves in writing the use of reasonably equivalent or more secure access controls.
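The factor-type requirement above has a subtlety that is easy to get wrong when reviewing a login policy: two authenticators of the same type (a password plus a security question, for instance) are both knowledge factors and do not satisfy the Rule. The following Python is an added illustration, not code from the article, the FTC, or the AICPA; the authenticator catalogue, the policy names, and the `written_exception_approved` flag are constructed for the example, and the flag stands in for the qualified individual's written approval of an equivalent control.

```python
"""Evaluate whether a login policy meets the Safeguards Rule's multifactor
requirement: at least two distinct factor types (knowledge, possession,
inherence). Hypothetical example; the authenticator catalogue is constructed."""

from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows
    POSSESSION = "possession"  # something the user has
    INHERENCE = "inherence"    # something the user is


# Constructed catalogue: which factor type each authenticator kind provides.
AUTHENTICATOR_FACTORS = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "totp_app": Factor.POSSESSION,
    "hardware_key": Factor.POSSESSION,
    "sms_code": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


@dataclass(frozen=True)
class MfaDecision:
    compliant: bool
    factor_types: frozenset
    reason: str


def evaluate_mfa(authenticators, written_exception_approved=False):
    """Decide whether a policy's authenticators satisfy the two-type rule.

    authenticators: iterable of kinds listed in AUTHENTICATOR_FACTORS.
    written_exception_approved: True only when the qualified individual has
    approved, in writing, a reasonably equivalent or more secure control.
    """
    unknown = [a for a in authenticators if a not in AUTHENTICATOR_FACTORS]
    if unknown:
        raise ValueError(f"unknown authenticator kinds: {unknown}")
    types = frozenset(AUTHENTICATOR_FACTORS[a] for a in authenticators)
    if len(types) >= 2:
        return MfaDecision(True, types, "two or more distinct factor types")
    if written_exception_approved:
        return MfaDecision(True, types, "written exception by qualified individual")
    if len(list(authenticators)) >= 2:
        # The common failure: several prompts, but all of one factor type.
        return MfaDecision(False, types, "multiple authenticators but a single factor type")
    return MfaDecision(False, types, "single factor")


def audit_policies(policies):
    """Evaluate a mapping of policy name -> (authenticators, exception flag)."""
    return {name: evaluate_mfa(auths, exc) for name, (auths, exc) in policies.items()}


if __name__ == "__main__":
    # Constructed policies for illustration.
    sample = {
        "staff_vpn": (["password", "hardware_key"], False),
        "client_portal": (["password", "security_question"], False),
        "legacy_portal": (["password"], True),
    }
    for name, decision in audit_policies(sample).items():
        status = "OK" if decision.compliant else "NON-COMPLIANT"
        print(f"{name}: {status} ({decision.reason})")
```

Running the block reports the client portal as non-compliant even though it prompts twice, which is the case reviewers most often miss; the legacy portal passes only because the exception flag is set, so that approval should exist as a written record the annual report can point to.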
Firms also should develop, implement, and maintain a disposal policy for customer information and review it regularly for any unnecessary data retention. Customer data must be disposed of no more than two years after its last access unless it is otherwise required to be kept by law or regulation or is for legitimate business purposes, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
Adopt procedures for monitoring and adapting to risks associated with changes made to the system that may undermine existing security measures. Such changes may include those of software or applications, vendors, access policies or protocols, or office location or personnel.
Implement policies, procedures, and controls to monitor and log the activity of authorized users and detect unauthorized access to or use of customer information. Software and applications may include audit log features that log all activity and can be checked periodically for suspicious activity; additional monitoring can be achieved with test controls such as fictitious customer accounts to monitor for unnecessary access of customer data.
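The two monitoring ideas above, checking audit logs for suspicious activity and seeding fictitious customer accounts as tripwires, can be combined with the least-privilege principle from the safeguards discussion (each user should touch only the accounts assigned to them) in one small detection routine. The Python below is an added example and not code from the article or any product; the log line format, the canary account ids, the staff-to-account assignments, and the bulk-access threshold are all constructed for illustration.

```python
"""Scan audit-log lines for (1) any access to fictitious canary accounts,
(2) access to customer accounts outside a user's assignment, and (3) one user
touching an unusual number of distinct accounts. Hypothetical example; the
log format, roles and account ids are constructed."""

import re
from collections import defaultdict

# Constructed log format: ISO timestamp, user, action, customer account id.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+account=(?P<account>\S+)$"
)

# Constructed: fictitious accounts that exist only as tripwires.
CANARY_ACCOUNTS = {"CUST-90001", "CUST-90002"}

# Constructed: which customer accounts each staff member is assigned to.
ASSIGNMENTS = {
    "alice": {"CUST-10001", "CUST-10002"},
    "bob": {"CUST-10003"},
}

# Constructed: distinct accounts one user may touch before it is flagged.
BULK_THRESHOLD = 3

# Constructed sample log for the demonstration.
SAMPLE_LOG = """\
2023-05-01T09:02:11 user=alice action=view account=CUST-10001
2023-05-01T09:05:42 user=alice action=view account=CUST-10002
2023-05-01T09:07:03 user=bob action=view account=CUST-10003
2023-05-01T09:09:55 user=bob action=export account=CUST-10001
2023-05-01T22:14:09 user=carol action=view account=CUST-90001
this line is not a log entry
""".splitlines()


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_audit_log(lines):
    """Return a list of (severity, message) findings for the given lines."""
    findings = []
    accounts_by_user = defaultdict(set)
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None:
            # Unparseable entries are worth a look: log tampering or a format change.
            findings.append(("warn", f"line {n}: unparseable entry"))
            continue
        accounts_by_user[ev["user"]].add(ev["account"])
        if ev["account"] in CANARY_ACCOUNTS:
            # No legitimate workflow touches a canary account.
            findings.append(("high", f"line {n}: {ev['user']} accessed canary {ev['account']}"))
        elif ev["account"] not in ASSIGNMENTS.get(ev["user"], set()):
            # Least privilege: access outside the user's assigned accounts.
            findings.append(("medium", f"line {n}: {ev['user']} accessed unassigned {ev['account']}"))
    for user, accounts in accounts_by_user.items():
        if len(accounts) >= BULK_THRESHOLD:
            findings.append(("medium", f"{user} touched {len(accounts)} distinct accounts "
                                       f"(threshold {BULK_THRESHOLD})"))
    return findings


if __name__ == "__main__":
    for severity, message in scan_audit_log(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

On the sample log this yields three findings: bob's export of an account he is not assigned to, carol's access to a canary account, and the unparseable line. The canary rule is the one that needs no tuning, since any hit is actionable; the assignment and bulk rules depend on keeping the assignment inventory current, which is exactly the periodic inventory the Rule asks for.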
Testing and monitoring
Firms maintaining information of at least 5,000 customers must regularly test or monitor the effectiveness of key controls, systems, and procedures. Controls on information systems should be continuously monitored; absent that, there should be periodic penetration testing and vulnerability assessments at least every six months and whenever changes or circumstances arise that may have a material impact on the information security program.
Ensure personnel can implement the information security program by providing adequate training, using qualified personnel, providing security and training updates, and verifying that key personnel maintain current knowledge of changing information security threats and countermeasures.
Assessing service providers
Oversee and monitor service providers by selecting those that can maintain adequate security measures. Require them to implement and maintain such safeguards through contract provisions and periodic assessment for risk and continued adequacy of their safeguards. Monitor vendor reviews and websites for indications of any incidents that require further investigation, and inquire into their policies regarding background and credit checks of their staff.
Evaluate and adjust the information security program for changes based on operation, risk-assessment findings, and other circumstances as needed.
Incident response plan
Firms with information of at least 5,000 customers must establish a written incident response plan to promptly respond to and recover from any security event that results in the unauthorized access to or misuse of customer information the firm maintains. The incident response plan must include or address:
- The plan’s goals;
- Internal responses for responding to a security event;
- Clear roles, responsibilities, and levels of decision-making authority;
- External and internal communications and information sharing;
- A process for remediating any identified weaknesses;
- Documentation and reporting regarding security events and incident response activities; and
- Evaluation and revision of the response plan following a security event.
Firms maintaining information of at least 5,000 customers must require the qualified individual responsible for overseeing the plan to report in writing to the board of directors or, if no such governing body exists, to a senior officer responsible for the information security plan. This report must be made at least annually and include the overall status of and compliance with the information security program and material matters related to it.
The report must also address risk assessments, risk management and control decisions, service provider arrangements, results of testing, security events or violations and responses to them, and recommendations for changes to the information security program. If the designated qualified individual is the sole member of the firm, it is prudent to keep a memorandum in the corporate file containing the required report information to ensure continued compliance.
The requirements under most of the Safeguards Rule’s provisions are already in effect. However, the compliance deadline for some provisions, as noted above, was extended six months to June 9, 2023. The extended provisions include the rules that require companies to:
- Designate a qualified person to oversee their information security program and require that person to report annually to the board of directors or their equivalent;
- Develop a written risk assessment;
- Limit and monitor who can access sensitive customer information;
- Encrypt all sensitive information;
- Train security personnel;
- Develop an incident response plan;
- Periodically assess the security practices of service providers; and
- Implement multifactor authentication for anyone accessing customer information.
As companies, especially smaller ones, achieve compliance with these last provisions by the deadline, it is a good time to reevaluate compliance with all the other provisions of the Safeguards Rule. In an effort to help sole proprietors and smaller financial institutions develop and right-size their information security programs, the FTC has published the FTC Safeguards Rule: What Your Business Needs to Know, which serves as the small-entity compliance guide under the Small Business Regulatory Enforcement Fairness Act of 1996, P.L. 104-121. This guide provides an overview of the obligations and compliance questions small businesses face, but it does not provide an outline for meeting the Safeguards Rule.
The AICPA has published an Information Security Plan Template to use to comply with the Safeguards Rule, which is an excellent starting point for smaller companies and firms to develop a plan. However, as the Safeguards Rule is designed to assess each company’s specific situation, the template cannot be used as a simple or quick fill-in-the-blank form. Each step must be evaluated and considered with regard to the company’s practices and circumstances and completed accordingly. The company’s practices should be recorded and evaluated within the plan template, including evaluation methods and risk-control procedures.
IRS Publication 4557, Safeguarding Taxpayer Data, covers basic security steps for tax professionals and encompasses compliance with the Safeguards Rule. Publication 4557 describes measures a firm can incorporate into its information security plan and includes a checklist for creating a plan that complies with the Safeguards Rule.
These guides are a starting point for small firms that are new to the compliance rules or are unsure where to begin. Filling out a template alone, however, does not fulfill the spirit of the Safeguards Rule and will not place a firm in compliance. Actual risk-assessment and security measures must be put in place and continuously reevaluated for changes and developments. Additionally, the plan must address not only data stored electronically but also physical files.
Noncompliance can cause significant repercussions. In addition to enforcement action, such as penalties and fines, noncompliance can increase the risk of civil liability through private lawsuits. A data breach resulting from inadequate security measures can effectively close a firm due to loss of customer trust, prevent e-filing capability or preparer tax identification number (PTIN) certification, and cost time and money remedying the breach. Additionally, noncompliance may affect a firm’s malpractice coverage in the event of a loss; the malpractice insurance provider should be consulted for policy limitations and applicable data breach coverage.