FTC Safeguards Rule: A Plain-English Compliance Guide for Small Businesses


    The FTC Safeguards Rule is a federal regulation that requires small businesses that handle customer financial data to maintain a written cybersecurity and data protection program. It applies to CPA firms, accounting practices, tax preparers, and other service providers that access nonpublic financial information. Businesses must document their security policies, perform regular risk assessments, protect data with technical safeguards like multi-factor authentication and encryption, train employees, and continuously monitor and update their security program. Compliance is mandatory regardless of business size, and failure to comply can result in penalties, client trust loss, and regulatory action.


    If your business handles customer financial data, as CPA firms, accounting practices, and professional services companies typically do, you are likely subject to the FTC Safeguards Rule, whether you realize it or not.

    Most small businesses do not learn about this rule until after a security incident, a client complaint, or a regulator inquiry.

    This guide explains the FTC Safeguards Rule in plain English: who it applies to, what it requires, and what small businesses need to do to stay compliant without legal or technical overload.

    What Is the FTC Safeguards Rule?

    The FTC Safeguards Rule is a federal regulation that requires certain businesses to protect customer information.

    In simple terms: if your business stores, processes, or transmits nonpublic customer financial information, you must have a documented security program that protects that data.

    The rule is part of the Gramm-Leach-Bliley Act and applies to many organizations that do not consider themselves financial institutions.

    Who the FTC Safeguards Rule Applies To

    The rule applies to far more businesses than most owners expect, including:

    • CPA firms and accounting practices
    • Tax preparers and payroll providers
    • Bookkeepers and outsourced finance teams
    • Financial advisors and consultants
    • Loan processors and finance companies
    • Any business that handles consumer financial data for others

    If you work with banking information, tax records, social security numbers, payroll data, or client financial statements, the rule likely applies.

    Business size does not matter; even firms with one to ten employees must comply.

    What the FTC Safeguards Rule Requires

    The rule does not mandate specific products or vendors; instead, it focuses on outcomes.

    At a high level, your business must implement three core elements.

    A Written Information Security Program

    You must maintain a written plan that explains how your business protects customer data. This includes administrative safeguards, technical safeguards, and physical safeguards.

    Examples of technical safeguards include:

    • Requiring multi-factor authentication for anyone accessing client files
    • Encrypting sensitive data both in storage and when sent via email
    • Automatically locking systems after periods of inactivity
    • Maintaining access logs that show who viewed or modified client information

    Physical safeguards might include locked filing cabinets for paper records, restricted access to server rooms, and secure disposal procedures for old hardware.

    A Risk-Based Security Program

    You must perform a formal risk assessment, identify where customer data exists, evaluate threats and vulnerabilities, and document how risks are mitigated or accepted.

    This is not a one-time task; your security plan must be reviewed and updated regularly.

    A risk assessment might reveal issues such as:

    • Client tax documents stored in a shared folder with no access restrictions
    • Employees using personal devices without security policies
    • Former staff who still have active login credentials
    • Sensitive data being sent via unencrypted email
    • No documented process for responding to a data breach

    Each gap becomes a documented risk with a corresponding remediation plan or formal acceptance of the risk.

    Ongoing Monitoring, Testing, and Improvement

    Compliance is ongoing, not a one-time project. You must monitor systems for security issues, test controls, train employees on cybersecurity awareness, and regularly evaluate your program for effectiveness.

    Practical examples of ongoing monitoring include:

    • Quarterly reviews of who has access to sensitive systems
    • Annual penetration testing or vulnerability scans
    • Phishing simulations to test employee awareness
    • Documented incident response drills
    • Regular review of vendor security practices
    • Updating policies when you adopt new software or change workflows
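    As an added illustration of the quarterly access review above (and of the "former staff who still have active login credentials" gap from the risk assessment list), here is a short Python script that is not part of the original guide and not Office Heroes' own tooling. It compares a constructed identity-provider account export against a constructed HR roster and emits findings that can be pasted straight into a risk register. The review date, the 90-day inactivity threshold, the group names, and the account names are all constructed assumptions; in practice the two inputs would be exported from your identity provider and your HR system.

```python
"""Quarterly access review: constructed account export vs. constructed HR roster.

Added example, not from the original guide. Every value below is constructed;
swap in real exports from the identity provider and HR system to use it.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

REVIEW_DATE = date(2025, 3, 31)      # assumed date the review is run
STALE_AFTER = timedelta(days=90)     # assumed inactivity threshold

# Groups whose membership grants access to nonpublic customer data (assumed names).
SENSITIVE_GROUPS = {"ClientFiles", "Payroll", "ServerAdmins"}


@dataclass
class Account:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]       # None = has never signed in interactively
    groups: Tuple[str, ...]


# Constructed HR roster: usernames of people currently employed.
ACTIVE_STAFF = {"alice", "bob", "carol"}

# Constructed list of service accounts that are approved to exist without a person.
APPROVED_SERVICE_ACCOUNTS = {"svc-backup"}

# Constructed identity-provider export.
ACCOUNTS = [
    Account("alice", True, True, date(2025, 3, 28), ("ClientFiles",)),
    Account("bob", True, False, date(2025, 3, 30), ("ClientFiles", "Payroll")),
    Account("carol", True, True, date(2024, 11, 2), ("Payroll",)),
    Account("dave", True, True, date(2025, 1, 15), ("ClientFiles",)),  # left the firm, never offboarded
    Account("svc-backup", True, False, None, ("ServerAdmins",)),
]


def review_access(accounts: List[Account], active_staff: Set[str],
                  service_accounts: Set[str], review_date: date = REVIEW_DATE
                  ) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every enabled account that needs attention."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are not an access risk for this review
        touches_sensitive = bool(set(acct.groups) & SENSITIVE_GROUPS)

        # Gap 1: an enabled account with no matching employee or approved service account.
        if acct.username not in active_staff and acct.username not in service_accounts:
            findings.append((acct.username, "enabled account with no matching active employee"))

        # Gap 2: access to customer data without multi-factor authentication.
        if touches_sensitive and not acct.mfa_enrolled:
            findings.append((acct.username, "sensitive-group access without MFA"))

        # Gap 3: account has not signed in within the inactivity threshold.
        if acct.last_login is not None and review_date - acct.last_login > STALE_AFTER:
            findings.append((acct.username, f"no sign-in for more than {STALE_AFTER.days} days"))
    return findings


def flagged_users(findings: List[Tuple[str, str]]) -> Set[str]:
    """Distinct usernames that appear in the findings."""
    return {user for user, _ in findings}


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, ACTIVE_STAFF, APPROVED_SERVICE_ACCOUNTS):
        print(f"{user}: {finding}")
```

Each line the script prints is one documented risk: the owner decides whether to remediate it (disable the account, enrol MFA, confirm the person still needs access) or to formally accept it, and keeps the output with the quarter's review records.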

    The Qualified Individual Requirement

    The FTC Safeguards Rule requires you to designate a Qualified Individual who oversees the security program.

    Key points:

    • The Qualified Individual must have accountability for the program.
    • You do not need a full-time CISO or dedicated security staff.
    • You may use external partners for tools, guidance, and execution, but internal accountability remains.

    Most small businesses assign this role to an owner, managing partner, operations lead, or IT lead.

    What Happens If You Ignore the Rule

    Failure to comply can result in:

    • Regulatory penalties and fines from the FTC
    • Forced remediation under regulatory supervision
    • Client trust loss and damaged relationships
    • Cyber insurance claim denial after an incident
    • Public breach notification requirements
    • Lawsuits from affected clients
    • Long-term reputational damage

    For CPA firms and financial service providers, a single incident can cost more than years of compliance investment would have.

    Common FTC Safeguards Rule Myths

    “We are too small to be targeted.” Small businesses are actually targeted more frequently because attackers know their security controls are typically weaker. Automated attacks do not discriminate by company size.

    “Microsoft 365 makes us compliant.” Technology alone does not satisfy the rule. You still need documented policies, employee training, formal risk assessments, and governance processes. M365 is a tool—not a compliance program.

    “Our IT provider handles security.” Your IT provider may manage technical controls, but compliance requires documentation, accountability, and oversight that only your business can provide. The FTC holds you responsible, not your vendors.

    How Office Heroes Helps Small Businesses Comply

    Office Heroes helps small and regulated businesses meet the FTC Safeguards Rule requirements without enterprise complexity.

    Our approach includes:

    • Co-developed Written Information Security Program (WISP) documentation tailored to your business
    • Annual risk assessments with clear findings and remediation guidance
    • Security controls mapped directly to FTC requirements
    • Employee security awareness training
    • Ongoing monitoring, testing, and reporting
    • Clear responsibility boundaries so you know exactly what we handle and what stays with you

    Learn more: FTC Compliance Assessment

    Know Where You Stand in 30 Minutes

    If you are unsure whether your business is compliant, the fastest first step is a baseline FTC compliance assessment.

    Our FTC Compliance Assessment is a focused 30-minute conversation where we review your current security practices against the nine core requirements of the Safeguards Rule. You will walk away with:

    • A clear picture of where you stand today
    • Identification of gaps that need attention
    • Prioritized recommendations on what to address first

    This assessment is free and comes with no obligation—whether you work with us or not, you will have the clarity you need to make informed decisions.

    Schedule Your Free Assessment


    Not Sure Where to Start?

    We’ve created a complete library of FTC Safeguards Rule resources for small businesses and CPA firms—including WISP templates, risk assessment worksheets, and employee training guides. Our FTC Safeguards Rule Compliance Guide walks through each requirement step-by-step, with downloadable checklists and implementation timelines designed for small teams.

    Explore the Full Compliance Guide

    Author Profile

    Peter Zendzian is the Founder & Chief Cybersecurity Strategist at Office Heroes, a cybersecurity-focused Managed IT Service Provider helping CPA firms, law firms, credit unions, defense contractors, and small regulated businesses stay secure, compliant, and audit-ready.

    Peter served more than 20 years in the U.S. Navy, retiring as a Chief Petty Officer after leading secure communications, cybersecurity operations, and technology teams across joint military environments. His background in classified systems, compliance, risk management, and operational security directly shapes Office Heroes’ modern, practical approach to protecting small businesses.

    He is the co-author of two bestselling cybersecurity books:

    • Your Business Must Have a Cybersecurity Risk Assessment
    • Cybersecurity Essentials for Small Businesses

    Peter is a trusted advisor to business owners and a subject matter expert in:

    • FTC Safeguards Rule compliance
    • GLBA compliance
    • NIST SP 800-171
    • CMMC Level 2 readiness
    • Microsoft 365 and Azure security
    • Endpoint protection, EDR, and vulnerability management
    • Data protection, disaster recovery, and cloud resilience
    • Secure remote access and Azure Virtual Desktop
    • Small business workflow automation

    Certifications & Recognition

    • Retired U.S. Navy Chief Petty Officer (E-7)
    • DoD Cyber & Communications Leadership Training
    • 20+ years managing classified systems and secure communications
    • Co-author of two bestselling cybersecurity books
    • Expert in FTC Safeguards, GLBA, NIST SP 800-171, and CMMC Level 2
    • Microsoft 365 and Azure security practitioner
    • Specialist in data protection, disaster recovery, and ransomware defense

    Peter’s mission is simple: to make world-class cybersecurity, compliance, and IT support accessible to small businesses that don’t have internal IT or security teams — giving them the protection, clarity, and confidence they deserve.
