Legacy Core™

Regulatory context

CPAs & Tax Preparers

Accounting firms and tax preparers handling client financial data

Binding framework

FTC Safeguards Rule (16 CFR Part 314) under the Gramm-Leach-Bliley Act

Federal law — the FTC Safeguards Rule — requires every CPA and tax preparer handling client financial data to maintain a written information security plan. Civil penalties can reach $43,792 per violation.

Key obligations (summary)

  • Written Information Security Plan (WISP) maintained and updated
  • Qualified individual overseeing the information security program
  • Multi-factor authentication on systems containing client nonpublic personal information
  • Encryption of sensitive data at rest and in transit
  • Access controls limiting data access by job function
  • Written incident response plan
  • Breach reporting to the FTC within 30 days when 500+ consumers are affected (effective May 2024)

How Legacy Core fits

A Legacy Core credential documents demonstrated readiness aligned with NIST CSF 2.0 and CIS Controls v8 — it does not certify WISP or FTC Safeguards compliance. It gives clients a verifiable readiness record alongside the federal obligations you already carry.

Do not claim

  • · Legacy Core credential equals FTC Safeguards or WISP compliance
  • · Any percentage of CPA firms out of compliance (not verified in published sources)

Primary sources

Confidence: HIGH. Last reviewed 2026-07-13.

Boundary

What a Legacy Core credential does not attest to

A Trust Badge documents demonstrated readiness against a dated Standards Release (assessment basis: NIST CSF 2.0 and CIS Controls v8). It is not a substitute for industry-specific legal or regulatory obligations.

  • FTC Safeguards Rule or WISP compliance (CPAs / tax preparers)
  • HIPAA compliance or OCR audit readiness (medical / dental)
  • ABA or State Bar ethics sign-off (attorneys)
  • SEC Regulation S-P compliance (investment advisers)
  • NAIC Insurance Data Security Model Law (including in California — not adopted)
  • CCPA cybersecurity audit certification (threshold-gated regulation)
  • Cyber insurance approval or claim guarantee
  • Penetration test, SOC 2, CMMC, or government endorsement

Legacy Core is aligned with NIST CSF 2.0 and CIS Controls v8. Legacy Core is not affiliated with, endorsed by, or accredited by NIST, CIS, or any government agency. Tracking a framework does not constitute a determination of legal or regulatory compliance.

Industry-specific obligations by vertical: Regulatory context guides

CPAs & Tax Preparers — Regulatory Context | Legacy Core | Legacy Core