CPAs & Tax Preparers
Accounting firms and tax preparers handling client financial data
Binding framework
FTC Safeguards Rule (16 CFR Part 314) under the Gramm-Leach-Bliley Act
Federal law — the FTC Safeguards Rule — requires every CPA and tax preparer handling client financial data to maintain a written information security plan. Civil penalties can reach $43,792 per violation.
Key obligations (summary)
- Written Information Security Plan (WISP) maintained and updated
- Qualified individual overseeing the information security program
- Multi-factor authentication on systems containing client nonpublic personal information
- Encryption of sensitive data at rest and in transit
- Access controls limiting data access by job function
- Written incident response plan
- Breach reporting to the FTC within 30 days when 500+ consumers are affected (effective May 2024)
How Legacy Core fits
A Legacy Core credential documents demonstrated readiness aligned with NIST CSF 2.0 and CIS Controls v8 — it does not certify WISP or FTC Safeguards compliance. It gives clients a verifiable readiness record alongside the federal obligations you already carry.
Do not claim
- · Legacy Core credential equals FTC Safeguards or WISP compliance
- · Any percentage of CPA firms out of compliance (not verified in published sources)
Primary sources
Confidence: HIGH. Last reviewed 2026-07-13.