Legacy Core™
All Trust Briefs

Legacy Core Trust Brief

July 2026High risk

FTC Safeguards Rule: Every Tax Preparer Needs a WISP Today

Federal law requires CPAs and tax preparers handling client financial data to maintain a Written Information Security Plan — with MFA, encryption, access controls, and breach reporting. This is current law, not a recommendation.

  • Regulation
  • Data Privacy

Most relevant to: Accounting / CPA, Professional Services

What Changed

The FTC Safeguards Rule (16 CFR Part 314) requires financial institutions — including tax preparers — to implement and maintain a WISP with designated oversight, MFA, encryption, logging, vendor oversight, and FTC breach notification when 500+ consumers are affected.

Why It Matters for Small Businesses

Chamber audiences in the Inland Empire include accounting firms that may assume cybersecurity is optional until a client or carrier asks for proof. The Safeguards Rule is already binding — with civil penalties up to $43,792 per violation.

What To Do This Month

  • Confirm you have a written WISP dated and reviewed within the last year.
  • Enable MFA on every system that stores or transmits client tax and financial data.
  • Document access controls by role — who can reach client files and why.
  • Maintain a written incident response plan and breach notification procedure.
  • Use Legacy Core readiness credentialing to show documented practices clients can verify — separate from WISP legal compliance.

Legacy Core Trust Tip

A WISP satisfies federal law; a Legacy Core credential gives clients a public, verifiable readiness record. See the CPA regulatory context guide for the full boundary.

Sources

Want your business to show customers you take trust seriously?

Start the Trust Readiness Review to turn everyday good practices into a credential your customers and partners can verify — or book a call to talk it through.

FTC Safeguards Rule: Every Tax Preparer Needs a WISP Today — Legacy Core Trust Brief | Legacy Core