Legacy Core Trust Brief
FTC Safeguards Rule: Every Tax Preparer Needs a WISP Today
Federal law requires CPAs and tax preparers handling client financial data to maintain a Written Information Security Plan — with MFA, encryption, access controls, and breach reporting. This is current law, not a recommendation.
- Regulation
- Data Privacy
Most relevant to: Accounting / CPA, Professional Services
What Changed
The FTC Safeguards Rule (16 CFR Part 314) requires financial institutions — including tax preparers — to implement and maintain a WISP with designated oversight, MFA, encryption, logging, vendor oversight, and FTC breach notification when 500+ consumers are affected.
Why It Matters for Small Businesses
Chamber audiences in the Inland Empire include accounting firms that may assume cybersecurity is optional until a client or carrier asks for proof. The Safeguards Rule is already binding — with civil penalties up to $43,792 per violation.
What To Do This Month
- Confirm you have a written WISP dated and reviewed within the last year.
- Enable MFA on every system that stores or transmits client tax and financial data.
- Document access controls by role — who can reach client files and why.
- Maintain a written incident response plan and breach notification procedure.
- Use Legacy Core readiness credentialing to show documented practices clients can verify — separate from WISP legal compliance.
Legacy Core Trust Tip
A WISP satisfies federal law; a Legacy Core credential gives clients a public, verifiable readiness record. See the CPA regulatory context guide for the full boundary.