What Does FTC Compliance Truly Mean for Tax or Accounting Offices?

Rohan Sookdeo
April 15, 2026
rohan@streamlinedtsm.com
Let's Be Honest — Most Accounting Offices Are Flying Blind on FTC Compliance

Here's something most consultants won't say out loud: the majority of small tax and accounting offices are not actually compliant with Federal Trade Commission (FTC) regulations — and most of them don't know it.

That's not a knock on you or your team. You got into this business to help people manage their money, file their returns, and build financial stability. You didn't sign up to become a cybersecurity expert. But the rules have changed, and the gap between "we think we're fine" and "we're actually protected" is wider than most practice owners realize.

The good news? You don't have to figure this out alone. But the first step is getting clear on what FTC compliance actually means for a practice like yours.

---

So What Does FTC Compliance Actually Mean for Your Practice?

When most people hear "FTC compliance," they think of big corporations getting fined for shady advertising. But the FTC also has direct authority over how financial services businesses — including tax and accounting offices — protect customer data.

The law you need to know is the Gramm-Leach-Bliley Act (GLBA). It requires financial institutions, including tax preparers, to protect the personal financial information of their clients. The FTC enforces this through what's known as the Safeguards Rule. [You can read the FTC's official guidance here: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know]

In plain English: if you collect, store, or process financial data for clients — and you do — you are legally required to have a formal plan for protecting it.

---

The Safeguards Rule Isn't Just a Tech Problem — It's Your Problem

A lot of practice owners hear "cybersecurity" and immediately think, "That's an IT thing." And while technology is part of the equation, the Safeguards Rule is fundamentally a business responsibility.

The FTC's updated Safeguards Rule, which took effect in 2023, requires you to have a written information security program. That program needs to cover things like who has access to client data, how you respond if there's a breach, and how you manage any outside vendors who touch that data.

This isn't optional, and it doesn't have a carve-out for small offices. Whether you have two employees or twenty, the rule applies to you.

The National Institute of Standards and Technology (NIST) has developed a widely used cybersecurity framework that maps directly to what the Safeguards Rule requires. [You can explore it here: https://www.nist.gov/cyberframework]

---

Your Clients Trust You With More Than Their Numbers

Think about what a typical client hands you during tax season. Their Social Security number. Their bank account details. Their investment records. Their business revenue. Sometimes their medical expense documentation.

This is some of the most sensitive personal information a person has. And they give it to you because they trust you — not just with their money, but with their identity, their privacy, and in many ways, their security.

That trust is your most valuable business asset. And right now, cybercriminals know that small accounting offices are a goldmine. You hold high-value data, and you often have far fewer protections than a large financial institution.

The Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly flagged small professional services firms as high-priority targets. [See their resources for small businesses here: https://www.cisa.gov/resources-tools/resources/small-business-cybersecurity-corner]

---

Where Most Tax and Accounting Offices Drop the Ball

After twenty years in enterprise information technology (IT), I've seen the same gaps show up again and again in small practices. And they're almost never about malicious intent — they're about not knowing what you don't know.

The most common problems I see are using personal email accounts for client communications, storing sensitive documents in unsecured cloud folders, never testing whether backups actually work, having no written policy for what happens when an employee leaves, and working with outside bookkeepers or software vendors without any formal data-sharing agreement in place.

Each one of these is a vulnerability. And under the Safeguards Rule, each one is also a compliance gap.

The Department of Health and Human Services (HHS) has useful guidance on data handling that applies broadly to professional services, even outside the healthcare space. [See: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html] The principles are the same: know what data you have, know who can access it, and know what happens if something goes wrong.

---

What a Real Compliance Framework Looks Like for a Small Practice

Here's the thing about compliance — it doesn't have to be complicated to be effective. For a small tax or accounting office, a real framework comes down to six core areas.

First, you need to designate someone responsible for your information security program. That person doesn't have to be technical, but they need to be accountable. Second, you need a written risk assessment that identifies where your client data lives and what threats exist.

Third, you need technical safeguards — things like multi-factor authentication (MFA), encrypted file storage, and strong password policies. Fourth, you need to train your staff. Your team is often your biggest vulnerability, not because they're careless, but because they haven't been taught what to watch for.

Fifth, you need a vendor management process. If a third-party tool or contractor touches your client data, you need a written agreement that holds them to the same standards. Sixth, you need an incident response plan — a clear, written procedure for what you do if something goes wrong.

None of this requires a massive budget. It requires intention, documentation, and the right guidance.

---

The Cost of Getting This Wrong Is Higher Than You Think

Let's talk about what's actually at stake. An FTC enforcement action can result in significant fines. A data breach can trigger state notification laws, civil liability, and reputational damage that takes years to recover from. And in a relationship-driven business like tax and accounting, reputation is everything.

The average cost of a data breach for a small business now runs into six figures when you factor in forensics, notification, legal fees, and lost clients. That number tends to come as a shock to practice owners who assumed their general liability insurance would cover it.

It usually doesn't.

Beyond the financial exposure, there's a personal cost. The stress of managing a breach while trying to keep your practice running and retain client trust is something no business owner should have to go through. Especially when prevention is genuinely within reach.

---

Compliance Isn't a Checkbox — It's a Client Promise

Here's the mindset shift that matters most: FTC compliance isn't something you do to avoid a fine. It's something you do because your clients deserve it.

When someone trusts you with their financial life, they're extending a level of confidence that most people only give to a handful of professionals. Their doctor. Their attorney. And you.

Living up to that trust means more than filing an accurate return or giving solid tax advice. It means protecting the information they've given you with the same care and seriousness you bring to everything else in your practice.

Compliance, done right, is a promise you make to every client who walks through your door.

---

Where Do You Go From Here?

If you've read this far and you're thinking, "I'm not sure where we actually stand," that's a completely normal place to be — and it's exactly the right question to be asking.

The best next step is an honest, structured look at your current practices. Not a sales pitch. Not a list of things to buy. Just a clear-eyed assessment of where you are, where the gaps are, and what it would take to close them.

That's exactly what a Gap Assessment is designed to do. At Streamlined Technology Services, we offer a free Gap Assessment for tax and accounting offices that want to understand their true compliance posture under the FTC Safeguards Rule.

No jargon. No pressure. Just answers.

Ready to find out where you actually stand? [Schedule your free Gap Assessment with STS today.]

Rohan Sookdeo
Compliance Consultant, Streamlined Technology Services

Know where you stand before moving forward.

A free assessment tells you exactly what's missing. A written report is yours to keep — no strings attached, no pressure, no unwanted follow-ups. The report stays with you regardless of what you decide to do next.

Thirty minutes. One report. Everything you need to know.