Protecting client data: A guide to FTC Safeguards for accountants

By Kent Iler, President & CEO of ILER Networking & Computing 

 In recent months, a series of high-profile cyberattacks has left a significant mark on organizations throughout Ohio, underscoring the urgent need for robust cybersecurity measures. Notable incidents include:  

• City of Columbus: Hit by a significant cyberattack in July that targeted the city’s IT infrastructure, leading to the compromise of sensitive data, including personal and financial information of thousands of residents. City IT systems were shut down for over a week, and over 3 terabytes of stolen data were leaked onto the dark web.  

• City of Cleveland: Suffered a crippling ransomware attack in June, leading to a 10-day shutdown of critical systems.  

• Ohio Lottery: In May, a ransomware attack resulted in the theft of over 500,000 records, highlighting vulnerabilities in data protection.  

• CDK Global: Also in June, this attack affected over 15,000 auto dealerships nationwide with ransomware, disrupting business operations.  

These breaches highlight the vulnerability of all organizations, including accounting firms, to cyber threats. As custodians of sensitive client data, accountants must prioritize cybersecurity to protect this critical information from potential attacks.  

To help protect consumer information, the Federal Trade Commission (FTC) has established the Safeguards Rule. This rule mandates that financial institutions, including accounting firms, implement robust security measures to safeguard client data.  

Understanding and complying with these safeguards is critical for meeting legal requirements, protecting your clients and maintaining your firm’s reputation.  

The FTC Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to develop, implement, and maintain a comprehensive information security program. The primary goal of this rule is to ensure that firms handling sensitive financial information take adequate measures to protect it from unauthorized access, use, or disclosure. The rule is designed to be flexible, allowing each firm to tailor its security program to its specific size, complexity, and nature of activities. The GLBA was enacted in 1999, with the latest update going into effect on May 13.  

 
The FTC defines “financial institutions” broadly, covering not only traditional banks and lenders but also accounting firms that provide financial advisory services. As an accountant, you fall under the scope of this rule, making it essential that you understand and comply with its requirements. Compliance is not optional; it’s a legal obligation that protects both your clients and your firm. 

 
The nine key steps of the FTC Safeguards Rule  

1. Designate a qualified individual: The first step in complying with the FTC Safeguards Rule is to designate a qualified individual who will be responsible for overseeing and implementing your firm’s information security program. This person, often referred to as a Chief Information Security Officer (CISO), will ensure that all security measures are effectively managed and maintained. They will also be the point of contact for addressing any security-related issues that may arise. This individual may work for your firm or be a 3rd party that you hire to handle your compliance needs.  

2. Conduct risk assessments: To protect client data effectively, you must first understand the risks your firm faces. A comprehensive risk assessment involves identifying both internal and external threats to the security of customer information. This includes evaluating your firm’s processes, systems, and employee behavior to pinpoint vulnerabilities. By assessing these risks, you can determine which areas need the most attention and prioritize your security efforts accordingly.  

3. Design and implement safeguards: Based on the findings from your risk assessment, the next step is to design and implement appropriate safeguards to control the identified risks. These safeguards should be comprehensive, addressing administrative, technical, and physical aspects of your firm’s operations. For example, you might implement strong encryption for electronic data, establish clear policies for handling sensitive information, and secure physical files in locked cabinets.  

4. Monitor and Test Safeguards: Once safeguards are in place, it’s crucial to regularly monitor and test them to ensure they are functioning as intended. This involves continuous oversight of your security measures, including reviewing access logs, testing the effectiveness of your encryption protocols, and conducting regular audits. Monitoring and testing allow you to identify and address any weaknesses before they can be exploited.  

5. Train staff: Your employees play a critical role in maintaining data security. Without proper training, even the best safeguards can fail. Ensure that all staff members are educated on your firm’s security policies and understand their roles in protecting client information. Training should cover best practices for handling sensitive data, recognizing phishing attempts, and responding to potential security incidents.  

6. Monitor service providers: Many accounting firms rely on third-party service providers for various tasks, such as IT support or cloud storage. It’s essential to ensure that these providers maintain appropriate safeguards for any customer information they handle on your behalf. You should assess their security practices, include data protection requirements in contracts, and monitor their compliance regularly. 

7. Keep your program current: The cybersecurity landscape is constantly evolving, with new threats emerging regularly. To stay ahead of these threats, your information security program must be dynamic and adaptable. Regularly review and update your safeguards to address new risks and incorporate technological advancements. This proactive approach ensures that your security measures remain effective over time.  

8. Create an incident response plan Even with the best safeguards in place, incidents can still occur. That’s why it’s essential to have a well-developed incident response plan. This plan should outline the steps your firm will take in the event of a data breach or other security incident, including how to contain the breach, notify affected clients, and recover compromised data. Having a clear, actionable plan can minimize the impact of a security incident and facilitate a swift recovery.  

9. Oversee the program’s operation The designated individual responsible for your security program should regularly report to your board of directors or governing body. These reports should cover the status of the program, including the results of risk assessments, the effectiveness of safeguards, and any security events that have occurred. Ongoing oversight ensures that the program is operating as intended and that any necessary improvements are made promptly.  

Implementing the FTC Safeguards Rule can seem daunting, but starting with a risk assessment is a practical first step. This assessment will guide the development of your security program by highlighting the areas that need the most attention. Once you have identified the risks, you can begin prioritizing the implementation of safeguards that address the most critical vulnerabilities.  

For safeguards to be effective, they must be integrated into the daily operations of your firm. This means making data security a part of your firm’s culture. Encourage employees to be vigilant about security, from using strong passwords to being cautious about sharing sensitive information. By embedding security practices into your firm’s routine, you can create a more secure environment overall.  

The benefits of compliance  

One of the most immediate benefits of complying with the FTC Safeguards Rule is legal protection. By adhering to these regulations, your firm can avoid penalties, fines, and potential lawsuits that could arise from a data breach. Compliance demonstrates your firm’s commitment to protecting client information, which can be a significant advantage in the event of legal scrutiny.  

Conclusion  

The FTC Safeguards Rule is not just a regulatory requirement; it’s a necessary step in protecting the sensitive information your clients entrust to you. By understanding and implementing these safeguards, you can help ensure that this information remains secure, preserving your clients’ trust and your firm’s reputation.