The FTC Safeguards Rule and IRS Publication 4557 are not optional best practices. They are federal requirements — with real penalties, including FTC investigation and loss of e-file authorization. Find out where you stand before enforcement does.
What's at stake
FTC investigation and civil penalties for failure to maintain a written information security program
Loss of IRS e-file authorization — your ability to file returns electronically
$8,900 average compliance fine per violation for non-compliant SMBs (2025)
Client trust and liability — a breach of client financial data carries serious reputational and legal risk
The Legal Requirements
These aren't new rules — but enforcement has intensified in 2025–2026. Small tax practices and accounting firms are no longer below the radar.
FTC Safeguards Rule
The FTC Safeguards Rule, updated in 2023 and actively enforced in 2026, requires financial institutions — including tax preparers and accounting firms — to implement and maintain a comprehensive written information security program.
This isn't a suggestion. Failure to comply is subject to FTC investigation, civil penalties, and public enforcement action.
The rule requires
IRS Publication 4557
IRS Publication 4557 requires all tax return preparers to create and implement a data security plan. The IRS treats this as a condition of e-file authorization — meaning non-compliance can result in losing the ability to file returns electronically on behalf of clients.
The IRS has made this a priority. The Security Summit initiative actively works to identify preparers without adequate protections in place.
The IRS requires
Most small tax practices and accounting firms do not have a compliant written information security program. This isn't because they don't care — it's because no one has made it clear what's actually required or where to start. The Security Snapshot does exactly that.
How the Snapshot Helps
The Security Snapshot won't write your WISP for you — but it gives you the foundation you need to build one, by showing you exactly what you have, what's missing, and what matters most.
01. We check your external exposure, email security, website posture, account practices, device hygiene, and backup readiness — and tell you in plain English what the FTC and IRS would find if they looked.
02. Not every compliance requirement applies equally to every practice. We identify which gaps are most urgent for your size, your tools, and the type of client data you handle — so you're not chasing phantom risks.
03. Every finding comes with plain-English recommendations. High-priority items — the ones that directly affect your compliance posture or create the most client data risk — are clearly flagged and explained.
04. Your Snapshot report serves as a baseline assessment — something you can share with a compliance consultant, your cyber insurance provider, or your attorney as evidence that you've taken reasonable steps.
05. Compliance language is dense and confusing. We translate what the FTC and IRS actually require into plain English — and map our findings to those requirements so you know exactly what you're addressing.
06. Most practices aren't in hopeless shape — they just haven't looked. The Snapshot shows you where you already do things well, which makes the gaps clearer and the action plan more manageable.
Enforcement Timeline
FTC Safeguards Rule updated — small firms included
The FTC updated the Safeguards Rule to explicitly include non-bank financial institutions, including tax preparers and accounting firms with under 5,000 customers.
Now law
IRS Security Summit intensifies outreach to small preparers
The IRS Security Summit specifically targeted small and solo tax preparers, identifying that the majority lacked written data security plans as required by Publication 4557.
Enforcement active
FTC begins enforcement actions against non-compliant firms
The FTC moved from guidance to enforcement, with investigations and actions against financial service firms — including small practices — that lacked compliant security programs.
Enforcement active
Both requirements fully in force — no grace period remaining
There is no longer a phase-in period or enforcement grace period for either rule. Small practices are expected to be compliant. The question isn't whether the rules apply to you — it's whether you're ready.
Act now