The Washington CPA 2023 Fall

Page 22

COMPLIANCE

Illustration: © iStock/Vitalii Gulenok

Compliance with the Federal Trade Commission 'Safeguards Rule'

Suzanne M. Holl, CPA

The Gramm-Leach-Bliley Act (“GLBA”) was passed by Congress in 1999 with bipartisan support. A component of the GLBA, its Safeguards Rule, was first established in 2003 and required organizations defined as “financial institutions” to establish measures to keep their customers’ private information secure. In accordance with GLBA provisions, the Federal Trade Commission (“FTC”) has authority to issue regulations ensuring that financial institutions protect the privacy of consumers’ personal financial information.

In late 2021, the FTC amended the Safeguards Rule to address current technology. The changes included a more expansive definition of “financial institutions” and added new responsibilities requiring enhanced administrative, technical, and physical safeguards designed to protect customer information. Certain provisions of the updated rule were effective December 9, 2022, and the remaining provisions became effective June 9, 2023.

The revised Safeguards Rule specifies safeguards that covered organizations must implement as part of their information security program. Under the guidance, the definition of “financial institutions” has a broad scope, which can affect organizations across many industries. For example, nonbanking financial institutions engaging in financial activities or activities incidental to such financial activities (e.g., CPA firms, tax professionals) that collect Personally Identifying Information (“PII”) need to be aware of changes that build on the original Safeguards Rule framework in key data security areas. The overarching primary objectives for an information security program under the rules include:

• Ensuring the security and confidentiality of client information.

• Implementing safeguards against anticipated threats to client information.

• Preventing unauthorized access to information systems linked to client information.

Is your firm fully compliant with the revised Safeguards Rule?

The Safeguards Rule applies to organizations of all sizes, with reduced compliance standards for entities maintaining fewer than 5,000 client/customer records. What constitutes client/customer records is somewhat unique for every organization, and that certainly holds true for CPA firms and tax professionals. As the revised Safeguards Rule applies to all PII organizations maintain, for accounting firms this includes the PII maintained for former and current clients, and any ancillary contacts associated with the client that a firm maintains including, but not limited to, the PII of current and former clients’ owners, members, partners, employees, and customers. For example, if a firm prepares K-1s for hundreds of partners of a partnership client, the personally identifiable records would include the PII of each partner.

Since there is no business client exception, it would be unwise for most CPA firms to rely on the 5,000 client/customer records exception without performing due diligence to ensure they have adequate systems in place to accurately track the number of personally identifiable records maintained for current and former clients. Under the Safeguards Rule, at any point an organization exceeds 5,000


