Tech Guru

FTC Safeguards and Section 7216: what firms commonly get wrong.

Two rules govern how your firm protects taxpayer data. Both are widely misunderstood. Here are the five misconceptions we hear most, corrected against the actual text.


Ask ten firm owners about the FTC Safeguards Rule and IRC Section 7216 and you will hear ten different versions of what they require. Most of those versions are wrong in ways that matter. These two rules carry real teeth, including criminal exposure under Section 7216, so the details are worth getting right. Here are the five misconceptions we correct most often, with the primary sources linked so you can check our work.

1. “We're too small for the Safeguards Rule.”

The rule's definition of financial institution (16 CFR 314.2) says it plainly: an accountant or other tax preparation service in the business of completing income tax returns is a financial institution. A solo preparer working from a home office is covered. There is no small-firm exit.

There is a small-firm accommodation, and it is narrower than people think. Under 16 CFR 314.6, firms maintaining customer information on fewer than 5,000 consumers are exempt from exactly four items: the written form of the risk assessment (314.4(b)(1)), continuous monitoring or its substitute of annual penetration testing plus vulnerability assessments at least every six months (314.4(d)(2)), the written incident response plan (314.4(h)), and the annual written report to the board or senior leadership (314.4(i)). Everything else in the rule still applies, including the safeguards in the next section, and note that the exemption removes the written form of the risk assessment, not the obligation to perform one.

2. “We have antivirus, so we're compliant.”

The rule does not ask for a product. It asks for a program. 16 CFR 314.4 requires a designated qualified individual to run it, a risk assessment to drive it, and specific safeguards: access controls limited to what each person needs, an inventory of data and systems, encryption of customer information in transit and at rest, secure development practices for any in-house applications that touch customer information, multi-factor authentication for anyone accessing systems that hold that information, secure disposal of customer information no later than two years after last use unless retention is justified, change management, and monitoring and logging of authorized user activity. Add employee training, regular testing of the safeguards, service provider oversight, and ongoing evaluation of the whole program. Antivirus addresses a sliver of one item on that list.

3. “The WISP is a one-time document.”

A written information security program is required, but writing it is the start, not the finish. The rule requires you to evaluate and adjust the program based on testing results, changes to your operations, and anything else with a material impact. Staff training has to stay current. Vendors have to be reassessed. And the IRS now puts the question in front of every preparer annually: Form W-12, the PTIN application and renewal, includes a Data Security Responsibilities item where you attest that you are aware preparers are required by law to create and maintain a written information security plan. A WISP dated three years ago that nobody follows is evidence of the problem, not the solution.

4. “Our software vendor's security is our compliance.”

Your tax software, cloud storage, and portal vendors matter, but their security programs do not substitute for yours. The rule (16 CFR 314.4(f)) makes service provider oversight your job: select providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically reassess the relationship. The obligation, and the accountability, stay with your firm. That includes breach reporting. Under 16 CFR 314.4(j), a notification event involving the unencrypted information of at least 500 consumers must be reported to the FTC as soon as possible and no later than 30 days after discovery, and a breach at your vendor that exposes your clients' data is still your notification event. Your vendor's SOC 2 report is useful evidence for your oversight file. It is not your compliance.

5. “Section 7216 only matters if you offshore.”

Offshore staffing is where most firms first meet IRC Section 7216, but the statute is much broader. It criminalizes knowing or reckless disclosure of tax return information, and also any use of that information for a purpose other than preparing the return, unless an exception or a valid consent applies. Using return data to market advisory services, sharing it with a third party for a non-preparation purpose, feeding it into an unvetted tool: all of that is 7216 territory, with zero overseas staff involved.

The exposure is real. A violation is a misdemeanor punishable by a fine of up to $1,000 per violation, or $100,000 where the identity-theft provision of Section 6713(b) applies, up to one year of imprisonment, or both, plus the costs of prosecution. Separately, IRC Section 6713 adds a civil penalty of $250 per improper disclosure or use, capped at $10,000 per calendar year, rising to $1,000 per violation and a $50,000 cap in identity-theft cases, applied separately from the standard cap.

What to do with this

Treat the two rules as one discipline. The Safeguards Rule tells you how to protect taxpayer data. Section 7216 tells you what you may do with it. A firm that maps both into one written program, then configures its systems to enforce that program, has answered the question regulators and clients actually ask: not whether a document exists, but whether the firm follows it. That is the work we do at Tech Guru. We write WISPs aligned to the FTC Safeguards Rule and IRS Publication 4557, then configure firms' systems so the policies actually run.

This article is educational content, not legal advice. Rules change and facts differ by firm. Have your attorney review any firm-specific policy or consent language before you rely on it.

Get a WISP your firm actually follows.

Book a discovery call and we will map the Safeguards Rule and Section 7216 to your firm, write the program, and configure your systems to enforce it.


No long-term contract. No hour caps. No minimums. 60-day cancellation any time. We earn it every month.  ·  (800) 692-6096