Compliance
What IRS Publication 4557, IRS Publication 5708, the FTC Safeguards Rule, AICPA SSTS Section 1.3, and the state breach laws actually require of CPA firms in 2026 — the technical safeguards, the documented program, and where most firms get it wrong.
Most CPA firm owners we meet in 2026 have heard of the FTC Safeguards Rule, have downloaded the IRS sample WISP at some point, and have a folder somewhere they would describe as their information security program. Very few can produce, on demand, the documentation a Stakeholder Liaison, FTC investigator, state attorney general, or cyber-insurance underwriter would accept as evidence of a current, working program.
That is not a moral failure. It is structural. The CPA cybersecurity obligation in 2026 is not a single rule. It is a four-layer stack — IRS guidance, FTC regulation, AICPA professional standards, and state law — and almost nothing in the day-to-day life of a tax practice surfaces the whole picture in one place.
This guide walks through what each layer requires, where firms most consistently fall short, and what a defensible 90-day path looks like.
A note up front: we operate the technical safeguards side. We are not your Qualified Individual under § 314.4(a) — that role lives inside the firm. We are not a CPA firm and we do not opine on AICPA SSTS interpretation.
Every CPA firm preparing returns or providing tax services in the United States is subject to all four of these regimes simultaneously. They overlap. They do not replace each other.
Most firms we audit are partially aware of layer 1, vaguely aware of layer 2, surprised by layer 3, and unaware of which parts of layer 4 apply to them. The technical program that satisfies the strongest layer tends to satisfy the others. Very few firms have built that program.
Publication 4557, "Safeguarding Taxpayer Data," is the umbrella document. It has required every paid preparer with a PTIN to maintain a Written Information Security Plan since 2008 and cross-references the FTC Safeguards Rule. It is IRS guidance rather than regulation, but the Return Preparer Office treats it as an operating expectation, and a current WISP is the first thing an IRS Stakeholder Liaison asks about after a suspected data theft.
Publication 5708, "Creating a Written Information Security Plan for your Tax & Accounting Practice" (2022) is the operational companion — a sample WISP and a fillable template. Two failure modes: firms that never downloaded it, and firms that filled in their letterhead once and never touched it again.
IRC § 7216 makes unauthorized disclosure or use of taxpayer return information a federal misdemeanor, with civil penalties under IRC § 6713 — the hook that turns sloppy data handling into a federal exposure for the preparer personally.
IRS Stakeholder Liaison reporting. The IRS expects a preparer who suspects a data theft involving tax-related information to contact their assigned Stakeholder Liaison promptly — within 24 hours is the operating expectation in Publication 4557 and Security Summit guidance. This is in addition to, not in place of, FTC, state, and client notifications.
PTIN consequences. The Return Preparer Office can suspend or revoke a PTIN for misconduct, and serious data-handling failures fall inside that authority. PTIN actions tied to data-security failures are real, and the loss of a PTIN ends a tax practice.
This is the layer most CPA firms underestimate. The Gramm-Leach-Bliley Act defines a "financial institution" broadly enough to include any business "significantly engaged" in providing financial products or services. The FTC's interpretation, reaffirmed in the 2021 and 2023 amendments, places CPA firms preparing tax returns squarely inside that definition. The Safeguards Rule at 16 CFR Part 314 applies to your firm directly, regardless of whether you think of yourself as a "financial institution."
The 2023 amendments, with most substantive requirements live by June 9, 2023, sharpened the rule into specific named controls.
Designated Qualified Individual — § 314.4(a). One named individual responsible for the program. Not a committee. The role can be supported by an outside provider, but the named person must be inside the firm — typically a partner or firm administrator.
Written risk assessment — § 314.4(b). Identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, with periodic reassessment required.
Multi-factor authentication — § 314.4(c)(5). Required for any individual accessing any system containing customer information, subject to a narrow exception for equivalently strong controls approved in writing by the Qualified Individual. In a CPA firm: MFA on Microsoft 365 or Google Workspace, on the tax-prep software login itself (Lacerte, Drake, UltraTax, ProConnect, CCH Axcess, ATX), client portal, document management, every remote-access path, every administrator account.
Encryption — § 314.4(c)(3). Customer information must be encrypted in transit over external networks and at rest, with a similar narrow exception.
Access controls and least privilege — § 314.4(c)(1). Limited to authorized users with periodic reviews. Shared "FrontDesk" or "TaxAssistant" accounts are not consistent with this requirement.
Continuous monitoring or periodic penetration testing — § 314.4(d). Continuous monitoring, or annual penetration testing plus biannual vulnerability assessments. Most small firms cannot run continuous monitoring in-house, which makes managed detection and response the practical path.
Service provider oversight — § 314.4(f). Select providers capable of maintaining safeguards, contract with them to do so, and periodically assess them based on risk.
Written incident response plan — § 314.4(h). Roles, communication, remediation, documentation, and post-incident evaluation.
Annual report to the board or equivalent — § 314.4(i). The Qualified Individual reports in writing at least annually to the board or, in firms without one, to a senior officer.
The 2023 amendments added a notification trigger that surprised many firms. For breaches affecting 500 or more consumers, the firm must notify the FTC within 30 days through the FTC's electronic portal — in addition to all state and IRS notification duties.
Effective January 1, 2024, the AICPA's revised Statement on Standards for Tax Services brought data protection inside the professional standards framework. SSTS § 1.3 makes confidentiality and safeguarding of taxpayer information an explicit professional obligation for AICPA member CPAs providing tax services.
The standard uses a "reasonable steps" framework that parallels the ABA's Model Rule 1.6(c) sliding scale. It does not list specific controls. It does require the practitioner to consider the sensitivity of the information, the likelihood of unauthorized disclosure, the cost and difficulty of safeguards, and the impact on the engagement. A CPA who has taken no demonstrable steps is at risk under the standard regardless of whether a breach has occurred.
The disciplinary mechanism is the AICPA Professional Ethics Executive Committee, working through joint enforcement with state CPA societies — a different forum than IRS Office of Professional Responsibility or a state attorney general, and CPAs can be exposed to all three concurrently.
The fourth layer is the one most likely to produce a surprise enforcement letter. A few specific states matter to most firms:
New York — 23 NYCRR 500 (NY DFS). Covered financial services entities, including many accounting firms that hold DFS licenses or meet the rule's coverage tests, must maintain a written cybersecurity program, designate a CISO, conduct risk assessments, implement MFA, encrypt non-public information, and file an annual certification. The November 2023 amendments tightened these requirements significantly.
Connecticut — Public Act 21-119, as amended in 2024. Provides a safe harbor from tort damages in certain data-breach litigation for organizations conforming to a recognized framework.
Massachusetts — 201 CMR 17.00. Any business that owns or licenses personal information about a Massachusetts resident is in scope. Most CPA firms with even a single MA client qualify. Requires a written information security program, encryption of personal information transmitted over public networks and stored on portable devices, and specific computer-system requirements.
California — CCPA/CPRA. Disclosure and consumer-rights obligations attach to firms meeting the revenue or processing thresholds.
The 50-state breach notification patchwork. Every state has a breach notification law. Notification windows range from "without unreasonable delay" to specific day counts. A CPA firm whose client list crosses state lines is, after a breach, looking at parallel notifications under each state's law.
When the FTC, the IRS, an AICPA panel, a state attorney general, or a cyber-insurance underwriter looks at a CPA firm in 2026, the controls they expect to see converge:
None of these is exotic. The challenge in a CPA firm is rarely technical capability; it is designated ownership and consistent execution.
The failure modes cluster predictably:
The IRS has not built a public enforcement docket for CPA-firm cybersecurity failures, but state attorneys general have. Two recent matters are useful reference points.
The October 20, 2025 New York Attorney General settlement with Wojeski & Company, an Albany-area CPA firm, covered two separate incidents — a July 2023 ransomware attack and a May 2024 third-party access incident. The 2023 ransomware event affected 5,881 individuals in total, of whom 4,726 were New York residents; the 2024 incident affected 351 individuals (267 NY residents). Settlement: $60,000 penalty plus a corrective security program. A clean example of how layer-4 state enforcement reaches a small CPA firm that did not have the layer-2 controls in place. (NY AG press release, 2025-10-20)
The Sax LLP disclosure, filed with the Maine Attorney General, involved approximately 228,876 individuals nationwide (244 Maine residents) notified by a top-100 accounting firm based in Parsippany, NJ. Sax detected unusual activity on August 7, 2024, completed its data review on December 1, 2025, and began notifying affected individuals on December 16, 2025. The filing characterizes the incident as an external system breach (hacking); Sax has not publicly stated that a ransom was paid. Firm size does not insulate against the incident profile, and state notification filings have become the de-facto public record for CPA-firm breaches. (Maine AG breach notice)
The pattern across both: the technical compromise is rarely novel. The exposure is built from delayed notification, missing documentation, and program gaps that pre-date the incident.
When a CPA firm suspects a data theft involving taxpayer or customer information, the sequence we run with firm leadership and breach counsel:
The post-incident documentation is not for the file cabinet. It is the evidentiary base that the next investigator, underwriter, or AICPA panel will work from.
For a firm starting from behind, the most useful framing is a 90-day program with milestones the Qualified Individual can actually report against.
Days 1-30 — foundation.
Days 31-60 — program.
Days 61-90 — operationalize.
At day 90 a firm that started from a static WISP has a current, defensible program. It will not be perfect. It will be defensible — which is the operative standard under all four layers.
We deliver the technical safeguards side — MFA enforcement, managed detection and response, identity threat detection on Microsoft 365 and Google Workspace, security awareness training with phishing simulations, encryption attestation, centralized logging, and a documentation package that maps controls to FTC § 314.4 subsections and to the Publication 5708 WISP outline.
We are not your Qualified Individual. The named role at § 314.4(a) lives with a firm partner or executive. We are not your CPA, and we do not interpret AICPA SSTS § 1.3 — that conversation belongs to your firm and to the AICPA Professional Ethics Executive Committee.
What we bring is the practitioner side that lets your Qualified Individual report to firm leadership with confidence, lets your cyber-insurance carrier renew without arguing about controls, and lets your IRS Stakeholder Liaison have the conversation they expect to have.
The CPA cybersecurity obligation in 2026 is no longer optional and no longer aspirational. The penalty stack now includes professional standards (AICPA SSTS § 1.3), federal regulation (IRS Publication 4557, FTC Safeguards Rule), state law (NY DFS 23 NYCRR 500, MA 201 CMR 17.00, the 50-state breach-notification patchwork), and cyber-insurance non-renewal. The technical and documented program that satisfies the strongest of those layers will satisfy the others.
Build it once. Maintain it. Review it annually. Be a firm the IRS Stakeholder Liaison is glad to talk to, and a firm whose cyber underwriter renews without a phone call.
If you are a CPA firm trying to map your current posture against the four-layer stack, the fastest start is a structured briefing — a working conversation that produces a concrete gap list against FTC § 314.4 subsections, Publication 4557, and the state requirements that apply to your client footprint. The accounting industry overview describes the engagement model in more detail.
Last updated
May 16, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
Every paid tax return preparer with a PTIN is expected by the IRS to maintain a Written Information Security Plan under Publication 4557. Every CPA firm that prepares tax returns, advises on tax matters for compensation, or otherwise offers a 'financial service' is a financial institution under the Gramm-Leach-Bliley Act and is directly subject to the FTC Safeguards Rule at 16 CFR Part 314. There is no headcount exemption — a sole practitioner with one client is in scope. The 2023 amendments carve out only a narrow set of relief for firms with fewer than 5,000 consumers, and only from a few of the more demanding documentation requirements, not from the substantive controls.
Yes. Publication 4557 has required any preparer with a PTIN to maintain a Written Information Security Plan since 2008, and the FTC Safeguards Rule applies to a one-person CPA firm exactly as it applies to a 100-person firm. The IRS Stakeholder Liaison program treats the WISP as the first piece of evidence it asks for after a suspected data theft. Solo firms in 2026 are not flying under the radar — they are the demographic that state attorneys general and cyber-insurance carriers are now actively examining.
Publication 4557 is IRS guidance, originally aimed at taxpayer-data confidentiality under IRC § 7216 and at the practitioner's PTIN obligations. The FTC Safeguards Rule at 16 CFR Part 314 is a federal regulation under the Gramm-Leach-Bliley Act and applies to CPA firms as 'financial institutions.' Publication 4557 tells you to have a WISP. The Safeguards Rule tells you specifically what has to be in it — designated Qualified Individual, written risk assessment, MFA, encryption, access controls, vendor oversight, incident response plan, and an annual report. The two regimes overlap but are not interchangeable. A WISP that satisfies Publication 4557 will not by itself satisfy the 2023-amended Safeguards Rule.
The Qualified Individual is the single person designated to oversee, implement, and enforce the firm's information security program. The rule does not require a specific certification or title — it requires that the person actually be qualified to do the job, and that responsibility be assigned to one named individual rather than diffused across the firm. In a CPA firm, the Qualified Individual is typically a partner, the firm administrator, or a chief operating officer. The role can be supported by an outside provider, but it cannot be outsourced — the named person must remain within the firm and must report at least annually to the board or equivalent governing body.
Yes. FTC § 314.4(c)(5) requires MFA for any individual accessing any information system containing customer information, with limited exceptions for equivalently strong controls reviewed and approved in writing by the Qualified Individual. In a CPA firm in 2026 that means MFA on Microsoft 365 or Google Workspace, the tax-prep software login itself, the client portal, the document management system, any remote-access path, and any administrator account. MFA on email alone is not sufficient. The tax software login is the single most commonly overlooked control.
At least annually, and again on any material change — new tax software, new payroll system, an acquisition, an office move, a significant staffing change, a new vendor that touches customer information, or a security incident. The Qualified Individual must report to the firm's leadership at least annually under FTC § 314.4(i). Treating the WISP as a one-time download of the IRS Publication 5708 sample is the single most common documentation failure we encounter.
FTC § 314.4(f) requires the firm to select service providers capable of maintaining appropriate safeguards, to contract with them to do so, and to periodically assess them based on the risk they present. For a CPA firm in 2026 this means a written inventory of every vendor that touches customer information — tax software, e-signature vendor, client portal, cloud storage, payroll, bookkeeping, AI assistants — paired with contracts containing data-handling and breach-notification clauses, and a documented review on a cadence appropriate to risk.
Yes. The IRS Return Preparer Office has authority to suspend or revoke a Preparer Tax Identification Number for misconduct, which under published guidance includes serious failures of taxpayer-data safeguarding. The IRS has not built a public name-and-shame program for CPA firms the way OCR has done in healthcare, but PTIN actions tied to data-handling failures are real, and a Stakeholder Liaison report of a suspected data theft is a moment at which prior compliance posture becomes very visible.
Related reading
What cyber insurance for CPA and tax firms actually covers in 2026, the underwriting questionnaire controls that move premiums, and how to pass the application without overspending.
Read articleA CISSP-led walkthrough of cyber insurance for first-time SMB buyers in 2026 — what the policy covers, what the questionnaire asks, the four controls that move premiums the most, and how to pass the application without overspending.
Read articleThe 22 cyber-insurance underwriting controls that move premiums in 2026 — what each one asks, why carriers care, and how to answer without overcommitting your stack.
Read article