Does the GLBA Safeguards Rule apply to solo tax preparers?

Yes. The FTC has consistently held that any paid tax return preparer is a financial institution under GLBA, regardless of firm size, revenue, or whether the preparer works from a home office. A solo PTIN holder has the same Safeguards Rule obligation as a multi-partner CPA firm.

What is the difference between GLBA and the FTC Safeguards Rule?

GLBA is the underlying federal statute passed in 1999. The FTC Safeguards Rule (16 CFR Part 314) is the regulation the Federal Trade Commission issued to implement GLBA's security requirements for the non-bank financial institutions it oversees. In practice, when tax and accounting firms talk about 'GLBA compliance' they almost always mean compliance with the FTC Safeguards Rule.

What is the 5,000-customer threshold under GLBA?

Firms that maintain information on fewer than 5,000 consumers are exempt from a few documentation requirements — specifically the written risk assessment, the written incident response plan, and the annual report to the governing body. The other Safeguards Rule elements, including MFA, encryption, training, and vendor oversight, still apply in full.

Is a Written Information Security Plan (WISP) required by GLBA?

Yes. Section 314.4(a) of the Safeguards Rule requires every covered financial institution to develop, implement, and maintain a comprehensive, written information security program. That document is commonly called a WISP. IRS Publication 5708 provides a tax-preparer-specific template that satisfies the requirement.

What kind of MFA does the GLBA Safeguards Rule require?

16 CFR 314.4(c)(5) requires multi-factor authentication for any individual accessing any information system that contains customer information. SMS one-time codes are technically allowed but disfavored; the FTC, NIST, and CISA all recommend phishing-resistant factors such as authenticator apps, hardware security keys (FIDO2/WebAuthn), or biometrics tied to a trusted device.

What is the FTC's 30-day breach notification rule?

Effective May 13, 2024, covered financial institutions must notify the FTC within 30 days of discovering a security event involving the unencrypted customer information of 500 or more consumers. Notification is made through the FTC's online portal and must include the institution name, contact, a description of the event, and the number of consumers affected.

Do I need a Qualified Individual if I'm a solo preparer?

Yes. The rule requires designating one person responsible for overseeing and implementing the information security program. For a solo practitioner, that person is you. The designation must be documented in the WISP and the responsibility cannot be delegated to a vendor without retaining accountability.

What penalties can the FTC impose for Safeguards Rule violations?

FTC enforcement actions can include consent decrees lasting up to 20 years with mandatory third-party security audits, injunctive relief, and civil penalties currently set at up to $51,744 per violation. State attorneys general can also bring independent actions, and individual consumers may sue under state-level analogues like California's CCPA.

Does cyber insurance replace GLBA compliance?

No. Cyber insurance can transfer some financial risk after an incident, but it does not satisfy a regulatory obligation. In fact, carriers increasingly require GLBA Safeguards Rule compliance — including a current WISP, enforced MFA, and a documented incident response plan — as a condition of coverage. Misrepresenting controls on an application can void the policy.

How often do I have to update my GLBA-compliant WISP?

At least annually, and any time there is a material change to your operations, technology stack, or risk environment. The Qualified Individual must report at least annually to the governing body (for firms above the 5,000-customer threshold). Most firms tie the annual review to PTIN renewal season so the timing is predictable.

Wolf Academy · Resources & Guides

Wolf Academy: compliance, explained clearly

Plain-English compliance and cybersecurity resources for tax professionals, accounting firms, insurance agencies, and small businesses handling sensitive client data.

FeaturedCompliance

FTC Safeguards Rule WISP Checklist for Tax Preparers (2025)

A complete plain-English checklist of every administrative, technical, physical, vendor, and annual-review control your WISP must address — plus how to auto-verify with Microsoft 365.

11 min readRead guide

Compliance

IRS WISP Requirement for PTIN Holders: What Every Tax Preparer Must Do in 2025

If you hold a PTIN, you're required to have a Written Information Security Plan. Here's what the IRS requires, what your WISP must contain, and what happens if you don't have one.

8 min readRead

Templates

Free WISPWolf Compliance Starter Kit

Download the free WISPWolf Compliance Starter Kit — IRS WISP starter template, FTC Safeguards Rule checklist, GLBA checklist, risk assessment worksheet, cyber insurance guide, and tax preparer compliance checklist. Identify your compliance gaps before PTIN renewal.

14 min readRead

Compliance

WISP Requirements 2026: What Tax Preparers Need to Know

What changed in 2026 across IRS Pub 5708, the FTC Safeguards Rule, and cyber insurance — and the minimum WISP every tax preparer should have.

9 min readRead

Fundamentals

Tax Preparer Security Plan Guide: Building a Compliant WISP

A step-by-step guide to scoping, writing, implementing, and maintaining a Written Information Security Plan for a tax practice.

10 min readRead

Compliance

GLBA Safeguards Rule for Tax Preparers and Small Businesses

The nine required elements of the GLBA Safeguards Rule and how they map to your WISP and IRS Pub 5708.

8 min readRead

Fundamentals

What Is a Written Information Security Plan and Why You Need One

A clear primer on the Written Information Security Plan (WISP): what it covers, who must have one, and why it matters in 2025.

6 min readRead

Strategy

Why a One-Time WISP Template Will Fail Your Next IRS Audit

Static PDFs fail under audit and insurance review. Here's why a Living WISP is now the standard for tax and accounting firms.

6 min readRead

Integrations

How Microsoft 365 Integration Automates Your WISP Compliance

Turn your Microsoft 365 tenant into live WISP evidence — MFA, conditional access, and audit logs verified continuously.

8 min readRead

Checklists

Annual WISP Review Checklist Every CPA Firm Needs

Use this annual WISP review checklist to keep your CPA firm audit-ready, insurer-friendly, and ahead of FTC requirements.

5 min readRead

Cyber Insurance

How to Answer Your Cyber Insurance Questionnaire as a Tax Preparer

What insurers actually look for, how a WISP maps to NetGuard Plus and ransomware supplementals, and how documentation lowers your premium.

8 min readRead

Comparisons

EasyWisp.ai Alternative: A More Affordable Living WISP Platform

Compared EasyWisp.ai? See how WISPWolf delivers a continuously-monitored Living WISP starting at $39/month with live evidence.

7 min readRead

Comparisons

Rightworks WISP vs WISPWolf: One-Time vs Ongoing Compliance

Rightworks bundles a static WISP. WISPWolf is a Living WISP. Here's the side-by-side for tax and accounting firms in 2025.

8 min readRead

Monthly Compliance Brief

One short email a month. No fluff.

New FTC & IRS guidance, fresh checklists, and lessons from real audits — written for firm owners.