
“We’re a four-person tax office in Spring. We’re not a bank — why would a federal financial regulation apply to us?”
We hear some version of that on the discovery call about once a week. The owner is genuinely surprised. And that surprise is exactly the problem, because under the FTC Safeguards Rule, that four-person tax office in Spring is a “financial institution” — and so is the CPA in the Heights, the independent auto dealer off the Gulf Freeway, and the mortgage broker working out of a strip-center suite in Katy.
You checked the box that said you protect client data. On paper, you’re fine. In reality, most of you are missing nearly every control the rule actually requires. Let’s fix the gap between what you think you’re doing and what the law expects.
The surprise: you might be a “financial institution”
The FTC Safeguards Rule lives under the Gramm-Leach-Bliley Act (GLBA). When people hear “Gramm-Leach-Bliley,” they picture Wells Fargo, not a bookkeeping practice. But the FTC defines “financial institution” broadly — it covers any business significantly engaged in activities that are financial in nature. In plain English, that sweeps in a lot of Houston businesses who’ve never thought of themselves this way:
- Tax preparers — from the seasonal storefront to the year-round firm.
- Accountants and CPAs handling clients’ financial data.
- Auto dealers — especially anyone arranging or facilitating financing or leases.
- Mortgage brokers and lenders.
- Finance companies and payday lenders.
- Collection agencies.
And more beyond that list. The amended rule’s key data-security provisions became enforceable on June 9, 2023. That’s not a future deadline you’re racing toward — it’s a line you’ve already crossed. If you’ve been operating since then without a real security program, you’ve been out of compliance the entire time.
What a compliant program actually requires
The rule doesn’t ask you to “be secure” in the abstract. It spells out specific elements of a written information security program. Here’s the plain-English version of what you’re responsible for.
Put one accountable person in charge
You must designate a Qualified Individual to run the program. This is the person responsible for security — not a vague “everybody pitches in” arrangement. For most small firms, that role is filled by an outside provider, which is a perfectly legitimate option as long as someone is genuinely accountable.
Know your risks and your data
- Written risk assessment — documented, not in your head. What client data do you hold, where could it leak, and how likely is each scenario?
- Data inventory — you can’t protect what you can’t name. SSNs, bank details, W-2s, loan applications, credit files: know exactly where they live.
Lock down access and the data itself
- Access controls — people get access to client data only to the extent their job requires. Your front-desk hire shouldn’t reach every tax return on the server.
- Encryption of customer data both at rest (sitting on drives and in databases) and in transit (moving across the internet or email).
- Multi-factor authentication (MFA) — a password alone is not enough for anyone touching client information.
- Secure development and change practices — controlled, deliberate changes to the systems holding the data.
Watch, train, and oversee
- Logging and monitoring — the ability to detect unauthorized access, not discover it months later when a client calls.
- Vendor and service-provider oversight — vet the outside parties who touch your data and hold them to security requirements in writing.
- Written incident response plan — a documented playbook for what happens the day something goes wrong.
- Security awareness training — your staff are your largest attack surface, so they get trained.
- Periodic reporting to ownership or the board — the Qualified Individual reports up regularly so leadership actually knows where things stand.
Read that list again and ask honestly how many you can produce documentation for today. For most firms we meet, the honest answer is one or two. That’s the gap between compliant on paper and exposed in reality, and closing it is exactly what our compliance services are built to do.
“My software vendor handles security” — no, they don’t
This is the most common and most dangerous misunderstanding we run into. The owner says their tax software, their CPA platform, or their dealer management system is “secure,” so they’re covered.
Here’s the reality: your software vendor secures their product. They do not secure your environment. The Safeguards Rule obligation falls on your business — your whole environment, end to end:
- The laptops your staff carry home and check email on.
- The office Wi-Fi, the firewall, the network nobody’s patched in two years.
- The shared drive where last season’s returns are sitting in plain files.
- The personal Gmail someone “just for a second” forwarded a client’s W-2 to.
- The vendors, contractors, and cloud apps you’ve connected over the years.
A breach almost never happens inside the well-defended software platform. It happens in the soft, unmonitored spaces around it — the very spaces the vendor doesn’t touch and you may not be watching. Real protection means securing the environment those tools run in, which is the work behind our network security and managed IT services.
Tax pros: the IRS is watching too
If you prepare tax returns, you have a second obligation stacked on top of the FTC rule. The IRS requires tax professionals to maintain a Written Information Security Plan (WISP) as a condition of holding a PTIN and keeping e-file privileges.
Sit with what that means: your ability to legally prepare returns and e-file is tied to having a real, written security plan. No plan, no compliance — and your professional credentials are the thing on the line. A WISP isn’t a one-page template you download and forget; done right, it overlaps heavily with the Safeguards Rule elements above, which is why building both together is far more efficient than treating them as separate fire drills.
What it costs to fake it
We’re not here to scare you, so let’s be factual about the consequences we actually see.
FTC enforcement
The FTC enforces the Safeguards Rule. “We didn’t know it applied to us” is not a defense for a regulator, and the data-security requirements have been enforceable since June 9, 2023. We won’t quote penalty figures — for what enforcement could mean for your specific situation, that’s a conversation for your attorney.
The breach cascade
The regulator is only one piece. The bigger pain is what happens when client data actually walks out the door:
- The data itself. Tax preparers, accountants, and dealers hold the crown jewels — Social Security numbers, bank accounts, income, full financial profiles. It’s everything an identity thief needs in one file.
- Reputation. A small firm runs on trust. “They lost my financial information” travels fast in a tight Houston business community, and it doesn’t come back cheap.
- Liability and notification. A breach can trigger client notification obligations, contractual fallout, and exposure your attorney and insurance carrier will want to walk you through — long before you can get back to actually running the business.
To be clear about our lane: Aspendora is not a law firm or an auditor. We don’t give legal opinions or sign off on your audit. What we do is make compliance real — we implement the technical controls, build the documentation, and run the monitoring the rule requires, then point you to your attorney, carrier, or auditor for the questions that are theirs to answer.
Stop checking the box. Start closing the gap.
If you’re a Houston-area tax preparer, accountant, or auto dealer and you just realized this rule applies to you — good. That realization is the hard part, and you’re ahead of the firms still assuming their software vendor has it covered. The next step is turning “we should probably look into this” into a documented, monitored security program you can actually stand behind.
Start with a free 15-minute discovery call at /discoverycall/. We’ll talk through where you stand against the Safeguards Rule and what real implementation looks like for a shop your size. That call is the only free thing we offer — Aspendora charges professional rates for the actual work, and there’s no free setup or support. But fifteen honest minutes now is a lot cheaper than finding out the hard way. When you’re ready to see how we build and document these controls, our compliance services are where it gets real, and you can review our rates any time.
Aspendora Technologies provides cybersecurity, managed IT, and expert on-premise & open-source solutions to Houston-area small businesses since 2010.
