Tax Season Warning: CPAs are Now Under the FTC Microscope

As tax season ramps up, CPAs and accounting firms are handling more sensitive PII (Personally Identifiable Information) than at any other time of year. What many firms still do not realize is that they are officially classified as “financial institutions” under the FTC Safeguards Rule, and the IRS is now actively enforcing that classification.

You Are a Financial Institution. Period.

Under 16 CFR 314.2(h), the FTC defines “financial institution” as any entity whose business involves engaging in activities that are “financial in nature or incidental to such financial activities.” The rule explicitly lists tax preparation firms as covered entities. If you complete income tax returns as a business, you fall under the Safeguards Rule. There is no ambiguity, no carve-out, and no grace period.

This means every solo practitioner, every regional CPA firm, and every seasonal tax preparation office must maintain a written Information Security Program that meets all requirements of 16 CFR Part 314.

The High Stakes of Tax Data

Tax returns contain the ultimate identity theft kit: Social Security numbers, bank account details, employer information, dependent data, and income history. The IRS flagged approximately 2.1 million tax returns for potential identity theft in 2024, up from 1.1 million in 2023. The FTC received over 1.1 million identity theft reports through IdentityTheft.gov in 2024, a 9.5% increase over the prior year. Consumers reported losing more than $12.5 billion to fraud in 2024, a 25% increase over 2023.

Tax professionals are high-value targets precisely because they concentrate so much sensitive data in one place during a predictable window.

The IRS MFA Mandate: IR-2024-201

On August 6, 2024, the IRS released IR-2024-201, reinforcing that Multi-Factor Authentication is a mandatory federal requirement for all tax professionals. The release makes clear that opting out of MFA features in tax preparation software is a direct violation of the FTC Safeguards Rule. This applies to all firms regardless of size, including solo practitioners.

The IRS defines MFA as requiring at least two of the following: something you know (password or PIN), something you have (hardware or software token), or something you are (biometric like fingerprint or facial scan). This aligns directly with 16 CFR 314.4(c)(5), which requires financial institutions to “implement multi-factor authentication for any individual accessing any information system” containing customer data.

Immediate Requirements

1. Multi-Factor Authentication (MFA): If you are accessing client data without MFA, you are in direct violation of 16 CFR 314.4(c)(5). Per IRS IR-2024-201, disabling MFA in your tax software is itself a violation. No exceptions.

2. Encryption: Data must be encrypted both at rest on your servers and in transit when being sent to clients or the IRS. This includes email attachments containing returns, portal uploads, and any stored electronic files.

3. Data Disposal: Under 16 CFR 314.4(c)(6), you must implement procedures for secure disposal of customer information no later than two years after the last date the information was used, unless retention is required for business operations or by law. You cannot simply toss old client documents in a recycling bin. Shredding, degaussing, and certified electronic destruction are the standard.

4. Designated Qualified Individual: You must have a named person responsible for your Information Security Program. For small firms, this can be outsourced to a qualified service provider.

5. Written Risk Assessment: Identify the specific threats to the customer data you hold: returns on laptops, files in cloud storage, paper documents in filing cabinets.

The Small Firm Exception (and Its Limits)

Under 16 CFR 314.6, firms that maintain customer information concerning fewer than 5,000 consumers are exempt from four specific requirements: the written risk assessment format (314.4(b)(1)), continuous monitoring or periodic penetration testing (314.4(d)(2)), a written incident response plan (314.4(h)), and the annual board report (314.4(i)).

However, this exemption does not remove the core obligation. You must still have an information security program. You must still use MFA. You must still encrypt data. You must still train your staff. The exemption narrows the documentation burden; it does not eliminate the security requirement.

Action Checklist for Tax Season

  • Confirm MFA is enabled on all tax software, email accounts, and cloud storage
  • Verify encryption at rest for all devices storing client data (laptops, external drives, NAS)
  • Verify encryption in transit for all client communications (TLS 1.2 or higher)
  • Review and document your data disposal procedures with a two-year retention policy
  • Ensure your Qualified Individual is named and aware of their obligations
  • Review IRS Publication 4557, “Safeguarding Taxpayer Data,” for additional IRS-specific guidance
  • Train all staff on phishing awareness before the April filing rush
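
The checklist's disposal item (and the two-year retention rule in 16 CFR 314.4(c)(6) above) is easy to state and hard to keep honest across years of client folders. The script below is an added example, not code from the article or from Hired Hackers: it walks a document tree, treats each file's newest access or modification timestamp as a proxy for the "last date the information was used" (an assumption, since a document management system would have a better record), skips paths on a legal-hold list (the retention exception the rule allows), and reports everything older than the window so it can be queued for certified destruction rather than silently deleted. The sample tree it builds is constructed placeholder data.

```python
"""Retention audit for stored client files (16 CFR 314.4(c)(6)).

Added example; not the article's or any vendor's code. Assumptions, labelled here
and in the lead-in: file atime/mtime stands in for "last date used", and
`legal_hold` is a hand-maintained list of paths that business or legal
retention requirements exempt from disposal.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

TWO_YEARS = timedelta(days=730)  # the rule's "no later than two years" window


@dataclass(frozen=True)
class DisposalCandidate:
    path: Path           # absolute path of the stale file
    last_used: datetime  # newest of atime / mtime, UTC
    age_days: int        # days since last use, relative to the audit's `now`


def last_used(path: Path) -> datetime:
    """Newest of access and modification time, as an aware UTC datetime."""
    st = path.stat()
    return datetime.fromtimestamp(max(st.st_atime, st.st_mtime), tz=timezone.utc)


def find_disposal_candidates(root: str | os.PathLike, *, now: datetime,
                             window: timedelta = TWO_YEARS,
                             legal_hold: frozenset[str] = frozenset()) -> list[DisposalCandidate]:
    """Return files under `root` not used within `window`, excluding legal holds.

    `legal_hold` entries are POSIX-style paths relative to `root`. `now` is
    injected rather than read from the clock so an audit run is reproducible.
    Nothing is deleted: the output is a review list for certified destruction.
    """
    root = Path(root)
    cutoff = now - window
    found: list[DisposalCandidate] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.relative_to(root).as_posix() in legal_hold:
            continue  # retention required by law or business need
        used = last_used(path)
        if used < cutoff:
            found.append(DisposalCandidate(path, used, (now - used).days))
    return found


def build_sample_tree(base: Path, now: datetime) -> Path:
    """Constructed sample data: three client files with back-dated timestamps."""
    ages_in_days = {
        "clients/2021/return_A.pdf": 1100,  # stale, should be flagged
        "clients/2023/return_B.pdf": 400,   # inside the two-year window
        "clients/2020/hold_C.pdf": 1500,    # stale but on legal hold
    }
    for rel, days in ages_in_days.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed placeholder, not real taxpayer data")
        ts = (now - timedelta(days=days)).timestamp()
        os.utime(p, (ts, ts))  # back-date both atime and mtime
    return base


def run_demo() -> list[str]:
    """Build the sample tree in a temp dir and return flagged paths (relative, POSIX)."""
    now = datetime.now(tz=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp), now)
        hits = find_disposal_candidates(
            root, now=now, legal_hold=frozenset({"clients/2020/hold_C.pdf"}))
        return [h.path.relative_to(root).as_posix() for h in hits]


if __name__ == "__main__":
    for rel in run_demo():
        print(f"disposal review: {rel}")
```

Run it against a real document share by replacing the temporary tree with the firm's root folder and a current legal-hold list; the point of keeping the output as a review list, with the path and age of each file, is that a Qualified Individual can sign off on the destruction batch and keep that record as evidence of the disposal procedure the rule requires.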

Do not wait until after tax season to address your compliance. A single data breach during the April rush can not only destroy your firm’s reputation but also bring federal fines that far exceed your seasonal revenue.

Scott Sailors
https://www.hiredhackers.com
Principal Security Consultant with over 20 years of experience in security architecture, engineering, and executive leadership. Holds CISSP, OSCP, CISM, CRISC, Master's and Bachelor's degrees in Cybersecurity with expertise bridging technical teams and senior management to communicate complex security challenges in actionable terms.
