How Exposed Is Your Firm?

Answer a few questions to see your FTC and IRS compliance obligations, state breach notification deadlines, and what documentation you need.

Free Compliance Calculator

What You Don't Know About Your Compliance Obligations

Answer 4 simple questions about your firm. No compliance knowledge needed — we'll show you the specific obligations you may not know about.

No signup required · Instant results · No data stored

Important Compliance Notice

Think You're Too Small? Think Again.

FTC & IRS requirements apply to ALL tax preparers who handle client data—regardless of firm size or client count.

MYTH

"I only have 200 clients, so the FTC Safeguards Rule doesn't apply to me."

FACT

The 5,000-record threshold applies to only 2 specific requirements. Core compliance applies to ALL firms.

Requirement · Small (<5K) · Large (5K+) · Covered by SafeGuardGRC

Written Incident Response Plan (IRP): FTC 16 CFR 314.4(h)
Annual IRP Review & Updates: FTC 16 CFR 314.4(h)
Written Information Security Policy (WISP): FTC 16 CFR 314.4 & IRS Pub 4557
Annual Risk Assessment *1: FTC 16 CFR 314.4(b)
Employee Security Training: FTC 16 CFR 314.4(d)
Service Provider Oversight (Vendor Management): FTC 16 CFR 314.4(g) & IRS Pub 4557
Secure Data Disposal Procedures: FTC 16 CFR 314.4(e)

Technical & Operational Controls

Multi-Factor Authentication (MFA): FTC 16 CFR 314.4(c)
Access Controls & Least Privilege: FTC 16 CFR 314.4(c)(4)
Annual Penetration Testing: FTC 16 CFR 314.4(f)
Qualified Individual (QI) *2: FTC 16 CFR 314.4(a)

*1 Risk Assessment: While a written risk assessment is not required for firms with under 5,000 records, conducting one is highly recommended. Without a risk assessment, your firm won't identify compliance gaps or understand areas requiring attention.

*2 Qualified Individual: ALL firms, regardless of size, must designate a Qualified Individual to oversee their information security program (FTC 16 CFR 314.4(a)). This can be the firm owner, an office manager, or any designated person — a vCISO or formal CISO title is not required. However, for larger firms or those seeking expert guidance, engaging a vCISO is recommended to help manage compliance complexity and ensure proper governance.

Free Assessment

Could Your Firm Survive a Data Breach?

Walk through a realistic breach scenario and see your firm's readiness score, state-specific obligations, and FTC exposure in 3 minutes.

Take the Breach Readiness Quiz

No signup required · Instant results · 3 minutes

⚠️ Your firm size doesn't exempt you from core compliance

SafeGuardGRC helps firms of all sizes meet these requirements—from solo practitioners to multi-partner firms.

Starting at $99/mo · Billed annually

Ready to Get Compliant?

Plans starting at $99/mo for firms of every size

See Plans & Pricing

30-day money-back guarantee
Cancel anytime

Core compliance modules in every plan · Professional adds IRP, tasks & more