• Skip to main content
  • Skip to header right navigation
  • Skip to site footer
  • (713) 662-3994
  • Support
CloudTop Office

CloudTop Office

Application Cloud Hosting

  • Home
  • Hosting
    • QuickBooks Desktop Hosting
    • QuoteWerks Hosting
    • ACT! Hosting
    • Sage Hosting
    • Virtual Server
    • QuickBooks Online with Intuit
  • Consulting
    • Zoho Consulting
    • QuoteWerks Consulting
    • Act! CRM Consulting
    • Avalara Consulting
  • About Us
  • Get a Quote
  • Book a Consultation

The FTC Safeguards Rule and QuickBooks: What Accounting Firms Must Do in 2026

July 15, 2026 by Stacy Wanjiku
Category: Accounting, General

The FTC Safeguards Rule applies to accounting firms, and most owners underestimate how directly. Under the rule, tax preparers, bookkeepers, and CPA firms count as financial institutions because they hold clients’ financial information, which means your firm is legally expected to run a written security program with specific controls. This guide covers what the rule requires, what your firm needs to do in 2026, and where hosting your QuickBooks and data can carry part of the load. It is written in plain English, not legalese.

Applies to
Tax preparers, accountants, and CPA firms
In force since
June 2023, with breach reporting added in 2024
Breach reporting
Within 30 days for events affecting 500+ people

Does the FTC Safeguards Rule apply to your firm?

Almost certainly, yes. The rule sits under the Gramm-Leach-Bliley Act, and the FTC has made clear that firms handling consumer financial data, including tax and accounting practices, fall within its definition of a financial institution. Size does not get you out of it. There is a partial break for smaller firms: a practice that maintains information on fewer than 5,000 consumers is exempt from a few specific duties, such as the written risk assessment, continuous monitoring or annual penetration testing, a written incident response plan, and the annual report to leadership. The core safeguards still apply to everyone. So the question is not whether the rule touches your firm, but how much of it you have put in place.

The stakes are real. The FTC can investigate and penalize firms that ignore the rule, and a breach at a tax or accounting practice usually costs far more in lost client trust than in fines. Clients hand you their most sensitive financial details, and a single exposed return can end a relationship. Treating the rule as basic client care, rather than red tape, is the healthier way to see it.

The nine things the rule asks for

Stripped of the legal language, the Safeguards Rule comes down to nine building blocks of a written information security program.

1Name a Qualified Individual to run your security program.
2Write a risk assessment of where client data could be exposed.
3Put safeguards in place to control the risks you find.
4Use encryption for client data at rest and in transit.
5Require multi-factor authentication to reach systems with client data.
6Test and monitor your safeguards on a regular basis.
7Train your staff and keep your policies current.
8Oversee your service providers, the vendors that touch client data.
9Keep an incident response plan and report qualifying breaches within 30 days.

Two of those, encryption and multi-factor authentication, are no longer optional under the amended rule. And since May 2024, a security event involving the unencrypted information of 500 or more people has to be reported to the FTC as soon as possible, and within 30 days at the latest.

Documentation is the part firms forget. The rule is not satisfied by good habits alone, it expects the program to be written down, so that what you do can be shown, reviewed, and updated over time. If a client, an insurer, or the FTC ever asks how you protect data, that written program is the answer you point to.

The gaps that trip firms up

Most firms are not starting from zero, but they are rarely finished either. The common holes are the same ones the rule targets: antivirus and a firewall in place, but no written program tying it all together; passwords without multi-factor authentication on remote access; client data that is backed up but never test-restored; and a list of software vendors nobody has documented or reviewed. None of these is hard to fix on its own. The risk comes from assuming that having some protection means having a program, which is exactly the distinction the Safeguards Rule draws.

What your firm must do in 2026

If you are starting from scratch, work through it in this order. If you already have pieces in place, use the same list to find what is missing rather than starting over.

1
Appoint your Qualified Individual
One named person accountable for the program. It can be a staff member or an outside provider.
2
Run a written risk assessment
Map where client data lives, who can reach it, and how it could be lost or stolen.
3
Close the gaps
Turn on MFA, encrypt client data, tighten access controls, and set reliable backups.
4
Train the team and plan for incidents
Security awareness for staff, plus a written plan for what happens if data is exposed.
5
Document vendors and review yearly
List the providers that handle client data, keep the paperwork, and revisit the whole program at least once a year.

Where hosting fits in

Hosting your QuickBooks and data will not make your firm compliant on its own, and any provider that promises otherwise is overselling. What a serious host does is carry several of the technical safeguards for you. A hosted environment can provide encryption at rest and in transit, enforced multi-factor authentication, access controls, activity monitoring, and managed daily backups in a U.S. data center. It also gives you a service provider you can name and document, which helps directly with the vendor-oversight requirement.

What stays with your firm is the program itself: the Qualified Individual, the risk assessment, staff training, and your incident response plan. Hosting is the technical foundation, not the finished house. For a small firm without a full-time IT person, it shifts a real chunk of the technical burden onto a provider whose job is to keep those controls current. It also simplifies your paperwork, since several of your safeguards then point to one provider you can describe in a sentence. CloudTop Office has secured accounting software on Microsoft Azure since 2000, with encryption, MFA, and managed backups as standard, and you can read more about our approach on our About page or run your QuickBooks Desktop hosting in an environment built with these controls in mind. Common setup questions are covered in our hosting FAQ. To talk through where your firm stands, book a consultation.

This article is general information, not legal advice. Confirm your firm’s specific obligations with a qualified security or legal advisor.

Straight answers on the Safeguards Rule

Does the FTC Safeguards Rule really apply to accountants?

Yes. The FTC treats firms that handle consumer financial data, including tax preparers and accounting practices, as financial institutions under the rule. Being small does not exempt you, though very small firms are excused from a few specific requirements.

Do small firms get any exceptions?

A firm that maintains information on fewer than 5,000 consumers is exempt from a few duties: the written risk assessment, continuous monitoring or annual penetration testing, a written incident response plan, and the annual report to leadership. The core safeguards, including encryption and MFA, still apply.

Does hosting QuickBooks make my firm compliant?

No. Hosting provides several technical safeguards, such as encryption, MFA, access controls, and backups, and gives you a vendor you can document. It does not replace your written security program, your Qualified Individual, your risk assessment, or your training. Treat it as the foundation.

When does a breach have to be reported?

Since May 2024, a security event involving the unencrypted information of 500 or more people must be reported to the FTC as soon as possible, and no later than 30 days after you discover it.

How does this relate to the IRS WISP requirement?

They overlap. The IRS expects tax professionals to keep a written information security plan, and the FTC Safeguards Rule is the legal backbone behind it. Building a Safeguards program also satisfies much of what the IRS asks for.

Previous Post:QuickBooks hosting for accountants
Next Post:Windows Server 2016 Retires January 2027: A Plan for Firms Running QuickBooks or Sage In-House

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Latest Posts

  • Windows Server 2016 Retires January 2027: A Plan for Firms Running QuickBooks or Sage In-House
  • The FTC Safeguards Rule and QuickBooks: What Accounting Firms Must Do in 2026
  • QuickBooks hosting for accountants
See more

Service Areas

  • ACT! Hosting
  • QuoteWerks Hosting
  • Virtual Server
  • Sage Hosting
  • QuickBooks Online with Intuit
  • QuickBooks Hosting

Quote Links

  • Home
  • About Us
  • Quickbooks FAQ
  • Blog

Contact Us

  • Contact Us
  • Support

Ready to Get Started?

Talk to a member of our team today

Get a Personalized Quote

Or call: (713) 662-3994

Toll-Free: (866) 710-4228

Privacy Policy | Terms & Conditions

Copyright © 2026 · CloudTop Office · All Rights Reserved