FTC Safeguards Rule and Client Tax Data: What Your Hosting Environment Actually Needs to Comply

Financial Reporting | June 17, 2026

The rule defines "financial institution" broadly enough to capture tax preparation firms and financial advisors directly, not just banks and lenders.

By Jamil Akhtar
Sagenext Infotech

If you’re a professional at a CPA firm, a bookkeeper, or a tax preparer, the FTC’s Safeguards Rule almost certainly applies to you. The rule defines “financial institution” broadly enough to capture tax preparation firms and financial advisors directly, not just banks and lenders. What matters isn’t how your firm describes itself; it’s what activities you actually perform.

If you handle client Social Security numbers, bank account details, or tax return data on behalf of customers, you meet the rule’s definition of a covered entity, and that obligation now includes the 2023 breach-notification amendment, which took effect in 2024, on top of the original 2003 framework.

The compliance guidance that’s easy to find online stays at 30,000 feet: do a risk assessment, map your data flows, designate someone to own it. True, but it skips the part that actually matters for a firm running QuickBooks, Drake, Lacerte, or UltraTax: what does the infrastructure underneath those programs need to look like in practice? Where does a hosting provider’s responsibility end and your firm’s begin? Most guidance treats “compliance” as a paperwork exercise and never gets specific about servers, login screens, or backup schedules, which is exactly where most small firms are actually exposed. That’s the gap this post fills.

The Rule, in plain terms

The Safeguards Rule requires covered firms to maintain a written information security program with administrative, technical, and physical safeguards appropriate to the size and complexity of the business. It’s built around nine required elements, and most firms’ actual exposure comes down to a handful of them — the ones tied directly to how client tax data is stored, accessed, and moved.

What the Rule requires, and what that looks like inside a hosted environment

  • Encryption, at rest and in transit. The Rule requires encrypting customer information on your system and in transit unless your Qualified Individual approves an alternative control in writing. In a properly configured QuickBooks hosting environment, this isn’t optional or DIY — it’s part of what the hosting provider’s infrastructure handles: encrypted storage volumes at the disk level, encrypted RDP or remote-session traffic, and TLS for any data movement between the hosted server and your office or home network. If your current setup involves emailing client tax returns as unprotected PDF attachments, or storing scanned W-2s and 1099s on a local drive “for convenience” during tax season, that’s the first gap to close, and it exists independent of where the QuickBooks file itself lives.
  • Multi-factor authentication for anyone accessing customer information. This is non-negotiable under the 2021 amendments: the Rule requires at least two of three factor types, something you know (a password), something you have (a token or authenticator app), or something you are (biometrics), for anyone accessing systems containing customer information. A hosting environment should enforce MFA at the login layer for every user accessing the server, not leave it as a setting each employee can individually skip. If your current remote-access setup is a single shared password into a desktop that five people use during busy season, that’s a direct, specific Safeguards Rule violation, not a minor inconvenience to fix eventually.
  • Access controls, reviewed periodically. Not every employee needs access to every client file. A hosted environment should support role-based access, segmenting who can open which company files or which client folders, and your firm should be the one periodically reviewing who still needs that access, since headcount and roles change faster than IT permissions get updated.
  • Secure disposal. Customer information must be disposed of securely no later than two years after it’s no longer needed to serve that customer, absent a legitimate business or legal reason to retain it. How long you keep closed-client files is a firm policy decision, but the hosting environment needs to actually support secure deletion, not just file deletion that leaves recoverable data on a shared volume.
  • Monitoring, logging, and vulnerability testing. The Rule requires either continuous monitoring of your information systems or, if that’s not feasible, annual penetration testing plus vulnerability scans at least every six months. It also requires keeping a log of authorized-user activity so unauthorized access can be detected. This is squarely an infrastructure question, and one most small firms have no real answer to. A firm running QuickBooks on a local server or an unmanaged VPS rarely has logging, scanning, or testing in place at all; it’s not on anyone’s calendar. It’s a standard expectation of a properly run hosting environment, and worth asking any provider directly, in writing: do you log access to client data, who reviews those logs, and do you run scheduled vulnerability scans, or is that left for us to arrange separately?
  • Change management. Every time a server is patched, a new application installed, or a network setting changed, that’s a potential new risk the Rule requires you to evaluate. This is one of the more overlooked elements in most compliance checklists and one place a managed hosting provider can carry real, measurable weight, since patch management and change control are part of running the infrastructure day to day, not an annual project a firm has to remember to schedule during an already-busy season.
  • A written incident response plan. If there’s a security event, the Rule requires a plan that already exists, covering goals, internal processes, roles and decision authority, communication both internally and externally, remediation steps, documentation, and a post-mortem, not something assembled after the fact, under pressure, mid-breach. The hosting provider should be able to tell you, in writing, what their own incident response process looks like if their environment is affected. Your firm still needs its own plan for client communication and any state or federal notification obligations that apply to you directly; one plan doesn’t substitute for the other, and a provider’s security incident isn’t automatically your compliance program.
  • Vendor (i.e., hosting provider) oversight. This is the piece that’s easy to miss: the Rule explicitly requires you to monitor your service providers, with contracts that spell out security expectations and allow for periodic reassessment. Hiring a hosting company doesn’t transfer your compliance obligation to them. It means you now also have a contract to manage, and a provider whose own security program you’re on the hook for vetting.
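As an added illustration (not part of the original post, and not Sagenext's tooling), here is a small Python script that turns four of the checkable elements above into a repeatable review: every user enrolled in MFA, accounts whose access has gone unused and should be re-justified, closed-client files past the two-year disposal window, and the six-month vulnerability-scan cadence. The user and client records, field names, and the 90-day stale-access threshold are assumptions; the dates and client IDs are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample records (not from any real firm). In practice these would be
# exported from the hosting provider's user list and the firm's client database.
USERS = [
    {"user": "alice", "role": "partner",  "mfa_enrolled": True,  "last_login": date(2026, 6, 10)},
    {"user": "bob",   "role": "seasonal", "mfa_enrolled": False, "last_login": date(2026, 4, 15)},
    {"user": "carol", "role": "admin",    "mfa_enrolled": True,  "last_login": date(2025, 9, 1)},
]
CLIENT_FILES = [
    {"client": "C-001", "status": "active", "closed_on": None},
    {"client": "C-002", "status": "closed", "closed_on": date(2023, 3, 31)},
    {"client": "C-003", "status": "closed", "closed_on": date(2025, 1, 15)},
]

RETENTION = timedelta(days=2 * 365)   # Rule: dispose no later than two years after last need
SCAN_INTERVAL = timedelta(days=182)   # Rule: vulnerability scans at least every six months
STALE_ACCESS = timedelta(days=90)     # assumed firm policy for re-justifying unused access


def mfa_gaps(users):
    """Users who can reach customer information without a second factor."""
    return sorted(u["user"] for u in users if not u["mfa_enrolled"])


def stale_access(users, today, window=STALE_ACCESS):
    """Accounts unused for longer than the review window; candidates for removal."""
    return sorted(u["user"] for u in users if today - u["last_login"] > window)


def disposal_due(files, today, retention=RETENTION):
    """Closed-client files that have passed the retention limit and need secure deletion."""
    return sorted(f["client"] for f in files
                  if f["status"] == "closed" and f["closed_on"] is not None
                  and today - f["closed_on"] > retention)


def scan_overdue(last_scan, today, interval=SCAN_INTERVAL):
    """True when no vulnerability scan has run within the required interval."""
    return last_scan is None or today - last_scan > interval


def review_report(users, files, last_scan, today):
    """One dict per review cycle; each non-empty entry is a finding to document."""
    return {
        "mfa_gaps": mfa_gaps(users),
        "stale_access": stale_access(users, today),
        "disposal_due": disposal_due(files, today),
        "scan_overdue": scan_overdue(last_scan, today),
    }


if __name__ == "__main__":
    print(review_report(USERS, CLIENT_FILES, date(2025, 11, 1), date(2026, 6, 17)))
```

Run quarterly (or whenever staff change), the report's non-empty entries are exactly the items the Rule expects a firm to be able to show it reviewed and acted on.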

Where the line actually falls

This is the honest part most vendor content skips: hosting handles the technical infrastructure: encrypted servers, MFA-gated access, monitored networks, patched systems, audited data centers. It does not write your firm’s risk assessment, designate your Qualified Individual, draft your incident response plan, or decide your data retention policy. Those stay with the firm, because they require judgment about your clients, your staff, and your business, not server configuration.

A firm that assumes “we pay for hosting, so we’re covered” is exposed on the administrative half of the Rule. A firm that writes a great policy document but runs QuickBooks on an unpatched local machine is exposed on the technical half. Both halves are required.

Practical starting point

If you’re a small or mid-sized firm trying to figure out where you actually stand, start with three questions: where does client tax data physically live right now, who can access it without MFA, and when was the last time anyone tested whether your systems could actually be breached. If you don’t have confident answers to all three, that’s your risk assessment’s first entry — not a hosting upgrade pitch, just the actual starting point the Rule requires you to document before anything else.

Worth naming directly: none of this is about whether you “feel” secure. The Safeguards Rule is enforced through a written program with specific, checkable elements, and the FTC’s own breach-reporting requirement means gaps surface publicly if something goes wrong, since your report can become part of a public listing. A firm that’s been running the same setup since 2018 without revisiting MFA, encryption, or logging isn’t unusual, but it is exposed, and tax season is exactly when that exposure gets tested in practice, since it’s when the largest volume of sensitive client data moves through your systems at once.

For firms running QuickBooks on infrastructure that doesn’t natively support encryption, MFA, and monitored access, that’s where the technical half of the Rule and the hosting decision intersect. Sagenext provides authorized QuickBooks hosting to US CPA firms, bookkeepers, and tax preparers, with multi-user access, automated backups, bank-grade security, and 24×7 support, and has operated in this category since 2011 on SOC-2 audited infrastructure built around exactly these controls.
