CPA and tax firms hold the data criminals want most — and the FTC Safeguards Rule now legally requires you to protect it. Here is the 2026 IT and security playbook for Texas accounting practices.
If you run a CPA firm, a bookkeeping practice, or a tax-preparation office in Texas, you are holding the most concentrated pile of sensitive data most criminals will ever find: Social Security numbers, bank account details, full financial histories, and the login credentials to your clients' payroll and banking portals. That combination makes accounting firms one of the highest-value targets in the SMB world — and since 2023 it also puts you squarely under the FTC Safeguards Rule, a federal regulation that many Texas firms still do not realize applies to them.
This guide explains what the Safeguards Rule requires, why accounting firms are targeted, and the specific IT and security controls a Texas practice needs in place before the next busy season — and before a client's stolen refund lands your firm in an IRS data-loss investigation.
The Safeguards Rule is part of the Gramm-Leach-Bliley Act, and its definition of a "financial institution" is far broader than banks. The FTC has explicitly stated that tax preparers, accountants, and CPA firms are covered financial institutions. The IRS reinforces this: every firm with a Preparer Tax Identification Number is required to maintain a written information security plan, and that requirement is now checked at the point of PTIN renewal.
The rule stopped being aspirational in June 2023, when the amended version took effect with concrete, technical mandates. If your "security plan" is a one-page document your prior IT vendor wrote and nobody has opened since, you are not compliant — and worse, you are not protected.
The Safeguards Rule spells out specific elements every covered firm must implement. In plain English:
Criminals target accounting firms for reasons unique to the profession:
The threat is compounded by increasingly convincing AI-powered phishing that mimics a partner's writing style and a real client's prior emails.
If you do one thing after reading this, enable MFA everywhere client data can be reached — email, your tax software, remote access, the client portal, and cloud storage. The Safeguards Rule requires it, cyber insurers now require it, and it single-handedly defeats the credential-theft attacks that cause most firm breaches. Push-based or app-based authenticators are strongly preferred over SMS codes, which can be intercepted. For your most privileged accounts — the admin logins and the partner accounts that can move money — layer on the tighter controls we describe in our guide to privileged access management.
The busy season is your highest-risk window. More people, more data movement, more fatigue, and more urgency for attackers to exploit. Prepare before January:
Encryption is explicitly required, and it is also your last line of defense: an encrypted laptop stolen from a car is a lost asset, not a reportable breach. Encrypt endpoints, encrypt backups, and encrypt data in transit to and from your tax software. Then make sure your backups are immutable and tested — ransomware crews specifically target accounting firms in the weeks before a filing deadline because the pressure to pay is highest. A backup you have never restored from is a hope, not a plan.
Moving to QuickBooks Online, a hosted tax package, or a cloud document portal shifts where the data lives, but it does not shift the Safeguards obligation off your firm. Under the rule you remain responsible for vendor oversight — you must confirm your providers protect the data you entrust to them, and you must configure their security features rather than assuming the defaults are enough.
Consolidating this oversight is one of the clearest arguments for a single managed IT partner who can hold every vendor to one standard rather than leaving each software choice to police itself.
The IRS provides a WISP template, but a template is a starting point, not a finished program. Your WISP has to reflect how your firm actually handles data: which software you use, where files are stored, who has access, and how you respond to an incident. It must be a living document, reviewed at least annually and updated when your systems change. Firms pursuing broader assurance often align their WISP with a recognized framework — our guide to SOC 2 readiness and our SOC 2 compliance resources show how a formal control framework maps onto these requirements and reassures larger clients.
The amended Safeguards Rule added a breach-notification requirement: certain incidents involving 500 or more consumers must be reported to the FTC within 30 days. Texas has its own breach-notification statute on top of that. The practical takeaway is that you need a written, rehearsed incident response plan before an incident, because the clock starts the moment you discover the problem — not the moment you finish investigating it. Rehearse it the way we describe in our guide to tabletop exercises, and remember that adopting a recognized framework can also provide an affirmative defense under Texas SB 2610.
Accounting firms and law firms face nearly identical pressures — high-value client data, professional-responsibility obligations, and money-movement workflows that attract fraud. If your firm shares office space or referral relationships with attorneys, the security expectations are converging, and the same managed-security foundation serves both. Our companion guide to Texas law firm IT and cybersecurity covers the parallel obligations, and a qualified IT consultant can build one program that satisfies both professions' standards.
Begin with an honest gap assessment against the nine Safeguards elements: do you have MFA everywhere, a current written risk assessment, least-privilege access, tested encrypted backups, and an incident response plan? Most Texas firms find three or four gaps, and the highest-impact fix — turning on MFA across every client-data system — can be done in days, not months. LayerLogix helps accounting and tax practices build and operate a compliant program through our compliance-focused cybersecurity and managed IT services. Start with a free IT assessment that measures your firm against the Safeguards Rule and the threats aimed at your profession, or review our full compliance services to see how the pieces fit together.
LayerLogix provides FTC Safeguards support, WISP development, and managed security for accounting and tax firms across Texas, with local, Texas-based teams. We serve CPA and bookkeeping practices in Houston, Austin, Dallas, Fort Worth, and Sugar Land. With 20+ years of experience and 100% Texas-based support, we help firms protect client data through tax season and every season after it.
LayerLogix provides expert cybersecurity solutions for businesses across Houston and nationwide.
Let our team help your Houston business with enterprise-grade IT services and cybersecurity solutions.