Short answer
Every US tax preparer (CPA, EA, or unenrolled) must have a Written Information Security Plan (WISP) on file. The WISP is the through-line for IRS Publication 4557, the FTC's GLBA Safeguards Rule (amended in 2021 with a June 2023 compliance date, then again in October 2023 to add breach notification, effective May 2024), and several state laws. CCPA / CPRA adds a separate set of consumer-rights obligations triggered by California-resident data. The amended Safeguards Rule requires a designated qualified individual, a written risk assessment, multi-factor authentication, encryption in transit and at rest, vendor oversight, staff training, regular testing, and notification to the FTC within 30 days of discovering a breach that affects 500 or more consumers. PTIN renewal now asks every preparer to confirm they are aware of their obligation to have a data-security plan.
The four overlapping frameworks every US CPA firm faces
Privacy and data-security compliance for accounting firms in the US isn't one law — it's a stack of federal, state, and IRS-specific frameworks that mostly point at the same set of safeguards but with slightly different scope. Understanding the overlap helps you build one program that satisfies all of them.
IRS Publication 4557 — Safeguarding Taxpayer Data
The IRS's specific guidance for tax practitioners. Pub 4557 is technically guidance, not a statute, but the IRS makes it operationally binding by referencing it in PTIN renewal attestations, in the Security Six recommendations, and in the e-file application. Pub 4557 cross-references GLBA and explicitly says: every paid tax preparer must have a written data-security plan that aligns with the FTC Safeguards Rule.
GLBA — Gramm-Leach-Bliley Act (Safeguards Rule)
Enacted in 1999; the Safeguards Rule was tightened substantially by the 2021 amendments (most provisions effective June 9, 2023) and the October 2023 breach-notification amendment (effective May 2024). The FTC's Safeguards Rule applies to "non-bank financial institutions," and the rule's own list of examples names accountants and other tax-preparation services that prepare income tax returns. After the amendments, requirements moved from "reasonable safeguards" to specific technical controls: multi-factor authentication, encryption of customer information in transit and at rest, and either continuous monitoring or annual penetration testing plus vulnerability assessments at least every six months. Notification to the FTC is required as soon as possible, and no later than 30 days after discovery, for events involving the information of 500 or more consumers.
CCPA / CPRA — California Consumer Privacy Act
Operative January 2020, expanded by CPRA effective January 2023. Applies to any for-profit business that collects California-resident personal information and meets one of three thresholds (revenue, volume of consumer data, or revenue from data sales or sharing). For accounting firms: annual gross revenue over $25M (inflation-adjusted, so the current figure is somewhat higher), or buying, selling, or sharing the personal information of 100,000+ California consumers or households, or 50%+ of revenue from selling or sharing California residents' personal information. Many small-to-mid CPA firms are not subject; mid-sized firms with significant California client bases should re-check the thresholds annually.
State privacy laws beyond California
Virginia (VCDPA, 2023), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Tennessee, Iowa, Indiana, and others have all enacted similar comprehensive privacy laws, and the count keeps growing. Most follow the CCPA template (consumer rights to access, delete, correct, opt out) with their own thresholds and definitions. One caveat matters for CPA firms: most of these statutes exempt financial institutions subject to GLBA at the entity level, which can take a GLBA-covered firm out of scope entirely, whereas California exempts only the GLBA-covered data itself, so a CCPA-covered firm still owes consumer rights on anything outside that data. Firms serving multi-state clients need to track this expanding patchwork and check each law's exemption language rather than assuming coverage either way.
The compliance checklist (every US CPA firm needs each item)
Foundation: WISP and Designated Qualified Individual
- Written Information Security Plan (WISP) document on file, signed and dated
- WISP reviewed and updated at least annually (date of last review documented)
- Designated "Qualified Individual" — named in writing, responsible for the program
- Annual written risk assessment identifying foreseeable internal and external threats
- Inventory of all systems and data stores containing customer information
Technical safeguards
- Encryption of customer information at rest (AES-256 or equivalent)
- Encryption of customer information in transit (TLS 1.2+)
- Multi-factor authentication for all individuals with access to customer information
- Access controls based on least privilege — staff see only what they need
- Centralized logging of access to customer information
- Anti-malware and patch management on all firm-owned systems
- Secure backup and tested recovery procedures
- Field-level encryption for the most sensitive identifiers (SSN, EIN, banking)
Administrative safeguards
- Written information-security policy provided to every employee at onboarding
- Annual security awareness training, with attendance documented
- Background checks on staff with access to customer information
- Termination process that revokes access immediately
- Vendor / service-provider oversight: written contracts requiring equivalent safeguards
- Annual review of all third-party vendors that process customer information
- Privacy notice on the firm's website and at first client interaction
Incident response and breach notification
- Written incident response plan covering detection, containment, eradication, recovery
- Internal escalation procedure with target 24-hour notification of management
- FTC notification process for breaches affecting 500+ consumers (within 30 days)
- State-by-state notification matrix for affected residents (deadlines vary)
- IRS notification process for confirmed taxpayer-data breaches (within 24 hours)
- Annual tabletop exercise testing the incident response plan
CCPA / CPRA-specific (if applicable)
- Privacy notice with all CCPA-required disclosures (categories collected, sources, purposes, third parties)
- Process to handle Right to Know, Right to Delete, and Right to Correct requests within 45 days (extendable once by 45 days with notice), and Right to Opt-Out and Limit-Use requests within 15 business days
- Authorized agent verification process for requests submitted on behalf of consumers
- "Notice at Collection" given to California residents at or before personal information is collected
- Prohibition on retaliating against consumers who exercise rights (no different price or service level)
- Special handling rules for sensitive personal information (SSN qualifies — clients can request limited use)
The gaps every firm we've audited has at least one of
1. The "we have a WISP" without an actual WISP
Half the firms we've talked to say they have a WISP. About a third can produce one when asked. Of those, most are templates downloaded years ago that were never customized to the firm. The IRS PTIN attestation is a binding statement — having a WISP that doesn't match your actual practice is worse than not having one. Audit yours: does the document name your firm? Does it list your actual systems? Is it signed and dated within the past 12 months?
2. No designated qualified individual
Post-2023 amendments, GLBA requires one named person responsible for the security program. At a 1-person firm, that's the principal. At a 5-person firm, it should be the managing partner or a named senior. "We all kind of handle it" is a non-answer the FTC will treat as no answer.
3. Multi-factor authentication that doesn't cover everything
Most firms have MFA on email and the practice management platform. Few have it on the tax-prep software, the document storage, or the file-sharing tool. The 2023 GLBA amendments require MFA for all individuals with access to customer information. That includes the bookkeeper accessing QuickBooks Online, the contractor logging into the firm's Dropbox, and the client portal where clients themselves log in.
4. Vendor contracts that say nothing about safeguards
Tax-prep software, document storage, e-signature, payroll processor, even the cleaning service that has key access — every vendor that touches customer information is supposed to be contractually bound to equivalent safeguards. Most firms have whatever the vendor's standard agreement says, never reviewed for adequacy. This is the easiest item for a regulator to find a gap on.
5. No tested incident response plan
The plan exists in a binder. Nobody has practiced what happens at 11 PM on a Tuesday when a partner notices ransomware on a workstation. The plan should answer: who do we call? Who calls the IRS? Who notifies clients? Which authority gets notified within 24 hours, which within 30 days? A 30-minute tabletop exercise once a year reveals more gaps than reading the document does.
How to build the program in three steps
Step 1: Build the WISP first
The WISP is the spine of everything else. Start with the IRS-published WISP template (Publication 5708) and customize it specifically to your firm. Include: the named qualified individual, your actual systems and where data lives, your specific safeguards, your incident response plan, and your vendor list. Sign it, date it, give a copy to every employee.
Step 2: Layer technical safeguards onto your existing tools
Audit your stack: tax-prep software, practice management, email, document storage, file-sharing, e-signature, payroll, accounting. For each one, confirm: encryption at rest, encryption in transit, MFA available and enforced, audit logging available, vendor agreement covers GLBA-equivalent safeguards. The gaps you find go on the remediation list.
Step 3: Operationalize the controls
The plan is only worth its operational habits. Onboarding training. Termination checklist. Annual security training. Quarterly access reviews. Annual vendor review. Annual tabletop exercise. Without these recurring rituals, the WISP slowly drifts out of sync with reality, and the firm is back where it started.
Where MyCPACRM fits
MyCPACRM is a piece of the technical safeguards layer: the practice management platform that holds your client information. The platform implements encryption at rest (AES-256), encryption in transit (TLS 1.3), strict tenant isolation, multi-factor authentication for staff and clients, role-based access controls, complete audit logging of every access to customer information, and field-level encryption for SSN and EIN. Security and Compliance pages document the controls in detail. Privacy practices align with PIPEDA in Canada, CCPA / CPRA / VCDPA in the US, GLBA Safeguards, and IRS Publication 4557. Data is hosted on Microsoft Azure with regional residency options; US firms can elect US Azure regions.
The platform is one component of your overall WISP, not a substitute for it. You still need the written plan, the named qualified individual, the vendor matrix, the training cadence, and the incident response plan, and you still have to enforce MFA for your users, assign roles on a least-privilege basis, and review access periodically. What MyCPACRM gives you is a defensible technical-safeguards baseline for the client data it holds, so those controls do not have to be built firm by firm.
Frequently Asked Questions
Does CCPA apply to my CPA firm if I don't operate in California?
It can. CCPA / CPRA applies to any for-profit entity that collects personal information about California residents and meets one of three thresholds: (1) annual gross revenue over $25 million (inflation-adjusted), (2) buys, sells, or shares personal information of 100,000+ California residents or households, or (3) derives 50%+ of annual revenue from selling or sharing California residents' personal information. Note that CCPA exempts personal information already subject to GLBA, but only that data, not the firm as a whole, so other client or website-visitor data a covered firm holds remains in scope. A CPA firm in any state with even a few California-resident clients should review the thresholds annually.
Is every US CPA firm covered by GLBA?
Most are. The FTC Safeguards Rule applies to non-bank financial institutions under GLBA, and the rule's examples of covered entities include accountants and other tax-preparation services. Even small firms with no employees handle non-public personal financial information of clients and are covered. The rule has required a written information security program since 2003; the 2021 and 2023 amendments added the specifics, including a designated qualified individual, a written risk assessment, enumerated technical controls, and breach reporting to the FTC.
What is a WISP and do I need one?
A Written Information Security Plan (WISP) is a documented set of administrative, technical, and physical safeguards that protect customer information. It is REQUIRED of every paid tax preparer under the GLBA Safeguards Rule (which IRS Publication 4557 incorporates), and some state laws impose their own written-program requirement regardless of GLBA status, most notably Massachusetts 201 CMR 17.00 for anyone holding personal information of Massachusetts residents. (New York DFS Part 500 is sometimes cited here, but it applies only to entities licensed by the Department of Financial Services, not to CPA firms generally.) The IRS specifically cross-references the data-security-plan obligation during PTIN renewal. Yes: every US CPA firm needs one in writing.
What is IRS Publication 4557?
Publication 4557, "Safeguarding Taxpayer Data," is the IRS's specific data-security guidance for tax practitioners. It outlines required safeguards (encryption, access controls, employee training, vendor management, breach response), references GLBA, and lists best practices. While Pub 4557 itself is guidance rather than a statute, compliance is implicit in PTIN renewal — preparers attest to having a WISP that aligns with these standards.
What does the GLBA Safeguards Rule require beyond a WISP?
After the amendments: (1) designate a "qualified individual" to oversee the program, (2) conduct and document a written risk assessment, (3) implement specific safeguards including access controls, data inventory, encryption of customer information in transit and at rest, multi-factor authentication, secure development and change management, logging of user activity, and secure disposal of customer information no later than two years after its last use, (4) train staff and keep security personnel current, (5) oversee service providers contractually and periodically, (6) test the safeguards regularly, through continuous monitoring or annual penetration tests plus vulnerability assessments every six months, (7) maintain a written incident response plan, (8) have the qualified individual report in writing to the board or senior management at least annually, and (9) notify the FTC as soon as possible, and within 30 days of discovery, of security events affecting 500 or more consumers.
What are the penalties for a tax preparer breach?
FTC civil penalties run to $51,744 per violation per day at the 2024 inflation-adjusted amount (the figure is re-indexed each January, so check the current schedule). California CCPA imposes $2,500 per violation and $7,500 per intentional violation or violation involving a minor, as statutory base amounts that are also inflation-adjusted. Many states also have separate breach notification laws with their own penalty structures. The IRS can revoke or suspend PTINs and EFINs, effectively ending the firm's ability to e-file. Reputational damage typically exceeds direct fines.
How fast must I notify clients of a data breach?
It varies by jurisdiction. The FTC Safeguards Rule requires reporting to the FTC as soon as possible and within 30 days of discovery for breaches affecting 500+ consumers. California requires notice to affected residents "in the most expedient time possible and without unreasonable delay," with no fixed day count in the statute. Some states set hard outer limits: Florida, Colorado, and Washington require notice within 30 days, Connecticut within 60 days. The IRS expects notification of the agency itself within 24 hours of confirming taxpayer data was compromised. The safe practice: have a written incident response plan that targets 24-hour internal escalation, a 72-hour preliminary notification to the parties your plan designates, and 30-day formal reporting, which satisfies the strictest of these deadlines.