{"id":6539,"date":"2026-05-19T15:14:36","date_gmt":"2026-05-19T19:14:36","guid":{"rendered":"https:\/\/verito.com\/blog\/?p=6539"},"modified":"2026-05-19T15:14:36","modified_gmt":"2026-05-19T19:14:36","slug":"wisp-for-bookkeepers-ftc-safeguards-requirements-2026","status":"publish","type":"post","link":"https:\/\/verito.com\/blog\/wisp-for-bookkeepers-ftc-safeguards-requirements-2026\/","title":{"rendered":"WISP for Bookkeepers: FTC Safeguards Requirements 2026"},"content":{"rendered":"<h2 id=\"h-federal-law-treats-bookkeepers-like-banks\" class=\"wp-block-heading\"><span id=\"federal-law-treats-bookkeepers-like-banks-heres-what-that-means-for-your-practice\"><span id=\"federal-law-treats-bookkeepers-like-banks\"><strong>Federal Law Treats Bookkeepers Like Banks. Here&#8217;s What That Means for Your Practice.<\/strong><\/span><\/span><\/h2>\n<p>You&#8217;re at a tax and accounting conference. Coffee in hand. Someone at the booth next to you is talking about WISPs. You overhear &#8220;Written Information Security Plan&#8221; and your eyes glaze over.<\/p>\n<p>You&#8217;re a <a href=\"https:\/\/verito.com\/industries\/bookkeepers\" target=\"_blank\" rel=\"dofollow\" >bookkeeper<\/a>. You don&#8217;t prepare returns. You don&#8217;t have a PTIN. None of this applies to you.<\/p>\n<p>That assumption could be the most expensive thing in your practice.<\/p>\n<p>Federal law disagrees. So does the FTC and the IRS. 
And so does the insurance carrier you&#8217;ll call the morning after a breach.<\/p>\n<p>This article walks you through what the law actually says.\u00a0<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-the-rule-most-bookkeepers-have-never-read\" class=\"wp-block-heading\"><span id=\"the-rule-most-bookkeepers-have-never-read\"><strong>The Rule Most Bookkeepers Have Never Read<\/strong><\/span><\/h2>\n<p>If you run a bookkeeping practice, you almost certainly handle SSNs, payroll data, bank routing numbers, or business financials used for tax filings. That&#8217;s enough to put you under the FTC Safeguards Rule.<\/p>\n<p>The rule has been on the books since <a href=\"https:\/\/www.ftc.gov\/sites\/default\/files\/documents\/federal_register_notices\/standards-safeguarding-customer-information-16-cfr-part-314\/020523standardsforsafeguardingcustomerinformation.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">May 23, 2003<\/a>. It was strengthened on <a href=\"https:\/\/www.federalregister.gov\/documents\/2021\/12\/09\/2021-25736\/standards-for-safeguarding-customer-information\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">December 9, 2021 (86 Fed. Reg. 70272)<\/a>. Final compliance for the new technical safeguards was extended to <a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2022\/11\/ftc-extends-deadline-six-months-compliance-some-changes-financial-data-security-rule\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">June 9, 2023<\/a>. 
That deadline already passed.<\/p>\n<p>The AICPA has been telling its members for years that a significant share of small accounting and bookkeeping firms still don&#8217;t realize the rule applies to them.\u00a0<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-the-ftc-safeguards-rule-in-plain-english\" class=\"wp-block-heading\"><span id=\"the-ftc-safeguards-rule-in-plain-english\"><strong>The FTC Safeguards Rule, In Plain English<\/strong><\/span><\/h2>\n<p>Start here. This is the rule that catches everyone. PTIN or no PTIN. Solo or 50-person firm. CPA, EA, or bookkeeper.<\/p>\n<p>The Federal Trade Commission&#8217;s Safeguards Rule, codified at <a href=\"https:\/\/www.ecfr.gov\/current\/title-16\/chapter-I\/subchapter-C\/part-314\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">16 CFR Part 314<\/a>, requires every &#8220;financial institution&#8221; under FTC jurisdiction to maintain a written information security program. The Rule&#8217;s examples at <a href=\"https:\/\/www.ecfr.gov\/current\/title-16\/chapter-I\/subchapter-C\/part-314\/section-314.2\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">16 CFR 314.2(h), Example 6<\/a> list tax preparation firms as covered entities.<\/p>\n<p>Here&#8217;s where most bookkeepers get tripped up. The FTC&#8217;s definition of &#8220;financial institution&#8221; is broader than you&#8217;d expect. It isn&#8217;t limited to banks or lenders. It covers any business engaged in an activity &#8220;financial in nature or incidental to such financial activities.&#8221;<\/p>\n<p>That language is doing a lot of work. It&#8217;s the reason your bookkeeping practice sits on the same legal footing as the bank down the street, at least for data-security purposes.<\/p>\n<p>The rule mandates seven concrete things. 
Every covered firm must:<\/p>\n<ul class=\"wp-block-list\">\n<li>Develop, implement, and maintain a written information security program<\/li>\n<li>Conduct a formal risk assessment in writing<\/li>\n<li>Designate a qualified individual to oversee the program<\/li>\n<li>Implement multi-factor authentication on all systems containing client data<\/li>\n<li>Encrypt customer data in transit and at rest<\/li>\n<li>Establish a written incident response plan<\/li>\n<li>Notify the FTC <a href=\"https:\/\/www.ftc.gov\/business-guidance\/blog\/2024\/05\/safeguards-rule-notification-requirement-now-effect\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">no later than 30 days after discovery of a security event<\/a> involving the unencrypted information of at least 500 consumers<\/li>\n<\/ul>\n<p>Read that list again. Notice what isn&#8217;t on it.<\/p>\n<p>It doesn&#8217;t say &#8220;if you have a PTIN.&#8221; It doesn&#8217;t say &#8220;if your firm has more than five employees.&#8221; It doesn&#8217;t say &#8220;if your revenue exceeds X dollars.&#8221;<\/p>\n<p>Size and credential don&#8217;t determine whether the rule applies. Data does.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-the-law-underneath-the-rule\" class=\"wp-block-heading\"><span id=\"the-law-underneath-the-rule\"><strong>The Law Underneath the Rule<\/strong><\/span><\/h2>\n<p>The Safeguards Rule doesn&#8217;t exist in isolation. It&#8217;s the regulation that implements a federal law from 1999: the Gramm-Leach-Bliley Act, codified at <a href=\"https:\/\/www.law.cornell.edu\/uscode\/text\/15\/6801\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">15 U.S.C. \u00a7 6801<\/a>.<\/p>\n<p>Most bookkeepers have never heard of GLBA. That&#8217;s fine. You don&#8217;t need to memorize statutes. 
But you should understand what GLBA actually did, because that&#8217;s the part that surprises people.<\/p>\n<p>When Congress passed GLBA, it defined &#8220;financial institution&#8221; deliberately broadly. The goal was to bring every business handling consumer financial data under one privacy and security regime, not just chartered banks. The statute named tax preparation as a financial activity. Activities incidental to financial services were swept in along with it.<\/p>\n<p>That category includes bookkeeping, payroll, accounts payable and receivable, and the financial statements you prepare for clients who&#8217;ll use them on their returns.<\/p>\n<p>GLBA assigned enforcement authority to different agencies depending on the type of entity. Banks answer to federal banking regulators. Insurance companies answer to state commissioners. Everyone else, including independent bookkeepers, falls under FTC jurisdiction.<\/p>\n<p>That&#8217;s why the FTC writes the rule. It&#8217;s why the FTC investigates the breaches.<\/p>\n<p>The <a href=\"https:\/\/taxschool.illinois.edu\/post\/applying-the-updated-wisp-requirements\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">University of Illinois Tax School<\/a> put it cleanly in a September 2024 analysis: &#8220;The GLBA designated tax professionals as financial institutions. It gave the same responsibilities to small tax practices as to large banks, although banks realistically have much more complex security needs.&#8221;<\/p>\n<p>Same legal duty. Different operational scale. 
That&#8217;s the whole story.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-the-irs-layer-if-you-hold-a-ptin\" class=\"wp-block-heading\"><span id=\"the-irs-layer-if-you-hold-a-ptin\"><strong>The IRS Layer (If You Hold a PTIN)<\/strong><\/span><\/h2>\n<p>For bookkeepers who also hold a PTIN, there&#8217;s a third layer worth knowing.<\/p>\n<p>IRS <a href=\"https:\/\/www.irs.gov\/pub\/irs-pdf\/p4557.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Publication 4557 (Safeguarding Taxpayer Data)<\/a> and <a href=\"https:\/\/www.irs.gov\/pub\/irs-pdf\/p5708.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Publication 5708 (Creating a Written Information Security Plan for Your Tax &amp; Accounting Practice)<\/a> both state that tax professionals are required by law to maintain a WISP. The IRS isn&#8217;t writing those publications as suggestions. It&#8217;s interpreting the same federal law you&#8217;ve been reading about, plus its own authority over preparers.<\/p>\n<p>The teeth come from <a href=\"https:\/\/www.irs.gov\/pub\/irs-pdf\/fw12.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">IRS Form W-12<\/a>, the PTIN renewal application. Line 11 (Data Security Responsibilities) is a checkbox where you confirm you&#8217;re aware of the <a class=\"wpil_keyword_link\" href=\"http:\/\/verito.com\/written-information-security-plan\" target=\"_blank\"  rel=\"dofollow noopener\" title=\"WISP\" data-wpil-keyword-link=\"linked\"  data-wpil-monitor-id=\"1251\">WISP<\/a> requirement and your obligation to safeguard taxpayer data. The signature block at the bottom of the form, where you certify the entire application, is signed under penalty of perjury.<\/p>\n<p>That&#8217;s not a checkbox you can ignore. False statements on the W-12 can result in PTIN suspension or revocation. No PTIN means no preparing returns for compensation. 
Practically speaking, it ends the part of your practice that depends on it.<\/p>\n<p>If you&#8217;ve been checking that box on annual renewals without actually having a WISP on file, the gap between what you certified and what exists in your practice is a real problem.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-im-just-a-bookkeeper-and-other-objections\" class=\"wp-block-heading\"><span id=\"im-just-a-bookkeeper-and-other-objections\"><strong>&#8220;I&#8217;m Just a Bookkeeper&#8221; and Other Objections<\/strong><\/span><\/h2>\n<p>Let&#8217;s run through the objections we hear most. Every one of them.<\/p>\n<h3 id=\"h-i-dont-prepare-tax-returns\" class=\"wp-block-heading\"><span id=\"i-dont-prepare-tax-returns-i-just-do-bookkeeping\"><span id=\"i-dont-prepare-tax-returns\"><strong>&#8220;I don&#8217;t prepare tax returns. I just do bookkeeping.&#8221;<\/strong><\/span><\/span><\/h3>\n<p>The FTC Safeguards Rule applies to any business handling non-public personal information in connection with a financial activity. Payroll processing, bank reconciliation, accounts payable, accounts receivable, and financial statement preparation are all covered.<\/p>\n<p>The trigger is the data you handle, not the credential on your business card.<\/p>\n<p>If you reconcile a client&#8217;s bank statements, you have their account numbers. If you process payroll, you have employee SSNs. If you prepare a P&amp;L used for tax purposes, you&#8217;re touching financial data that flows directly into a federal return.<\/p>\n<p>Any one of those is enough.<\/p>\n<h3 id=\"h-im-a-solo-practitioner\" class=\"wp-block-heading\"><span id=\"im-a-solo-practitioner-the-law-is-meant-for-big-firms\"><span id=\"im-a-solo-practitioner\"><strong>&#8220;I&#8217;m a solo practitioner. The law is meant for big firms.&#8221;<\/strong><\/span><\/span><\/h3>\n<p>The FTC explicitly rejected size-based exemptions in 2021. 
The National Federation of Independent Business asked for an exemption for sole proprietors during the rulemaking. The FTC said no, writing in the final rule that whether a business is operated by a single individual is &#8220;not determinative&#8221; of financial-institution status. The Federal Register reflects that decision (<a href=\"https:\/\/www.federalregister.gov\/documents\/2021\/12\/09\/2021-25736\/standards-for-safeguarding-customer-information\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">86 Fed. Reg. 70272<\/a>, December 9, 2021).<\/p>\n<p>The IRS reinforces the point in Publication 5708. A WISP can be scaled for size, scope, complexity, and customer-data sensitivity. The requirement to have one is universal.<\/p>\n<p>A solo bookkeeper&#8217;s WISP will be shorter than a 30-person firm&#8217;s. It still has to exist. The requirement is universal. The format is flexible.<\/p>\n<h3 id=\"h-my-software-vendor-handles-data-security\" class=\"wp-block-heading\"><span id=\"my-software-vendor-handles-data-security\"><strong>&#8220;My software vendor handles data security.&#8221;<\/strong><\/span><\/h3>\n<p>This is the most common objection. It&#8217;s also the most dangerous, because it sounds reasonable.<\/p>\n<p>The FTC Safeguards Rule requires you to oversee service providers. That means selecting capable vendors and requiring them, by contract, to implement appropriate safeguards. You&#8217;re responsible for documenting that oversight in your WISP.<\/p>\n<p>Vendor due diligence is a section of the plan. It&#8217;s not a substitute for it.<\/p>\n<p>In other words: your QuickBooks subscription doesn&#8217;t satisfy your obligation. Your hosting provider&#8217;s SOC 2 report doesn&#8217;t satisfy your obligation. 
Your IT person&#8217;s verbal assurance that &#8220;we&#8217;re locked down&#8221; doesn&#8217;t satisfy your obligation.<\/p>\n<p>A written, dated, reviewed WISP that documents what your vendors do and what you do is what satisfies your obligation.<\/p>\n<h3 id=\"h-i-havent-been-audited\" class=\"wp-block-heading\"><span id=\"i-havent-been-audited-or-penalized-so-it-must-not-be-enforced\"><span id=\"i-havent-been-audited\"><strong>&#8220;I haven&#8217;t been audited or penalized, so it must not be enforced.&#8221;<\/strong><\/span><\/span><\/h3>\n<p>This is the gambler&#8217;s argument. The FTC has broad enforcement authority and a track record of acting against firms that fail to protect consumer data. Our overview of <a href=\"https:\/\/verito.com\/ftc-safeguards-rule\" target=\"_blank\" rel=\"dofollow\" >the FTC Safeguards Rule<\/a> walks through what the agency actually looks for in an investigation.<\/p>\n<p>But the more practical risk isn&#8217;t a proactive audit. It&#8217;s what happens when a client gets phished, a laptop gets stolen, or ransomware hits your shared drive.<\/p>\n<p>That&#8217;s when the WISP question gets asked. That&#8217;s the moment your insurance carrier looks at whether you had one. 
Without a WISP, you may face a denied claim, a civil suit from the affected client, and personal liability you didn&#8217;t expect.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-insurance-doing-the-ftcs-enforcement-work\" class=\"wp-block-heading\"><span id=\"the-insurance-industry-is-doing-the-ftcs-enforcement-work-for-it\"><span id=\"insurance-doing-the-ftcs-enforcement-work\"><strong>The Insurance Industry Is Doing the FTC&#8217;s Enforcement Work for It<\/strong><\/span><\/span><\/h2>\n<p>Here&#8217;s a development that doesn&#8217;t get enough attention: cyber liability underwriters are now requiring evidence of WISP compliance before they&#8217;ll bind or renew a policy.<\/p>\n<p>That shift happened quietly over the last two years. Pre-2023, the standard cyber application asked whether you had &#8220;reasonable security measures&#8221; in place. The current generation of applications asks specific questions: Do you have a documented written information security plan? Do you enforce MFA on all systems with client data? Do you have a written incident response plan? Have you completed a risk assessment in the last twelve months?<\/p>\n<p>If you can&#8217;t answer yes, with documentation, you&#8217;re not getting the policy. Or you&#8217;re getting it at a much higher premium with a higher deductible and broader exclusions.<\/p>\n<p>This matters for two reasons.<\/p>\n<p>First, it&#8217;s the most reliable way the FTC&#8217;s rule actually gets enforced. The FTC investigates a small fraction of breaches. Insurance carriers underwrite every renewal. They&#8217;ve now made WISP compliance a precondition of coverage, which means every bookkeeper who carries cyber insurance is effectively being audited every year by their broker, whether they realize it or not.<\/p>\n<p>Second, the documentation requirement is functionally equivalent to FTC compliance. If your WISP satisfies the carrier, it almost certainly satisfies the FTC. 
If it doesn&#8217;t satisfy the carrier, you have a problem on both fronts.<\/p>\n<p>Call your broker. Ask what their current cyber application looks like. If they say &#8220;we&#8217;re tightening up at renewal,&#8221; that&#8217;s the answer. The work you do for the carrier is the same work you do for the FTC. Do it once, satisfy both.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-what-actually-triggers-the-obligation\" class=\"wp-block-heading\"><span id=\"what-actually-triggers-the-obligation\"><strong>What Actually Triggers the Obligation<\/strong><\/span><\/h2>\n<p>The data, not the title. Here&#8217;s the working list:<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Data type<\/th>\n<th>Where bookkeepers touch it<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Social Security Numbers and ITINs<\/td>\n<td>Payroll, 1099 prep, new-employee onboarding<\/td>\n<\/tr>\n<tr>\n<td>Bank account and routing numbers<\/td>\n<td>Reconciliations, ACH setup, refund routing<\/td>\n<\/tr>\n<tr>\n<td>Payroll information (wages, hours, withholding)<\/td>\n<td>Weekly or biweekly payroll runs<\/td>\n<\/tr>\n<tr>\n<td>Federal Tax Information from returns or W-2\/1099<\/td>\n<td>Year-end packages, audit support<\/td>\n<\/tr>\n<tr>\n<td>Business financial records used to prepare tax filings<\/td>\n<td>Monthly close, financial statement prep<\/td>\n<\/tr>\n<tr>\n<td>Personally identifiable financial information (NPPI)<\/td>\n<td>Client portals, email attachments, shared drives<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>If your practice touches any of those on behalf of a client, the obligation is triggered. That&#8217;s most bookkeeping practices.<\/p>\n<p>A useful test: if a stranger walked into your office and copied your hard drive, what could they do with the contents? 
If the answer involves opening fraudulent accounts, filing false returns, redirecting payroll, or impersonating your clients to their bank, you&#8217;re handling NPPI.<\/p>\n<p>The FTC Safeguards Rule applies.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-the-cost-of-doing-nothing\" class=\"wp-block-heading\"><span id=\"the-cost-of-doing-nothing\"><strong>The Cost of Doing Nothing<\/strong><\/span><\/h2>\n<p>Here&#8217;s how the exposure plays out in a small bookkeeping practice.<\/p>\n<p><strong>Regulatory penalties.<\/strong> FTC civil penalties for Safeguards Rule violations run up to <a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2025\/01\/ftc-publishes-inflation-adjusted-civil-penalty-amounts-2025\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">$53,088 per violation<\/a> under the FTC&#8217;s January 2025 inflation adjustment. The rule&#8217;s breach notification requirement adds another exposure. Failure to notify the FTC within 30 days of a qualifying security event compounds the problem.<\/p>\n<p><strong>PTIN consequences.<\/strong> If you hold a PTIN and there&#8217;s no WISP behind the box you checked on Form W-12, the IRS can suspend or revoke your number. That ends paid return preparation immediately.<\/p>\n<p><strong>Insurance denial.<\/strong> Cyber liability and errors-and-omissions carriers have refused to pay claims when the insured had no documented WISP. Some carriers now require a WISP as a condition of binding coverage at all. The University of Illinois Tax School flagged this trend in its 2024 analysis. 
If your renewal application doesn&#8217;t ask whether you have a WISP yet, it will soon.<\/p>\n<p><strong>Breach costs.<\/strong> <a href=\"https:\/\/www.ibm.com\/reports\/data-breach\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">IBM&#8217;s 2024 Cost of a Data Breach Report<\/a> put the average breach cost for organizations with fewer than 500 employees at $3.31 million once forensics, client notification, credit monitoring, legal fees, and reputational damage are accounted for. Most independent bookkeepers operate at a tiny fraction of that scale, and a small fraction of $3.31 million is still a practice-ending number.<\/p>\n<p><strong>Civil litigation.<\/strong> Affected clients can sue. Without a WISP showing reasonable safeguards were in place, you have no documented defense. The plaintiff&#8217;s attorney will ask for your written security plan in discovery. If you don&#8217;t have one, that fact becomes a centerpiece of the negligence argument.<\/p>\n<p>The math here isn&#8217;t dramatic. It&#8217;s arithmetic. The cost of not having a WISP is high. The cost of having one is a few hundred dollars and a few hours of your time. For tax-season-specific operational risk that ties directly into the WISP&#8217;s incident-response section, our piece on <a href=\"https:\/\/verito.com\/blog\/co-managed-it-tax-season-cpa-firms\" target=\"_blank\" rel=\"dofollow noopener\">co-managed IT during tax season<\/a> covers the layered controls firms typically cite under the rule.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-what-a-compliant-wisp-looks-like\" class=\"wp-block-heading\"><span id=\"what-a-compliant-wisp-looks-like\"><strong>What a Compliant WISP Looks Like<\/strong><\/span><\/h2>\n<p>The IRS and FTC don&#8217;t leave the contents to imagination. 
Publication 4557, translated into the standard nine-section format used by practitioners, identifies these required elements:<\/p>\n<ol class=\"wp-block-list\">\n<li>A named Designated Security Coordinator<\/li>\n<li>A documented risk assessment listing the data you handle and the threats to it<\/li>\n<li>Administrative, technical, and physical safeguards<\/li>\n<li>Employee training, sign-offs, and access controls<\/li>\n<li>An inventory of every device storing client data, with MFA and encryption documented<\/li>\n<li>Procedures for detecting and managing system failures<\/li>\n<li>Data disposal and retention policies covering paper and electronic records<\/li>\n<li>A step-by-step incident response plan<\/li>\n<li>An annual review cycle with dates and changes recorded<\/li>\n<\/ol>\n<p>The plan must be a living document. Review it at least annually. Update it whenever your technology, staff, or operations change. Keep a copy offsite or in the cloud so you can retrieve it after an incident.<\/p>\n<p>None of this is optional. All of it is documentable in a few hours if you start with a real template instead of a blank page.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-a-word-on-ai-tools\" class=\"wp-block-heading\"><span id=\"a-word-on-ai-tools\"><strong>A Word on AI Tools<\/strong><\/span><\/h2>\n<p>One section that wasn&#8217;t on the IRS list ten years ago, but absolutely belongs on yours today: AI usage.<\/p>\n<p>If anyone in your practice uses ChatGPT, Claude, Copilot, or Gemini to draft client emails, summarize statements, or build journal entries, you have an AI-tool data flow. That flow needs to be documented in your WISP. The default settings on most consumer AI tools allow the provider to use your inputs to train their models. 
Pasting a client&#8217;s Schedule C into a free-tier ChatGPT account is, in effect, transmitting that data to a third party with broad rights to retain and reuse it.<\/p>\n<p>The FTC Safeguards Rule treats every third-party data processor as a vendor. AI tools count. If your firm uses them, your WISP needs an AI section that covers acceptable use, account-tier requirements, and the data types staff are allowed to put into them.<\/p>\n<p>A few practical points worth getting right. Free-tier consumer accounts are generally not safe for client data, because the consumer terms typically permit training on inputs. Business and enterprise tiers have different terms, but only when the account is actually configured at that tier. Personal accounts used at work don&#8217;t qualify, no matter what plan the user is on at home. And Microsoft Copilot, Google Gemini, and Claude all have different default data-handling rules depending on the tenant configuration. The version your firm pays for matters more than the brand on the logo.<\/p>\n<p>Most WISPs written before 2023 don&#8217;t address any of this. Most WISPs written today still don&#8217;t. That gap is where your next FTC headache lives. For tax-firm-specific guidance on AI usage, our piece on <a href=\"https:\/\/verito.com\/blog\/quickbooks-mcp-ai-compliance-tax-firms-2026\" target=\"_blank\" rel=\"dofollow\" >AI compliance for tax firms in 2026<\/a> covers the same considerations through a tax-prep lens.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-what-this-looks-like-when-it-goes-wrong\" class=\"wp-block-heading\"><span id=\"what-this-looks-like-when-it-goes-wrong\"><strong>What This Looks Like When It Goes Wrong<\/strong><\/span><\/h2>\n<p>Picture a five-person bookkeeping practice in any mid-sized city. Solo owner, four staff, a mix of monthly bookkeeping clients and seasonal payroll work. No PTIN holder on staff. No CPA. 
Just experienced bookkeepers running a clean book of business on QuickBooks Online, a shared OneDrive, and a couple of cloud-based payroll tools.<\/p>\n<p>One Tuesday, the owner gets a call from a client. The client received an email from her own bookkeeper asking her to confirm the new bank account for an outgoing wire. Except the bookkeeper never sent that email. The bookkeeper&#8217;s email had been compromised the previous week through a phishing message that looked like a Microsoft password reset. The attacker had been quietly reading her inbox for nine days, learning the cadence of her client communication, before launching the wire fraud attempt.<\/p>\n<p>Three things happen in the next forty-eight hours. The owner contacts her cyber insurance carrier. The carrier asks for a copy of the firm&#8217;s written incident response plan and WISP. She doesn&#8217;t have one. The carrier opens a coverage review. The owner contacts an attorney, who informs her that under her state&#8217;s breach notification law, she has a defined window to notify every affected client whose information passed through that compromised mailbox.<\/p>\n<p>That&#8217;s not a worst-case scenario. That&#8217;s an average week for a small bookkeeping practice without documentation. The breach itself was recoverable. 
The lack of a WISP is what turned it into an existential problem.<\/p>\n<p>For more on the practical side of this, our guide on <a href=\"https:\/\/verito.com\/blog\/cybersecurity-for-accounting-firms\" target=\"_blank\" rel=\"dofollow\" >cybersecurity for accounting firms<\/a> covers the underlying controls that a WISP documents, and our piece on <a href=\"https:\/\/verito.com\/blog\/managed-it-for-accounting-firms-it-guy-quits\" target=\"_blank\" rel=\"dofollow\" >what happens when your only IT person leaves<\/a> covers the operational fragility most small bookkeeping practices don&#8217;t realize they&#8217;re sitting on.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-where-to-start\" class=\"wp-block-heading\"><span id=\"where-to-start\"><strong>Where to Start<\/strong><\/span><\/h2>\n<p>If you don&#8217;t have a WISP today, you have three reasonable options.<\/p>\n<p>The first is the IRS template. The Service publishes a model plan in Publication 5708. It&#8217;s free. It&#8217;s a starting point. The downside is that it&#8217;s generic, and turning it into something defensible for your specific practice takes time, judgment, and willingness to read the regulation carefully.<\/p>\n<p>The second is your accountant or attorney. Some firms have built WISP creation into their advisory services. The cost varies. The quality varies more.<\/p>\n<p>The third is a turnkey product. <a href=\"https:\/\/verito.com\/wisp\" target=\"_blank\" rel=\"dofollow\" >VeritShield WISP<\/a> is built for tax and accounting practices that want a compliant, audit-ready plan in 5 business days without the time cost of building one from scratch. It covers the nine required sections, a documented vendor management process, AI usage policies, and the annual review cadence. It isn&#8217;t the only option on the market. It&#8217;s the one we built specifically for this audience.<\/p>\n<p>Whatever path you take, take one. 
The compliance deadline already passed. Your insurance carrier is going to ask. Your clients are going to ask. The regulation isn&#8217;t going away.<\/p>\n<p>A WISP isn&#8217;t a competitive advantage. It&#8217;s the floor.<\/p>\n<p>The good news: the floor is reachable in less time than you&#8217;d expect.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-how-verito-fits\" class=\"wp-block-heading\"><span id=\"how-verito-fits-this\"><span id=\"how-verito-fits\"><strong>How Verito Fits This<\/strong><\/span><\/span><\/h2>\n<p>Verito provides cloud hosting and managed IT exclusively for tax and accounting firms. We work with 1,000+ firms across the country. Our work sits on three products that map directly to the FTC Safeguards Rule&#8217;s seven mandates.<\/p>\n<p><a href=\"https:\/\/verito.com\/managed-it\" target=\"_blank\" rel=\"dofollow\" >VeritGuard<\/a> handles the technical safeguards: MFA on every account that touches client data, endpoint detection and response, 24\/7 SOC monitoring, patch automation, and email security. These are the controls a WISP documents and the controls an FTC investigator or insurance carrier asks about first.<\/p>\n<p>VeritShield WISP delivers the written plan itself. Five business days from kickoff to a signed, dated document that covers the nine required sections, the vendor oversight requirement, AI usage policies, and the annual review cadence.<\/p>\n<p><a class=\"wpil_keyword_link\" href=\"http:\/\/verito.com\/veritspace\" target=\"_blank\"  rel=\"dofollow noopener\" title=\"VeritSpace\" data-wpil-keyword-link=\"linked\"  data-wpil-monitor-id=\"1250\">VeritSpace<\/a> is the dedicated hosting environment underneath everything else. Encryption in transit and at rest, isolation from other tenants, and SOC 2 Type II audit documentation that satisfies the rule&#8217;s service-provider oversight requirement when your clients ask for it. 
<a href=\"https:\/\/verito.com\/managed-backup-services\" target=\"_blank\" rel=\"dofollow\" >Managed backup services<\/a> sit alongside it for the WISP&#8217;s data retention and incident-recovery sections.<\/p>\n<p>Verito has maintained <a href=\"https:\/\/verito.com\/blog\/100-uptime-for-cpa-firms\" target=\"_blank\" rel=\"dofollow\" >100 percent uptime since 2016<\/a>. SOC 2 Type II certified. Built for tax-firm peak load.<\/p>\n<p>If you want a starting point before talking products, you can <a href=\"https:\/\/verito.com\/security-assessment\" target=\"_blank\" rel=\"dofollow\" >book a free security assessment<\/a> to see where your current posture stands. It&#8217;s a 30-minute scoping conversation that surfaces the gaps that matter before they become incidents.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-frequently-asked-questions\" class=\"wp-block-heading\"><span id=\"frequently-asked-questions\"><strong>Frequently Asked Questions<\/strong><\/span><\/h2>\n<h3 id=\"h-faq-1-does-the-ftc-safeguards-rule-apply-to-bookkeepers-without-a-ptin\" class=\"wp-block-heading\"><span id=\"does-the-ftc-safeguards-rule-apply-to-bookkeepers-without-a-ptin\"><span id=\"faq-1-does-the-ftc-safeguards-rule-apply-to-bookkeepers-without-a-ptin\"><strong>Does the FTC Safeguards Rule apply to bookkeepers without a PTIN?<\/strong><\/span><\/span><\/h3>\n<p>Yes. The rule applies to any business engaged in activities financial in nature or incidental to financial activities. Bookkeeping, payroll, and accounts payable\/receivable are all covered. The trigger is the data you handle, not the credential on your business card. 
PTIN status changes which IRS publications apply to you, not whether the FTC rule applies.<\/p>\n<h3 id=\"h-faq-2-what-is-a-wisp\" class=\"wp-block-heading\"><span id=\"what-is-a-wisp-and-what-does-it-have-to-contain\"><span id=\"h-faq-2-what-is-a-wisp\"><strong>What is a WISP and what does it have to contain?<\/strong><\/span><\/span><\/h3>\n<p>A WISP is a Written Information Security Plan. It&#8217;s a single document covering nine sections: a designated security coordinator, a written risk assessment, administrative\/technical\/physical safeguards, employee training and access controls, a device inventory with MFA and encryption documented, procedures for detecting system failures, data disposal and retention policies, an incident response plan, and an annual review cycle. IRS Publication 5708 publishes a template you can start from.<\/p>\n<h3 id=\"h-faq-3-are-solo-bookkeepers-exempt\" class=\"wp-block-heading\"><span id=\"are-solo-bookkeepers-exempt-from-the-ftc-safeguards-rule\"><span id=\"are-solo-bookkeepers-exempt\"><strong>Are solo bookkeepers exempt from the FTC Safeguards Rule?<\/strong><\/span><\/span><\/h3>\n<p>No. The FTC explicitly rejected size-based exemptions in the 2021 rulemaking. The Federal Register response (86 Fed. Reg. 70272) states that whether a business is operated by a single individual is &#8220;not determinative&#8221; of financial-institution status. A solo bookkeeper&#8217;s WISP can be shorter and simpler than a 30-person firm&#8217;s, but the requirement to have one is the same.<\/p>\n<h3 id=\"h-faq-4-what-is-the-penalty-for-not-having-a-wisp\" class=\"wp-block-heading\"><span id=\"what-is-the-penalty-for-not-having-a-wisp\"><strong>What is the penalty for not having a WISP?<\/strong><\/span><\/h3>\n<p>FTC civil penalties run up to $53,088 per violation under the January 2025 inflation adjustment. 
Beyond direct penalties, the bigger exposure is usually a denied cyber insurance claim after a breach, civil litigation from affected clients, and PTIN suspension if you hold one and certified the W-12 box without an actual plan in place.<\/p>\n<h3 id=\"h-faq-5-do-i-need-a-wisp-if-i-only-do-quickbooks-bookkeeping\" class=\"wp-block-heading\"><span id=\"do-i-need-a-wisp-if-i-only-do-quickbooks-bookkeeping\"><strong>Do I need a WISP if I only do QuickBooks bookkeeping?<\/strong><\/span><\/h3>\n<p>If you handle SSNs, bank account numbers, payroll data, or financial records used in tax filings, yes. The platform you use doesn&#8217;t change the obligation. Your QuickBooks subscription handles its own infrastructure security; it doesn&#8217;t satisfy your obligation to maintain a written information security program over the way your practice handles client data.<\/p>\n<h3 id=\"h-faq-6-how-long-does-it-take-to-create-a-compliant-wisp\" class=\"wp-block-heading\"><span id=\"how-long-does-it-take-to-create-a-compliant-wisp\"><strong>How long does it take to create a compliant WISP?<\/strong><\/span><\/h3>\n<p>If you start from the IRS Publication 5708 template and fill in your specific systems, vendors, and processes, a solo or small firm WISP takes about 4 to 8 hours of focused work. A turnkey product like VeritShield WISP delivers the same document in 5 business days with the customization done for you.<\/p>\n<h3 id=\"h-faq-7-do-i-need-an-ai-section-in-my-wisp\" class=\"wp-block-heading\"><span id=\"do-i-need-to-add-an-ai-usage-section-to-my-wisp\"><span id=\"do-i-need-an-ai-section-in-my-wisp\"><strong>Do I need to add an AI usage section to my WISP?<\/strong><\/span><\/span><\/h3>\n<p>Yes, if anyone in your practice uses ChatGPT, Claude, Copilot, Gemini, or any other AI tool with client data. The Safeguards Rule treats third-party data processors as vendors, and AI tools qualify. 
Your WISP should cover acceptable use, required account tier (business or enterprise, not free), and which data types staff are permitted to enter into them.<\/p>\n<h3 id=\"h-faq-8-will-cyber-insurance-pay-without-a-wisp\" class=\"wp-block-heading\"><span id=\"will-my-cyber-insurance-pay-if-i-dont-have-a-wisp\"><span id=\"will-cyber-insurance-pay-without-a-wisp\"><strong>Will my cyber insurance pay if I don&#8217;t have a WISP?<\/strong><\/span><\/span><\/h3>\n<p>Increasingly, no. Cyber liability carriers now require WISP documentation as a condition of binding or renewing coverage. Carriers have refused to pay claims when the insured had no documented plan. Read the application your broker sent at last renewal. If it asks about your WISP, MFA enforcement, or risk assessment, those questions are pre-conditions for the policy to respond.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<h2 id=\"h-the-bottom-line\" class=\"wp-block-heading\"><span id=\"the-bottom-line\"><strong>The Bottom Line<\/strong><\/span><\/h2>\n<p>If you handle SSNs, payroll data, bank routing numbers, or business financials, federal law treats your bookkeeping practice the same way it treats a bank, at least for data-security purposes. The FTC Safeguards Rule has been on the books since 2003 and was strengthened in 2021. The deadline for the latest technical safeguards passed in June 2023.<\/p>\n<p>The WISP requirement isn&#8217;t going away. Your insurance carrier is asking about it now. Your clients will start asking soon. The IRS already requires it of every PTIN holder.<\/p>\n<p>The path forward is one document, nine sections, a few hours of focused work. Start from the IRS template, hire it out, or buy a turnkey plan. Whatever path, take one.<\/p>\n<p><em>This article is provided for educational purposes. It is not legal advice. 
For guidance specific to your practice, consult a qualified attorney familiar with the FTC Safeguards Rule.<\/em><\/p>\n<p><strong>Sources:<\/strong> 15 U.S.C. \u00a7 6801 \u00b7 16 CFR Part 314 \u00b7 IRS Publication 4557 \u00b7 IRS Publication 5708 \u00b7 86 Fed. Reg. 70272 \u00b7 IRS Form W-12 \u00b7 FTC 2025 inflation-adjusted civil penalties \u00b7 IBM 2024 Cost of a Data Breach Report \u00b7 University of Illinois Tax School (September 2024 analysis)<\/p>\n","protected":false},"excerpt":{"rendered":"Bookkeepers handling SSNs, payroll, or bank data are financial institutions under the FTC Safeguards Rule. 
What the WISP requirement actually says.\n","protected":false},"author":14,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[104],"tags":[392,280,456,643,326,369],"class_list":{"0":"post-6539","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-managed-it-services","7":"tag-ftc-safeguards","8":"tag-ftc-safeguards-rule","9":"tag-glba-compliance","10":"tag-irs-publication-5708-wisp","11":"tag-wisp","12":"tag-wisp-compliance"},"acf":[],"yoast_head_json":{"title":"WISP for Bookkeepers: What You Need to Know - Verito Technologies | Blog","description":"Common misconception is that bookkeepers or accountants who don't do taxes have no WISP requirements. We'll dispel common myths in this article.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/verito.com\/blog\/wisp-for-bookkeepers-ftc-safeguards-requirements-2026\/","og_locale":"en_US","og_type":"article","og_title":"WISP for Bookkeepers: FTC Safeguards Requirements 2026","og_description":"Bookkeepers handling SSNs, payroll, or bank data are financial institutions under the FTC Safeguards Rule. What the WISP requirement actually says.","og_url":"https:\/\/verito.com\/blog\/wisp-for-bookkeepers-ftc-safeguards-requirements-2026\/","og_site_name":"Verito Technologies | Blog","article_published_time":"2026-05-19T19:14:36+00:00","author":"Verito Blog","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Verito Blog","Est. 
reading time":"19 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/verito.com\/blog\/wisp-for-bookkeepers-ftc-safeguards-requirements-2026\/#article","isPartOf":{"@id":"https:\/\/verito.com\/blog\/wisp-for-bookkeepers-ftc-safeguards-requirements-2026\/"},"author":{"name":"Verito Blog","@id":"https:\/\/verito.com\/blog\/#\/schema\/person\/35c3a6023364d4e3af161f130f727508"},"headline":"WISP for Bookkeepers: FTC Safeguards Requirements 2026","datePublished":"2026-05-19T19:14:36+00:00","mainEntityOfPage":{"@id":"https:\/\/verito.com\/blog\/wisp-for-bookkeepers-ftc-safeguards-requirements-2026\/"},"wordCount":4162,"publisher":{"@id":"https:\/\/verito.com\/blog\/#organization"},"keywords":["FTC Safeguards","FTC safeguards rule","GLBA compliance","IRS Publication 5708 WISP","WISP","WISP compliance"],"articleSection":["Managed IT Services"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/verito.com\/blog\/wisp-for-bookkeepers-ftc-safeguards-requirements-2026\/","url":"https:\/\/verito.com\/blog\/wisp-for-bookkeepers-ftc-safeguards-requirements-2026\/","name":"WISP for Bookkeepers: What You Need to Know - Verito Technologies | Blog","isPartOf":{"@id":"https:\/\/verito.com\/blog\/#website"},"datePublished":"2026-05-19T19:14:36+00:00","description":"Common misconception is that bookkeepers or accountants who don't do taxes have no WISP requirements. 
We'll dispel common myths in this article.","breadcrumb":{"@id":"https:\/\/verito.com\/blog\/wisp-for-bookkeepers-ftc-safeguards-requirements-2026\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/verito.com\/blog\/wisp-for-bookkeepers-ftc-safeguards-requirements-2026\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/verito.com\/blog\/wisp-for-bookkeepers-ftc-safeguards-requirements-2026\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/verito.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Managed IT Services","item":"https:\/\/verito.com\/blog\/category\/managed-it-services\/"},{"@type":"ListItem","position":3,"name":"WISP for Bookkeepers: FTC Safeguards Requirements 2026"}]},{"@type":"WebSite","@id":"https:\/\/verito.com\/blog\/#website","url":"https:\/\/verito.com\/blog\/","name":"Verito Technologies | Blog","description":"Verito Technologies Blog","publisher":{"@id":"https:\/\/verito.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/verito.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/verito.com\/blog\/#organization","name":"Verito Technologies","url":"https:\/\/verito.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/verito.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/verito.com\/blog\/wp-content\/uploads\/2020\/01\/logo_blue.png","contentUrl":"https:\/\/verito.com\/blog\/wp-content\/uploads\/2020\/01\/logo_blue.png","width":625,"height":208,"caption":"Verito Technologies"},"image":{"@id":"https:\/\/verito.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/verito.com\/blog\/#\/schema\/person\/35c3a6023364d4e3af161f130f727508","name":"Verito 
Blog","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/verito.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/cea1c4ed36195b75c257fa1abd157062f689800670899dc1612932549d577967?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cea1c4ed36195b75c257fa1abd157062f689800670899dc1612932549d577967?s=96&d=mm&r=g","caption":"Verito Blog"}}]}},"_links":{"self":[{"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/posts\/6539","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/comments?post=6539"}],"version-history":[{"count":2,"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/posts\/6539\/revisions"}],"predecessor-version":[{"id":6672,"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/posts\/6539\/revisions\/6672"}],"wp:attachment":[{"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/media?parent=6539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/categories?post=6539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/verito.com\/blog\/wp-json\/wp\/v2\/tags?post=6539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}