LoginStart free trial
QuickBooksQuickBooks

How to Comply with the FTC Safeguards Rule: A Checklist for CPA Firms

8 min readJuly 17, 2026WOW Backup & Restore

If your CPA firm handles financial data for clients, you are subject to the FTC Safeguards Rule. This is not optional, and it is not limited to banks or financial institutions. The revised rule, which took effect in June 2023, applies directly to accountants, bookkeepers, tax preparers, and anyone else classified as a "financial institution" under the Gramm-Leach-Bliley Act (GLBA).

The requirements are specific. You need a Written Information Security Plan. You need a designated Qualified Individual overseeing it. You need documented access controls, encryption, vendor management, incident response procedures, and an independent data backup strategy.

That last item is the one most firms overlook. And it is exactly where QuickBooks Online backup fits into the compliance picture.

This article breaks down what the FTC Safeguards Rule requires, what CPA firms specifically need to do, and how to build a checklist that holds up if the FTC comes asking.

What the FTC Safeguards Rule Requires

The Safeguards Rule under GLBA mandates that financial institutions develop, implement, and maintain an information security program. For CPA firms, "financial institution" is broadly defined. If you prepare tax returns, provide financial advisory services, or manage client accounting records, you are covered.

The revised rule added teeth. It moved from vague principles to concrete requirements. Here is what it demands.

Designate a Qualified Individual

Your firm must name a specific person responsible for overseeing your information security program. This can be an internal employee or an outsourced provider, but it must be documented. "Everyone handles security" is not an answer the FTC accepts.

Conduct a Risk Assessment

You need a documented risk assessment that identifies foreseeable internal and external threats to client data. This is not a one-time exercise. The assessment must be updated periodically and must address how your firm handles client financial records, including the systems those records live in.

For CPA firms using QuickBooks Online to manage client files, the risk assessment should specifically address what happens if client QBO data is lost, corrupted, or compromised. The fact that Intuit caps their liability for data loss at $100 total is relevant context here. Intuit's Terms of Service state clearly: "You are responsible for any lost or unrecoverable Content and for keeping backups of any Content you provide."

That responsibility sits with your firm, not with Intuit.

Implement Safeguards Based on Your Risk Assessment

The rule requires you to implement controls that address the risks you identified. These fall into several categories.

Access controls. Limit who can access client data to the people who need it for their job function. Review access rights when staff join, change roles, or leave.

Encryption. Client data must be encrypted both in transit and at rest. If your firm stores or transmits client financial information, it needs to be encrypted at every stage.

Multi-factor authentication. MFA is required for anyone accessing client data on your systems.

Monitoring and logging. You need systems that detect unauthorized access or data changes. An audit trail showing who accessed what, and when, is part of this.

Vendor management. If third-party service providers handle your client data, you need to assess their security practices and monitor them on an ongoing basis.

Independent data backup. Your firm must maintain independent backups of client financial data that can be used to restore information in the event of a security incident, data corruption, or accidental loss.

This is where most CPA firms have a gap.

Why Backup Is the Most Commonly Missed Requirement

Most firms have some version of access controls and encryption in place. MFA adoption has increased significantly. But when it comes to independent data backup, many CPA firms are relying on assumptions that do not hold up.

The most common assumption is that QuickBooks Online itself is the backup. It is not.

Intuit maintains platform-level infrastructure backups for their own disaster recovery. These are designed to keep the QBO platform operational after a server failure or data center incident. They are not designed to restore your individual company file, recover records you accidentally deleted, or roll back a bad import that corrupted your chart of accounts.

QBO Simple Start, Essentials, and Plus plans have no native backup or restore capability at all. QBO Advanced (US only) includes a limited backup feature, but it excludes custom reports, bank rules, reconciliation history, recurring transactions, payroll data, and more. The exclusion list runs to 15+ data types.

A CSV export is not a backup either. CSV files are flat snapshots. They lose the relational connections between records and cannot be used to reconstruct a working company file. You cannot take a CSV export and rebuild a functional QBO file from it. Reconciliation status, attachments, and transaction relationships are all gone.

The FTC Safeguards Rule requires an independent backup strategy. "We use QuickBooks Online" is not that strategy.

The QuickBooks Online Backup Checklist for FTC Compliance

Here is a practical checklist for CPA firms to address the data backup requirements of the FTC Safeguards Rule. This covers the backup component specifically. Full compliance requires addressing all the rule's requirements, not just this one.

1. Confirm you have an independent backup running

Your backup for QuickBooks Online must be separate from Intuit's infrastructure. It should be a third-party QuickBooks backup that captures your data independently and stores it outside of Intuit's environment.

2. Verify daily automated snapshots

Manual backups create gaps. Someone forgets, someone is on leave, someone assumes someone else did it. An automated QuickBooks Online backup removes the human element. Snapshots should run daily without any manual trigger required.

3. Confirm point-in-time restore capability

If an incident corrupts your data on Tuesday, you need to restore to Monday's state. Your QuickBooks Online backup solution should let you select any previous snapshot date and restore from it.

4. Verify the restore creates a new company file

A proper QuickBooks Online restore creates a brand-new QBO company file. It never overwrites your live data. This means you can compare the restored version against your current file before making any decisions. Look for a backup solution that rebuilds the full relational structure, not one that hands you a pile of CSVs.

5. Check that attachments are included

Receipts, invoice PDFs, and documents attached to transactions are part of your client records. Your QuickBooks Online data backup service should capture them and re-link them to the correct transactions on restore.

6. Verify encryption in transit and at rest

The backup data itself must be encrypted. This is a standalone requirement of the Safeguards Rule, but it also applies to how your backup provider stores your data. WORM-protected (write once, read many) storage adds an additional layer. Ransomware cannot encrypt or delete write-protected backups.

7. Confirm an audit trail exists

Every backup run, every download, and every restore should be logged with a timestamp, user identity, and IP address. This log is what you produce when the FTC, your E&O insurer, or a client asks for evidence that your backup procedures are real and running.

8. Document the backup in your Written Information Security Plan

Your WISP must reference your backup strategy by name. It should describe what is backed up, how frequently, where it is stored, who is responsible for it, and how a restore would be executed. Generic language like "data is backed up regularly" is not sufficient. Name the tool, state the frequency, and describe the restore process.

9. Test the restore process

A backup you have never tested is a backup you do not actually have. Schedule a restore test at least once per year. Confirm the restored data matches expected records. Document the test results and include them in your WISP review.

10. Review your backup coverage when you add new clients

Every time you onboard a new client QBO file, confirm it is added to your backup. If your firm manages 30 client files and only 25 are backed up, you have five compliance gaps.

How WOW Backup and Restore Fits This Checklist

WOW Backup and Restore is a QuickBooks Online backup app built specifically for accounting firms. Here is how it maps to the checklist above.

WOW connects via Intuit's official OAuth flow. No passwords stored. Automated daily backups run every night without manual intervention, covering 50+ entity types including chart of accounts, customers, vendors, invoices, bills, payments, journal entries, attachments, and company settings.

Every restore creates a new QBO company file with full relational integrity. Records are rebuilt in strict dependency order and validated to the cent. Attachments are re-linked to the correct transactions automatically.

Storage is encrypted in transit and at rest, write-protected (WORM), and AWS region-aware, keeping data in the country your account is based in. Every backup, download, and restore is logged with timestamps, user identity, and IP address.

WOW's multi-client dashboard lets firms manage backup across every client file from a single login. Pricing starts at $9.95 USD per month per active company file. Every signup includes a free first month and a free restore coupon worth $149.95.

One important note: WOW satisfies the independent backup requirement of the FTC Safeguards Rule. A full compliance program involves additional controls beyond backup alone. WOW also supports IRS Publication 4557 guidance and AICPA data protection standards.

Do Not Wait for an Enforcement Action

The FTC has been increasingly active in enforcing the Safeguards Rule since the revised requirements took effect. CPA firms are not exempt from scrutiny, and "we did not know it applied to us" is not a defence that holds up.

The backup component is one of the easiest elements to get right. An automated QuickBooks Online backup takes less than a minute to set up, runs silently in the background, and produces the documented evidence trail that compliance requires.

Start a free trial with WOW Backup and Restore. Connect via OAuth, and your first backup runs tonight.

FAQ

Frequently Asked Questions

Common questions from this article, answered.

Yes. The revised Safeguards Rule under GLBA defines "financial institution" broadly enough to include accountants, bookkeepers, tax preparers, and financial advisors. If your firm handles client financial data, you are covered.
A WISP is the documented security program the Safeguards Rule requires. It must describe your risk assessment, the safeguards you have implemented, your backup strategy, your incident response procedures, and who in your firm is responsible for overseeing the program.
No. Intuit maintains infrastructure-level backups for platform recovery. These cannot restore your individual company file or recover deleted records. The Safeguards Rule requires an independent backup, meaning your data must be backed up outside of the primary platform it lives on. A separate QuickBooks Online backup solution meets this requirement.
QBO Advanced includes a limited backup feature, but it excludes 15+ data types including custom reports, bank rules, reconciliation history, and payroll. These gaps may not satisfy the Safeguards Rule's requirement for a comprehensive backup strategy. An independent third-party QuickBooks backup closes those gaps.
The Safeguards Rule does not specify an exact frequency, but daily automated backups are the standard for professional accounting work. Automated QBO data backup eliminates the risk of human error or missed manual runs.
Yes. A backup you have never restored from is unverified. Best practice is to run a restore test at least annually and document the results in your WISP. WOW's restore process creates a new company file, so testing does not affect your live data.
WOW rebuilds your QuickBooks Online company file in a brand-new QBO company. Chart of accounts, customers, vendors, transactions, and attachments are all reconstructed with full relational integrity. Restores complete in under 24 hours.
Yes. WOW stores backup data encrypted in transit and at rest. Storage is WORM-protected (write once, read many), meaning backups cannot be deleted or encrypted by ransomware. AWS region-aware storage keeps data within the country the account is based in.
Yes. WOW's multi-client dashboard lets firms monitor backup status, access audit logs, and run granular restores for every client QBO file from a single login.
WOW Connect costs $9.95 USD per month per active company file. WOW Restore costs $149.95 USD one-time per restore. WOW Vault (for archiving inactive files) costs $2.49 USD per month. Every signup includes one free month and one free restore coupon.

Still have questions?

Our team replies within a few hours during business days.