Gramm-Leach-Bliley Act – (See IRS Pub 4557) – *New* Effective 2022
On December 9th, 2021, the FTC issued a Final Rule (86 FR 70272) related to the Gramm-Leach-Bliley Act (“GLB” or “GLBA”) of 1999; it became effective on January 10th, 2022. This rulemaking introduced five (5) changes. One of these changes effectively expanded the scope of GLBA to include Tax Preparers and additional Financial Institutions.
How Does This Affect My Organization?
As with most cybersecurity-related rules enacted in the Federal Government, this was done fairly quietly, at least for those who aren’t closely following cybersecurity rule changes in the Federal Government. And although this change does not yet have effective “teeth”, certain institutions are starting to ensure that the entities newly covered by this Final Rule are following its specific direction. Although most Tax Preparers are used to, and effective in, handling the PII of their clients, the IRS is now ensuring that these new rules are being followed.
According to an article published by the Journal of Accountancy, “Tax preparers will encounter a checkbox when they obtain or renew their preparer tax identification number (PTIN), requiring them to affirm their awareness that they must have a data security plan and provide data and system security protections for all taxpayer information”.
The IRS has filtered effective execution of GLBA down into its Publication 4557 – “Safeguarding Taxpayer Data” as well as some guidance in “Creating an Information Security Plan” or “WISP”. These documents are referenced below.
What if I just check the box as Yes without doing anything?
As this was recently implemented, it is unclear how this will be enforced or audited by the IRS or the FTC.
However, GLBA does state that failure to follow the process could result in fines of up to $100,000 per occurrence.
This could also lead your firm to a situation where you cannot file tax returns for your clients.