Regulators vs. Lawsuits: What the Wojeski $60,000 Fine Signals for MSPs Serving CPA Firms

The recent $60,000 penalty against Wojeski (Attorney General James Announces Settlement with Accounting Firm for Failing to Protect New Yorkers’ Personal Data) is a reminder: you don’t need a breach to get burned. Regulators can penalize weak programs, full stop. Lawsuits and regulatory actions are different tracks—and you can face both.

Lawsuits vs. regulatory enforcement (use this framing with prospects)

Lawsuits are one party saying, “you harmed me, pay up.” They hinge on common-law theories like negligence and breach of contract and can drag through motions, discovery, and trial. Regulatory actions, by contrast, flow from statutes and rules (FTC, SEC, and states) aimed at deterring future conduct—and fines go to governments, not victims. Regulatory proceedings are often less formal and are heard by an administrative law judge, with court review available afterward.

Where do they overlap? You can get hit by both simultaneously, e.g., a class action in California federal court, an SEC action in D.C., and a New York state enforcement. Plaintiffs will also cite every regulation to paint you as negligent—even when that statute doesn’t create a private right of action.

Why CPAs (and their MSPs) are squarely in the FTC Safeguards frame

The Safeguards Rule requires covered “financial institutions” to “develop, implement, and maintain” a written information security program proportionate to the firm’s size, activities, and data sensitivity. A CPA or tax-preparation firm can be considered a financial institution when it provides tax services to individuals for personal or household purposes.

You’re the designated individual. But are you qualified?

Required ISP elements include designating a qualified individual, conducting a written risk assessment, implementing MFA and encryption, selecting and monitoring service providers, testing and monitoring the program, training staff, and maintaining a written incident response plan.

MSP takeaway: these controls map directly to the services you deliver. The Safeguards Rule also expects service-provider oversight, which puts your stack, contracts, and reporting under the microscope.

Why lawsuits still matter (and how your documentation wins cases)

Every lawsuit begins with a Complaint. Plaintiffs will argue you failed to meet industry-standard security or an implied contract to safeguard data. Courts look for evidence you ran a reasonable program.

MSP playbook: turn requirements into a defensible operation

  • Name the Qualified Individual (RACI + board-level reporting).
  • Risk assessment + data inventory (written, updated).
  • MFA + encryption everywhere NPPI lives.
  • Service-provider oversight (security clauses, monitoring, SOC 2 where appropriate).
  • IR plan with comms templates pre-cleared by counsel.
  • Policy rollout with attestations—“If it’s not documented, it didn’t happen.”

Frameworks (SOC 2, NIST, ISO 27001, CMMC) overlap, but details differ. Build a compliance-grade security program with proof—controls, logs, attestations, and third-party assessments—so you’re ready for both regulators and courts.

Bottom line for MSPs: Compliance isn’t just “check the box”—it’s your evidence strategy. That’s how you lower clients’ cyber liability and your own.