Skip to content

Methodology

How we verify

Last reviewed July 10, 2026

Every regulatory claim on Safeguards Monitor is traced to a primary source (a regulation, an IRS publication, the Federal Register, a court record, or a state statute) and carries the date we last checked it. Our rule for penalty figures is one figure, on one page, straight from the regulation, and when the record is silent or a rule has not settled, we say so. This page explains exactly how that works.

What Safeguards Monitor is

Safeguards Monitor is an independent publication about the security obligations of US tax firms: the Written Information Security Plan (WISP) requirement, the FTC Safeguards Rule (16 CFR Part 314), and the IRS guidance around them. It is a publication and a record, not a vendor. We do not sell security software or write plans for hire, and that is what lets us describe the rules without an angle.

Who writes it

One person: Dolev Arama, the founder. He is not an attorney or a CPA, and the site never claims otherwise. Its authority comes from method, not credentials: every regulatory statement is linked to the regulator that made it, so you can check the work instead of taking our word. For your specific situation, consult a qualified professional; this site exists to make that conversation shorter and sharper. The full bio is on the About page.

Where our facts come from

We rank sources, and the top tier is the only one we will use for a rule, a penalty, or an enforcement claim.

  • Primary and regulatory, the only tier for legal claims: the eCFR, FTC.gov, IRS publications and irs.gov, the Federal Register, state government sites and statutes, and court records.
  • Peer-reviewed and academic work, where it is relevant.
  • Established industry reports (the Verizon DBIR, IBM's cost-of-a-breach study, and the like), for context on attack trends only, and labeled as such.
  • Major-outlet reporting, to point to a breach, never to establish a legal requirement.
  • Vendor research, used cautiously, never as the only source, and often as an example of a figure worth double-checking.
  • Blogs and opinion, for perspective, never for facts.

For the rules this site is about, that top tier is concrete. The FTC Safeguards Rule is codified at 16 CFR Part 314, and the FTC pairs it with a plain-language small-entity compliance guide. The IRS writes for tax firms directly in Publication 4557, Safeguarding Taxpayer Data, and Publication 5708, its written-plan template. Those are the documents behind most of what we publish, and every one is a click away.

A rule or a number never comes from a blog, a competitor's page, or memory.

How we check a claim before it runs

Before a regulatory claim goes on a page, we open the current official text and confirm the claim against it, not last year's version and not someone else's summary. Rules get amended; a citation that was accurate in 2024 can be wrong today.

Penalty figures get the strictest handling. Search the field and you will find at least seven different numbers for what a Safeguards violation "costs": some years out of date, some simply invented. Our rule: a penalty figure appears on exactly one page, taken straight from the regulation, with the citation in view. Any other page that mentions penalties links there rather than repeating the number, so there is exactly one figure to keep current.

Going to the record ourselves

Most of what we publish comes from records a regulator has already made public. But some public records exist without being posted: the FTC collects data-breach reports from financial institutions, and Massachusetts records whether a breached firm had a written security plan, and neither is published openly. Our standard is to request those records directly, through public-records and Freedom of Information requests, rather than repeat a number secondhand or borrow one scaled for large companies. We have not published any such findings yet. When we do, each figure will show the record it came from and the date we obtained it. Until then, every figure on this site rests on the named cases and primary regulatory sources above.

When the rules are not settled

Not every rule is final, and we do not write as if it were. When a change is proposed but not yet in effect, we say so plainly and tell you what the current law still requires. Federal civil-penalty amounts, for instance, are adjusted on a yearly cycle, and the field is full of figures that quietly assume an adjustment a given year did not make. That is one more reason every figure here is dated and re-checked against the current official text before it publishes. A pending change is named as pending, never as law.

Keeping it current

Every article shows when it was published and when it was last updated, and every figure carries the date we last confirmed it. Behind those dates is a fixed re-verification routine:

  • Penalty and rule figures are re-pulled from the eCFR before any page that carries a figure is published or updated.
  • The sources behind our breach and enforcement data are re-checked on a quarterly schedule.
  • Before we write a new batch of articles, we re-open the primary sources for that topic rather than trust an earlier read.

A figure that cannot be re-confirmed comes down or gets a dated note. It does not sit on the page hoping no one checks.

What we will not do

  • State a penalty or a rule from memory, or cite a regulation we have not opened.
  • Inflate a risk to move you: no invented fines, no "the FTC will fine you tomorrow" when the enforcement record shows otherwise.
  • Claim a credential we do not hold, or invent a quote or a testimonial.
  • Call a task trivial when it is not, or imply that a template or a checklist makes your firm compliant on its own.
  • Name a partner we do not have, or let a commercial relationship change a figure.

Correcting mistakes

We will get something wrong eventually: a source will move, a rule will change, a number will slip through. When it happens, tell us at hello@safeguardsmonitor.com. We correct in the open: the page gets a dated correction note, not a silent edit, so anyone who read the old version can see what changed and when. Corrections are genuinely welcome; a reader who catches an error makes the site better for the next one.

Everything here is educational information for tax and accounting professionals, not legal, regulatory, or financial advice for your situation. Before you act on it, confirm the requirement with the regulator or a qualified professional.