Skip to content

FTC Safeguards Rule Penalties: The Verified Figure and Where the Other Numbers Come From

Checked against the primary record: July 17, 2026Penalty amounts last adjusted: January 17, 2025 (90 FR 5581)

Dolev Arama, Founder/Last updated July 18, 2026/Every figure primary-sourced

The short answer

The current maximum FTC civil penalty is $53,088 per violation, set by 16 CFR 1.98 and unchanged since January 17, 2025. There was no 2026 increase: the government shutdown cancelled the annual inflation adjustment. And how that number can actually reach a tax practice is narrower than the marketing suggests. Here is the full chain.

This page verifies the civil penalties tied to the FTC Safeguards Rule and the tax code's preparer-disclosure statutes, every figure from its primary record. It is general information, not legal advice for your specific situation. For that, consult a qualified professional.

How much is the FTC Safeguards Rule penalty per violation?

The number that governs is $53,088 per violation, and it lives in one place: 16 CFR 1.98, the FTC's table of inflation-adjusted civil penalty amounts. The current entries took effect on January 17, 2025, when a Federal Register notice raised the maximum from $51,744. Everywhere else you see a Safeguards penalty number, including on FTC web pages, you are looking at a snapshot that can go stale. The regulation is the record.

Primary record

16 CFR § 1.98 · Adjustment of civil monetary penalty amounts

This section makes inflation adjustments in the dollar amounts of civil monetary penalties provided by law within the Commission's jurisdiction. The following maximum civil penalty amounts apply only to penalties assessed after January 17, 2025, including those penalties whose associated violation predated January 17, 2025. ... Section 5(l) of the FTC Act, 15 U.S.C. 45(l): $53,088; Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. 45(m)(1)(A): $53,088; Section 5(m)(1)(B) of the FTC Act, 15 U.S.C. 45(m)(1)(B): $53,088.
Prepared by Safeguards Monitor from 16 CFR 1.98 (eCFR), current as of July 2026. The regulation separates each entry from its amount with a dash; those render here as colons, with wording and amounts unchanged.
90 FR 5581, Jan. 17, 2025 · Verified July 17, 2026

Three entries carry the same maximum because they are three different legal routes to a penalty. Section 5(l) of the FTC Act covers violations of a final Commission order. Section 5(m)(1)(A) covers knowing violations of certain FTC trade-regulation rules. And section 5(m)(1)(B) covers conduct the Commission has already condemned in a litigated decision, after written notice. Which of those routes can actually reach a Safeguards Rule case is the part the field skips. It is the heart of the enforcement section below.

Why didn't the penalty increase in 2026?

A federal statute, the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, directs agencies to adjust these maximums for inflation every January, keyed to the October Consumer Price Index reading from the year before. In January 2026 that was impossible. The Bureau of Labor Statistics never published the October 2025 CPI-U because of the government shutdown, and the statute allows no substitute calculation.

So on April 17, 2026, the Office of Management and Budget cancelled the 2026 adjustment across the government: memo M-26-11 directs agencies to keep using their 2025 penalty levels. Other agencies have published Federal Register notices saying exactly that, the Department of Labor among them. One caveat, stated because precision is the point of this page: we have not located an FTC-specific notice adopting the cancellation. As of July 17, 2026, the newest adjustment notice in the FTC's own Federal Register listing is still the January 2025 one. The conclusion that FTC amounts stayed at $53,088 rests on the current text of 16 CFR 1.98 plus the government-wide directive: strong evidence, one step short of a direct FTC statement.

The next window is January 2027. If BLS publishes the October 2026 CPI-U on schedule, the maximum should adjust then, and any page quoting $53,088 without a date will quietly become wrong. We re-pull the primaries each January and stamp this page with what we find.

Which figures circulating in the field are wrong?

Search this topic and you can meet at least seven different numbers presented as the current penalty. Most trace to a real figure from the wrong year, the wrong statute, or the wrong unit. The table maps each circulating figure to its origin, with the primary record beside it.

Circulating Safeguards penalty figures, mapped to the record
Figure you may seeWhat it actually isWhat the primary record says
$53,088 per violationThe current maximum, in effect since January 17, 2025Correct. 16 CFR 1.98, verified July 17, 2026.
$50,120 per violationThe 2023 amount, superseded in January 2024Stale by two adjustment cycles. It still appeared on the FTC's own Penalty Offenses page when we checked on July 17, 2026; only the 16 CFR 1.98 entry is operative.
$51,744 per violationThe 2024 amount, superseded January 17, 2025Stale. The FTC's February 2025 release states the increase from $51,744 to $53,088, effective January 17, 2025.
$46,517 per violationThe 2022 amountStale since January 2023, per the FTC's own 2022 release, and it was never a day rate.
$11,000, $43,000, or $46,000 "per day"Out-of-date per-violation amounts recast as day ratesNo FTC provision sets a Safeguards day rate. The real per-day exposure is the continuing-violation mechanism explained below, at the current $53,088 maximum.
$100,000 or $250,000 per violationNo FTC civil-penalty provision matches either figureThe one real six-figure number nearby is the criminal fine cap of 26 U.S.C. 7216 for identity-theft cases, up to $100,000. That is a criminal tax statute, not an FTC Safeguards amount.
$10,000 per violationThe unadjusted figure printed in the FTC Act itself15 U.S.C. 45 still says $10,000; the Inflation Adjustment Act moved the operative maximum into 16 CFR 1.98.
$54,540 per violationA previewed 2026 adjustment that never happenedPreviews of an expected 2026 increase circulated, and the figure still surfaces presented as current. OMB cancelled the 2026 adjustment (memo M-26-11), so no 2026 figure exists.
$530 "per return"A stale amount from an unrelated penalty family$530 was the per-failure amount of the preparer due-diligence penalty, 26 U.S.C. 6695(g), for returns filed in 2020 (Rev. Proc. 2018-57); for returns filed in 2025 it is $635 (IRS). Section 6695 has no data-security penalty at any amount.
Prepared by Safeguards Monitor from 16 CFR 1.98, the FTC's annual adjustment releases for 2022 through 2025, OMB memo M-26-11, Rev. Proc. 2018-57, and the IRS tax-preparer-penalties schedule, all pulled July 17, 2026.

The second row deserves its own sentence, because it is the sharpest lesson in the table. When we checked on July 17, 2026, the FTC's Penalty Offenses page still displayed $50,120, two adjustment cycles after that figure lapsed. Nothing nefarious: large sites carry stale snapshots. But it means even an ftc.gov page can show you a superseded number, which is why this page cites the regulation rather than the brochure layer, and stamps every figure with the date we checked it.

Is there really a per-day penalty?

Sort of, and the field garbles it. There is no special day rate. What exists is a continuing-violation rule: when a violation is ongoing, each day can count as a separate violation, and each carries the same maximum. For orders, section 5(l) of the FTC Act provides that in a case of continuing failure to obey a final order, "each day of continuance of such failure or neglect shall be deemed a separate offense." A parallel provision, section 5(m)(1)(C), does the same for continuing rule violations.

So "up to $53,088 per day" is true only of a continuing violation inside those channels, and it is a multiplier on the same per-violation maximum, not a distinct rate. The day-rate figures in the table above are stale per-violation amounts with "per day" bolted on.

What penalties apply specifically to tax preparers?

Beyond the FTC Act, two tax-code sections aim directly at preparers who disclose or use client information improperly. Both predate the WISP marketing wave, and both are more concrete than most of it.

The civil one is 26 U.S.C. 6713: $250 for each unauthorized disclosure or use of tax return information, capped at $10,000 per calendar year. Congress added an identity-theft tier in 2019: where the disclosure or use connects to a crime of taxpayer-identity misappropriation, the penalty rises to $1,000 per disclosure or use, under a separate $50,000 annual cap.

The criminal one is 26 U.S.C. 7216: knowing or reckless disclosure or use of return information is a misdemeanor, punishable by a fine of up to $1,000, or up to $100,000 where the identity-theft tier applies, imprisonment of up to a year, and the costs of prosecution. The IRS keeps a plain-language hub for both sections at its Section 7216 Information Center.

Criminal exposure is a different world from a civil maximum. If any question under section 7216 is live in your practice, even hypothetically, put it in front of a tax attorney before you act on anything you read online, this page included.

One more correction, because it circulates: section 6695 is the preparer-conduct penalty family (think unsigned returns or due-diligence failures). Its current amounts are $60 per failure for most items and $635 for check negotiation and due-diligence failures, with a $31,500 annual cap on the $60 items, per the IRS's 2025 schedule. It contains no data-security penalty. The "$530 per return" figure sometimes waved at WISP audiences is that family's due-diligence amount for returns filed in 2020, nothing more.

State law stacks on top of all of this. Massachusetts enforces its 201 CMR 17.00 written-plan mandate through the state Attorney General, and New York's SHIELD Act carries its own civil exposure; we cover each duty on its own page as those publish. And if you are here because something already happened, penalties are the wrong page to be reading: the reporting duties and their clocks come first; see our data-breach reporting runbook.

Has the FTC actually fined a tax preparer under the Safeguards Rule?

We can find no such fine, and the reason is structural rather than luck. This is the mechanics story the field never tells, so it is worth three paragraphs of precision.

The Safeguards Rule was issued under the Gramm-Leach-Bliley Act; the authority line on the rule itself cites 15 U.S.C. 6801(b) and 6805(b)(2) (eCFR, Part 314). That matters because the FTC Act's first-violation penalty provision, section 5(m)(1)(A), reaches only knowing violations of trade-regulation rules issued under a different section, 15 U.S.C. 57a. The Safeguards Rule is not one of those rules. The FTC's own report to Congress says the general rule plainly: "The FTC generally cannot seek civil penalties for initial violations of the FTC Act" (FTC report P065404, June 2020), and its list of the statutes that do carry first-violation penalties, COPPA and the Fair Credit Reporting Act among them, does not include the GLBA safeguards provisions.

So a first Safeguards violation, by itself, does not produce a $53,088 bill. The penalty attaches downstream, through two channels. Channel one: the Commission brings a case, obtains an order, and the order is later violated; section 5(l) then puts every violation, and every day of a continuing one, at up to $53,088. Channel two: the notice mechanism of section 5(m)(1)(B), where the FTC formally warns a company that specific conduct was already condemned in a litigated Commission decision (the statute excludes consent orders as the basis), which makes later knowing violations penalty-eligible. Both channels are real. Neither is a first-strike fine for a missing plan.

At a glance

In the Matter of TaxSlayer (FTC File No. 162-3063), the closest record

Who
TaxSlayer, a Georgia-based online tax preparation service. A software service, not a preparer practice.
When
Settlement announced August 29, 2017; final order November 8, 2017 (Docket C-4626).
What the FTC alleged
Violations of the GLBA Privacy Rule and Safeguards Rule after attackers used stolen credentials to reach about 9,000 user accounts in late 2015 and file fraudulent returns; per the complaint, the company lacked a written comprehensive security program until November 2015.
Outcome
A consent order: 20 years under the two rules' obligations, with independent compliance assessments every two years for 10 years. The announced settlement carries no monetary penalty.
Where money could enter
Only through a later violation of that order, via section 5(l), at the maximum in force at that time.
Prepared by Safeguards Monitor from the FTC press release of August 29, 2017 and the case record, checked July 17, 2026.

The 2023 warning to the tax-prep industry was the notice mechanism in action, and it is routinely misdescribed. On September 18, 2023, the FTC sent a Notice of Penalty Offenses to five large tax preparation companies: H&R Block, Intuit, TaxAct, TaxSlayer, and The Lampo Group (Ramsey Solutions), per the FTC's recipients list. Its subject was the use of confidential tax data for advertising without consent. It does not mention the Safeguards Rule or a written security plan at all, so citing it as WISP enforcement is a category error. The release also quoted the penalty ceiling of its day, $50,120: one more dated snapshot, now two cycles old.

And against tax-preparer practices, the firms this site is written for, the record is quiet. We can find no public FTC enforcement action under the Safeguards Rule against a tax-preparer practice; we checked the FTC's public case listings and its Safeguards Rule library page on July 17, 2026. The closest record remains the 2017 TaxSlayer order above, an online service. None of that erases the exposure on the books, and a reportable breach still runs on the FTC's 30-day clock under 16 CFR 314.4(j) either way. But the lever with a documented recent record against practices belongs to the IRS, which can suspend or expel an e-file provider at its own discretion. For a firm built on e-filing, that is the consequence with case law behind it.

How to check the current figure yourself

Four steps, all free. This is the routine we run before anything on this page ships, and it works without trusting us or anyone else.

  1. Open 16 CFR 1.98. The live eCFR text of the entries for section 5(l) and section 5(m)(1) of the FTC Act is the operative maximum. Whatever the regulation says beats every secondary page, including the FTC's own summaries, and including this one.
  2. Cross-check the newest adjustment notice. Each change arrives by Federal Register notice; the current entries trace to the January 17, 2025 notice and its matching FTC press release.
  3. Confirm whether this January brought an adjustment. The statute runs on an annual January cycle. The 2026 cycle was cancelled government-wide by OMB memo M-26-11; if a newer January notice exists, the eCFR text follows it.
  4. Read the as-of date on any secondary source, this page included. A Safeguards penalty figure with no date attached is a warning sign by itself. Ours was last verified on July 17, 2026, and the method behind it is public.

FAQ

Is the $100,000 per violation figure right?

No. No FTC civil-penalty provision sets $100,000, or $250,000, for Safeguards Rule violations; the operative maximum is $53,088 per violation under 16 CFR 1.98, verified July 17, 2026. The real six-figure number in the neighborhood is the criminal fine cap of 26 U.S.C. 7216, up to $100,000 for identity-theft-related disclosure, which is a tax statute with no connection to the FTC's amounts.

Will the penalty change in January 2027?

It can. The Inflation Adjustment Act calls for an adjustment every January, and the cancelled 2026 cycle did not repeal that duty. If the October 2026 CPI-U publishes on schedule, a new maximum should follow in January 2027. We re-verify the primaries each January and update this page with a dated note either way.

Does the under-5,000 exemption lower penalty exposure?

No. The exemption in 16 CFR 314.6, explained in full on our exemptions page, removes four program duties for firms holding customer information on fewer than 5,000 consumers. It does not change what a violation can cost. Duties and exposure are separate dials, and the exemption only turns the first one.

Can I lose my PTIN for not having a WISP?

We can find no case of a PTIN being revoked over a missing written plan; we searched public IRS materials and case coverage on July 17, 2026 and found none. Line 11 of the PTIN renewal form is an awareness attestation, not a compliance certification. The lever with a documented record is different: the IRS can suspend or expel an e-file provider over security failures at its own discretion, and that risk runs through your firm's EFIN rather than your PTIN.

Has the FTC ever fined a tax business under the Safeguards Rule?

We can find no fine. The one public Safeguards settlement with a tax business is the FTC's 2017 TaxSlayer consent order, which imposes conduct obligations and no monetary penalty. First violations of the rule sit outside the FTC's direct civil-penalty authority, so any fine would have to arrive through an order violation or the notice mechanism. We last checked the FTC's public listings on July 17, 2026.

Where can I check the current figure myself?

Start at 16 CFR 1.98 on eCFR: the live regulation is the only operative source for the FTC maximums. The four-step routine above walks the full chain, from the regulation to the newest Federal Register notice to the annual January cycle.

The bottom line

One number is operative today: $53,088 per violation, at 16 CFR 1.98, unchanged through 2026 because the adjustment cycle skipped a year. It reaches a tax practice through narrow channels, order violations above all, and the public record of it landing on a preparer practice is, as of our last check, empty. That is not a reason to relax. It is the honest shape of the risk, and the duty that stands regardless is the written plan. By site policy, penalty figures live on this page only; every other page links here. Every figure above carries its source and its date, and the next scheduled re-check is January 2027.