What Is a Qualified Individual Under FTC Safeguards (Plain English)

The FTC requires every covered firm to designate a qualified individual. Here is what the role actually means, who can fill it, and the liability implications.

June 2, 2026

The FTC Safeguards Rule requires every covered firm to designate a qualified individual to oversee the security program. The rule does not define what "qualified" means with any precision. That ambiguity has created confusion, especially for small firms where the answer is usually the owner.

This is the plain-English version. Who qualifies, how to designate one, and the personal liability question every firm owner should think through before signing the WISP.

What the rule actually says

16 CFR 314.4(a) reads: "Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program."

The FTC has clarified through guidance and enforcement actions that the qualified individual:

  • Can be an employee of the firm
  • Can be an affiliate or member of a corporate group
  • Can be a third-party service provider
  • Can work part-time on the role
  • Does not need a specific certification

What the FTC has not said is that the role is optional, transferable mid-incident, or assignable to "the team." It must be one named individual.

Who qualifies

In practice, three patterns work for small tax firms.

Pattern 1: The owner. Most common at firms under 5 people. The owner names themselves in the WISP. They are responsible for the program even if they outsource the technical work to a managed provider.

Pattern 2: A senior staff member with security responsibility. Common at firms with 5 to 20 people. The role is part of their job description, formalized in writing.

Pattern 3: A managed security provider. Common at firms that have outsourced cybersecurity to a managed services provider or MSSP. The provider's contract names a specific person at their company as the qualified individual for your firm.

All three patterns are defensible. Mixing them or leaving the role implicit is not.

The liability question

The qualified individual is the person the FTC will name in an enforcement action. They are also the person the firm's insurance carrier will scrutinize during a claim.

For patterns 1 and 2 (in-house designation), this means the owner or staff member has personal exposure if the program failed. The exposure is not unlimited (corporate veil rules still apply for legitimate businesses), but enforcement actions can include named individuals.

For pattern 3 (outsourced), the liability shifts to the provider under the contract terms. This is the principal reason most managed-security relationships at small firms end up structured this way: the owner does not want to be the named qualified individual personally.

Read your contract carefully. If it does not explicitly name a qualified individual at the provider, you are still on the hook even though you pay them.

What the qualified individual actually does

The role has four core duties.

  1. Overseeing the security program. This means reviewing the WISP, the controls, and the artifacts on a recurring basis.
  2. Implementing the program. Either doing it themselves or directing the people who do.
  3. Enforcing the program. Holding the firm accountable to the controls written in the WISP.
  4. Reporting annually to leadership. For a sole proprietor this is a documented self-review; for a partnership it is a partner meeting; for an LLC with members it is a member meeting.

All four duties produce documentation. If the qualified individual cannot point to dated artifacts for each duty over the past 12 months, the role is unfilled regardless of who is named.

How to designate them

The designation must be in writing. The standard place is the front of the WISP.

"The qualified individual responsible for overseeing, implementing, and enforcing this information security program is [Name], [Title], [Email], [Phone]. This designation is effective as of [Date] and remains in effect until updated by [Authority, typically the firm owner]."

If the role is outsourced, add: "The qualified individual is contracted through [Provider Name] under the agreement dated [Date]. Provider responsibilities are detailed in [Reference to contract]."

When to update the designation

Three triggers require an update.

  • The named individual leaves the firm or the provider.
  • The firm changes managed security providers.
  • The annual review identifies a need for different qualifications.

Update the designation in writing, with a date. Save the prior version with the change date for the audit trail.

The five-second self-check

Open your WISP. Find the qualified individual designation. Can you identify the person, the date of the designation, and what they have actually done in the last 12 months in writing? If yes, the designation works. If no, the designation is theoretical, which is the same as not having one.
