FAQ

Yes, you sure can. But why go it alone? It is seriously time consuming for you to both understand and implement all the requirements. In addition, the cost for the individual solutions you need will easily amount to more than our monthly pricing. Take advantage of the bundled pricing and “done for you experience” we offer to make the whole process as easy and affordable as possible.

In full disclosure, it is highly unlikely that FTC inspectors are going to break down the door of your CPA firm to examine your systems, policies and documentation – but that all changes the moment a breach occurs. Imagine for a moment the stress of dealing with ransomware, your systems being locked down and your clients’ data being posted and sold on the dark web. To make a horrible situation even worse, that’s when the FTC inspectors show up and put your business under a microscope. Let’s make sure the incident never happens in the first place. That’s why our Level One services are so important.

Level One is a bundle of technology and security tools that are your primary defense against cyber threats. It covers your endpoints (computers) and Office 365 / G-Suite. These tools include response – not just alerting. That’s important, since most tools only alert when there is an issue. It is great to hear a smoke alarm (alerting), but it is even better to know the fire department has already been dispatched (response). Other important features included with Level One are staff security awareness training, phishing tests and policy management tools. This ensures everyone is on board with a security mindset and is being scored on their engagement. Level One is your CPA firm’s first step toward being FTC compliant.

Level One is designed to be as hands-off as possible. We send you a download link to the installer. Just click to run the installer. Done! We manage all the tools and controls on the back end, so you don’t have to. No configuration. No renewals. No complicated portals. Most clients are fully onboarded in one day. Your biggest task is to encourage your staff to participate in the security awareness training, so they are accurately scored. The entire service is designed to be simple and transparent.

Level Two builds on top of Level One by providing the private coaching, customized policies and risk assessments needed for full compliance. Think of Level Two as the administrative and documentation side of compliance. This is where you prove you are doing everything the FTC demands. It also includes some active requirements such as regular penetration testing, vulnerability testing, asset reporting, vendor management and more. Level Two subscribers receive their own private portal for managing and maintaining all this information. An initial consultation is performed to determine the size and scope of your company’s particular needs so we can price implementation properly. Obviously, a 5-person firm has a different scope than a 50-person firm.

We do not lock anyone into a contract. Billing is month to month. If for any reason you are dissatisfied, you may cancel services and will not be billed for that month. Our philosophy is that if we provide quality services at a fair price then contracts are not necessary.

There is no contract for Level Two, but it is billed annually instead of monthly. Level Two is a time- and tool-intensive commitment for all parties. We have to arrange for scheduled penetration testing, vulnerability scanning, asset data collection and monthly updates to keep everything as up to date as possible. These premium commitment services and the extensive setup on our part require a different payment method than Level One.

Yes. Level One is a great way to start the journey toward full compliance. Some companies choose to stay on Level One since it helps them reduce the risk of an incident. By reducing the risk, you may never have an incident and therefore never show up on the FTC radar for an audit. Let’s be clear, though – Level One is not compliance. It is a comprehensive set of security tools, policies, management tools, and staff training/testing that covers the best practices for compliance. Full compliance requires complete documentation, penetration testing and more. Those components are offered as Level Two services.

Technically yes, but that is not a good way to think about this. The FTC is wary of businesses being careless with their security and allowing consumer information to be compromised. Instead of thinking of ways to avoid compliance, think instead of ways you can safeguard your clients’ data, so you are not just another incident waiting to happen. If a breach happens, your clients will not care about whether you are above or below that 5,000 number. The ComplyCPA Level One services are designed to give you an affordable set of security best practices that show you did your due diligence and take security seriously.

No. The FTC rules require that consumer data be protected from the entry point all the way to the cloud provider. That includes staff working from home as well. It is the firm’s responsibility to meet compliance internally and to verify that the cloud providers you use are also compliant.

ComTech is a managed service provider to businesses, local government and non-profit organizations. Since 1990, we have been developing business and security solutions for our clients. Our experience with thousands of clients gives us unique insight into regulated industries such as financial, medical and local government. Our dedicated team is committed to providing exceptional customer service and solutions our clients can understand, easily implement, and afford.

Don't Go It Alone
Get One-On-One Answers To Your Questions

Get your CPA firm FTC compliant today

Knowing The Requirements Can Be A Chore

Let ComplyCPA do the heavy lifting for you.