FTC Safeguard Rules: Car Dealerships and Customer Information

What you need to know to be compliant

Another day. Another data breach. More than 4,100 publicly disclosed data breaches occurred in 2021 with approximately 22 billion records being exposed. When the final numbers come in for 2022, it is expected to match or exceed that amount by as much as 5%. Government and regulatory agencies are taking a closer look at how businesses protect personally identifiable information.

In 2022, The Federal Trade Commission announced an updated rule that strengthened the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information. The FTC’s updated Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, vehicle dealerships, and payday lenders to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe. The rule was effective January 10, 2022, and compliance was required by December 9, 2022.

The Final Rule of the Safeguards Rule provides financial institutions the flexibility to design an information security program appropriate to the size and complexity of the organization, the scope of activities, and the sensitivity of customer information. But it also adds requirements designed to improve the accountability of a financial institution’s information security program.

What does this mean for U.S. car dealerships?

One of the largest industries impacted is auto dealerships. Any auto dealership that handles sensitive customer financial information will be required to comply with the newly updated FTC Safeguard Rules.

Here is a breakdown of what these additional security safeguards will require for auto dealerships:

• Dedicating a Qualified Individual. U.S. Auto Dealerships will need to dedicate a qualified individual to develop, oversee, monitor, and enforce the dealership’s information security program. This person can be an external firm or internal staff who is either already capable or can be trained appropriately to perform this role.
• Reporting by Qualified Individual. This person must report in writing, at least annually, to the dealership’s board of directors or governing body. The reporting must include the status of the dealership’s internet security program, compliance with the FTC Safeguard Rules, events related to information systems security, and implementation of the dealership’s entire information security program.

The qualified individual will need to either outsource or oversee the following Safeguard Rule requirements:

• IT Risk Assessments. They must identify reasonably foreseeable internal and external risks to security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or compromise of customer information. The qualified individual must then design and implement a program to control the risks. Adjustments must be made based on the results of testing and monitoring.
• Annual Network Security Assessment. The qualified individual must test to detect actual or attempted intrusions into the information systems along with vulnerability scans every six months. Dealerships are allowed to opt out of the annual network security assessment if they utilize continuous monitoring through Managed Detection and Response (MDR) or a Security Operations Center (SOC) where continuous systems security monitoring is performed 24/7/365 in real time.
• End-User Security Assessments. All employees are required to properly carry out the information security program with security training and testing of end users along with additional training for employees who fail assessments.
• Vendor and Third-Party Safeguards. Dealerships must ensure all vendors or third parties who have access to customer information also maintain safeguards in line with the dealership’s information security policy. They also must maintain a formal incident response policy that is tested on an annual basis through a tabletop exercise.

What if your dealership doesn’t have a qualified individual?

Identifying a qualified individual is a requirement, and the role carries a lot of responsibility under the new FTC Safeguards. They should be overseeing and formally documenting customer information safeguards throughout the year and reporting them annually. If this feels like more than your team is equipped to handle, the team at Locknet® Managed IT, an EO Johnson Company, can help. Our IT and cybersecurity experts can provide remote monitoring, managed detection, and response, security awareness training, vulnerability assessments, and assist with tabletop exercises. With FTC Safeguard requirements starting in December of 2022, now is the time to reach out for assistance and ensure you are complying in 2023.