Origin of the FTC Safeguards Rule
The origins of the FTC Safeguards Rule can be traced back to the Gramm-Leach-Bliley Act (GLBA) of 1999, which required financial institutions to document how they handled confidential customer data. Building on this, the Safeguards Rule was established in 2003 to set out further data security guidelines that financial institutions must follow to protect their customers’ sensitive data.
Why This Applies to Automotive Dealerships
The newly expanded FTC Safeguards Rule now covers financial institutions as well as non-financial institutions that handle customer data. For automotive dealerships, this means they fall under the obligations of the Safeguards Rule because they handle customers’ sensitive personal and financial information. Under these revisions, the Safeguards Rule applies to all Personally Identifiable Financial Information (PIFI) shared with dealerships. PIFI is defined as any information:
(i) A consumer provides to you to obtain a financial product or service from you;
(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.
As stated by the FTC, all organizations that qualify as financial institutions or as covered non-financial institutions must show they have “…measures to keep customer information secure. In addition to developing their safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.”
It’s also important to note that these revisions cover all customer information in the dealership’s possession: not only the personal information of customers you have a direct relationship with, but also the information of customers of other financial institutions that have shared it with you.
Changes for Auto Dealerships
In 2021 the FTC revised the Safeguards Rule to bring it up to date with changes in technology and the current threat landscape. Organizations obligated to comply must have these revisions in place by December 9th, 2022. Listed below are the eight requirements from the “Elements” section of the Rule that all automotive dealerships will need to put into place.
Establish a Designated Qualified Individual
Establish a designated Qualified Individual to oversee and enforce the dealership’s information security program. The Qualified Individual may be an employee of the dealership or of a third-party vendor.
Conduct Regular Risk Assessments
Conduct regular risk assessments that examine the internal and external risks to customer information security, confidentiality, and integrity. Risk assessments must be documented and describe how each risk is addressed in the information security program.
Implement Safeguards to Control Identified Risks
Implement safeguards to control the risks identified through the risk assessments. Safeguards include access control, multi-factor authentication, data encryption, inventory management of systems, regulated data disposal, change management procedures, and monitoring of user activities. A system providing 24/7 monitoring would cover these on an ongoing basis; if no such system is in place, bi-annual vulnerability assessments are required.
Prepare Annual Reports to the Board or Other Governing Body
The dealership’s Qualified Individual must report in writing, at least annually, on the status of the information security program and on compliance with the revised FTC Safeguards Rule. Reports need to include documentation of the risk assessments performed, the risk management controls in place, penetration test results, contracts with service providers that handle any customer information, security events and their remediation steps, and changes made to the information security program during the year.
Testing the Effectiveness of Security Controls
Regularly monitor and test the effectiveness of the security controls put in place to detect attack attempts against systems that store customer PIFI.
Train Employees on Policies and Procedures
Train employees on the policies and procedures that enable them to carry out your information security program. Begin by training employees on the security risks and on how the policies and procedures work to mitigate those risks.
Oversee and Monitor Third-Party Service Providers
Oversee and monitor third-party vendors to ensure they are taking appropriate steps to protect customer information and are capable of maintaining the required safeguards for the customer information they handle.
Establish an Incident Response Plan (IRP)
Establish an IRP that includes the following:
- The goals of the incident response plan
- The internal processes for responding to a security event
- The definition of clear roles, responsibilities, and levels of decision-making authority
- External and internal communications and information sharing
- Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls
- Documentation and reporting regarding security events and related incident response activities
- The evaluation and revision as necessary of the incident response plan following a security event
How You Can Implement These Changes
These updates need to be implemented by December 9th, 2022, which means those who have yet to make a plan are running out of time. We know this may feel like a daunting task. That’s why we’re here to help. If you’re struggling to figure out how to become compliant with these new regulations before the December 9th deadline, we’ve got you covered.
AgileBlue can offer you 24/7 monitoring and protection across your entire digital infrastructure, including cloud, endpoints, and network, to keep your customer information safe and ensure you comply with the FTC’s new standards for automotive dealerships.
To learn more about how we can help, fill out the form below, and a team member will reach out to you promptly to discuss how we can help.