Unpacking The FTC's Cybersecurity Safeguards For Car Dealers: Getting Compliant


The world of cybersecurity is a rapidly evolving landscape. With technology becoming an essential part of business operations and customer interactions, the need for robust data protection measures has never been greater. Recognizing this, the Federal Trade Commission (FTC) has revised its Safeguards Rule, extending its application to automotive dealerships. This article delves into the details of the rule, its requirements, and the steps dealerships need to take to ensure compliance by the June 9th, 2023 deadline.

The FTC's Safeguards Rule: An Overview

The FTC's Safeguards Rule was originally developed to ensure that financial institutions, like mortgage brokers and finance companies, maintain safeguards to protect the security of customer information. However, given the evolving landscape of security threats, the rule was amended in 2021 to expand its coverage. It now applies to "finders," which includes auto dealerships holding over 5,000 customer records【8†source】.

The Key Requirements of the Safeguards Rule

The FTC has outlined several requirements that businesses need to fulfill to comply with the Safeguards Rule:

  1. Assign a qualified individual to oversee, implement, and enforce your Information Security Program.
  2. Perform risk assessments on your information security practices and existing safeguards.
  3. Put in place mandatory safeguards to control risks, which include practices such as access controls, systems inventory, encryption, secure development, multi-factor authentication (MFA), disposal procedures, change management procedures, and monitoring and logging of authorized user activity.
  4. Regularly test or audit the effectiveness of your safeguards, controls, systems, and procedures.
  5. Establish policies and procedures to enable personnel to execute your Information Security Program.
  6. Oversee service providers to ensure they adhere to your security policies.
  7. Create your Incident Response Plan to prepare for potential cybersecurity incidents.
  8. Present an annual report to the board or equivalent, detailing your cybersecurity initiatives and any incidents that may have occurred during the year【11†source】.

These requirements aim to ensure that businesses are proactive in their approach to cybersecurity, taking preventative measures to safeguard customer information and respond effectively in the event of a security breach.

The Impact of Non-compliance

Non-compliance with the Safeguards Rule can have far-reaching consequences. Besides the legal implications, which can include FTC audits and fines, businesses may also face a loss of customer trust, damage to their reputation, and financial losses from cybersecurity incidents. In addition, cybersecurity insurance providers may deny coverage for incidents if the business is found to be non-compliant with the Safeguards Rule【12†source】.

Taking Steps Towards Compliance

Compliance with the Safeguards Rule requires businesses to take a structured, step-by-step approach:

  1. Start with a network assessment: This is a comprehensive evaluation of your current security posture, including testing your existing security measures and other key provisions in the Safeguards Rule.
  2. Develop a plan: This should be a continuous process rather than a one-off exercise. The Safeguards Rule requires regular testing, updates, and reports to your board or equivalent entity.
  3. Ensure you have the right person on staff: This individual should be qualified to create and manage your Information Security Plan. If you do not have such a person on staff, consider partnering with a qualified service provider4. Apply your plan to all systems: This includes systems managed by third-party vendors. Make sure they also comply with your security policies【13†source】.

Deep Dive into Mandatory Safeguards

To ensure compliance with the Safeguards Rule, it's essential to understand the mandatory safeguards in detail:

  • Access controls: Implement measures to control who can access your customer data and systems. This can include password policies, user account management, and access restrictions based on roles or departments.
  • Systems inventory: Maintain an up-to-date inventory of all your systems, including hardware, software, and data storage locations. This allows you to keep track of all potential data repositories and ensure they are adequately secured.
  • Encryption: Encrypt customer data both in transit and at rest. This ensures that even if data is intercepted or accessed without authorization, it remains unreadable without the correct decryption key.
  • Secure development practices: If you develop software in-house, adopt secure coding practices. Regularly review and update your code to ensure it meets current security standards and is free from vulnerabilities.
  • Multi-factor authentication (MFA): Implement MFA to add an extra layer of security for accessing sensitive systems or data. This could involve something the user knows (like a password), something the user has (like a security token), and something the user is (like a fingerprint).
  • Disposal procedures: Have procedures in place for the secure disposal of customer data when it's no longer needed. This can include shredding physical documents and securely wiping electronic data.
  • Change management procedures: Implement a structured process for managing changes to your systems or data, including assessing potential security implications and testing new configurations before deployment.
  • Monitoring and logging of authorized user activity: Regularly monitor and log user activity on your systems. This can help you detect any unusual or suspicious behavior that could indicate a security incident.


The FTC's expanded Safeguards Rule represents a significant shift in the regulatory landscape for car dealerships. With the June 9th, 2023 deadline fast approaching, dealerships need to take proactive steps to ensure compliance.

Embracing these requirements not only helps dealerships avoid potential fines and penalties but also strengthens their overall cybersecurity posture. Ultimately, safeguarding customer data is not just a regulatory obligation – it's a crucial part of maintaining customer trust and building a reputation for integrity and reliability in the digital age.

Looking for cybersecurity services or FTC compliance help for the June 9 deadline? Complete the form below.