Cybersecurity and privacy requirements for car dealers are tightening, and businesses that handle large volumes of sensitive personally identifiable information (PII) now face mandatory security measures. In October 2021, the FTC announced amendments to the Gramm-Leach-Bliley Act Safeguards Rule with stricter penalties for noncompliance; this page cites fines of up to $11,000 per day per incident. A brief overview of these requirements includes:
Appointment of a Program Coordinator: Car dealers must designate an individual (the rule calls this person the "Qualified Individual") responsible for overseeing and enforcing the information security program.
Conducting a Risk Assessment: Dealerships must perform and document a risk assessment that identifies reasonably foreseeable internal and external risks to customer information, and repeat it periodically as systems and threats change.
Developing a Written Information Security Program: Car dealers must establish a documented program describing the administrative, technical, and physical safeguards they use to protect customer information, based on the findings of the risk assessment.
Overseeing Service Providers: Dealerships remain responsible for customer data handled by third parties. They must select providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess whether providers are meeting them.
Continuous Maintenance and Training: Car dealers must keep the information security program current as their systems and risks change, and provide security awareness training to staff on a regular basis.
Meeting these requirements takes both money and time. Car dealers can either engage a third-party expert to carry the burden or build the expertise in-house; the in-house route is generally the more costly of the two.