The FTC's Expanded Safeguards Rule: What Car Dealerships Need to Know

Introduction

As we navigate an increasingly digital world, the importance of safeguarding sensitive customer information has never been more critical. Recognizing this, the Federal Trade Commission (FTC) has extended the scope of its Safeguards Rule to include automotive dealerships, setting new standards for how businesses handle and protect their customer data. The revised rule, which applies to auto dealerships with over 5,000 customer records, has a compliance deadline of June 9th, 2023.

The Expanded FTC Safeguards Rule

The FTC's Safeguards Rule, traditionally developed for financial institutions, has now been expanded to include "finders," which covers automotive dealerships with over 5,000 customer records. This amendment underscores the changing landscape of security threats and the need for broader protective measures across various industries.

Understanding the New Requirements

The updated FTC Safeguards Rule outlines a list of requirements that dealerships must satisfy:

  1. Assign a qualified individual to oversee and enforce your Information Security Program.
  2. Carry out risk assessments of your information security measures and current safeguards.
  3. Establish mandatory safeguards to control risks. This includes practices like access controls, systems inventory, encryption, secure development, multi-factor authentication (MFA), disposal procedures, change management procedures, and the monitoring and logging of authorized user activity.
  4. Regularly test or audit the effectiveness of your safeguards, controls, systems, and procedures.
  5. Implement policies and procedures that enable your personnel to execute your Information Security Program.
  6. Manage service providers and ensure they adhere to your security policies.
  7. Prepare your Incident Response Plan in anticipation of potential cybersecurity incidents.
  8. Compile an annual report for the board or equivalent body, detailing your cybersecurity efforts and any incidents that may have occurred during the year.

Risks of Non-compliance

While businesses might view these requirements as challenging, the risks of non-compliance are far greater. Cybersecurity incidents such as phishing, ransomware, and other cyber attacks can lead to severe consequences, including identity theft, document tampering, and data misappropriation. If a dealership suffers a security incident, it may be audited by the FTC for compliance, and non-compliance can result in hefty fines. In addition, cybersecurity insurance providers may not cover the incident if the dealership is found to be non-compliant with the Safeguards Rule.

Path to Compliance

Compliance with the Safeguards Rule is a journey, not a destination. Here are some practical steps to consider:

  1. Begin with a network assessment that tests your security and other key provisions in the Safeguards Rule.
  2. Formulate a plan that includes regular testing, updates, and reporting to your board or equivalent entity.
  3. Ensure the right person is in place to create and manage your Information Security Plan.
  4. Make sure your plan applies to all systems you use, including third-party vendors.

Conclusion

The expansion of the FTC's Safeguards Rule to include car dealerships is a timely reminder of the increasing importance of cybersecurity in our digital age. With the June 9th, 2023 deadline fast approaching, dealerships must take the necessary steps to ensure compliance and protect their customer data.

Compliance with the Safeguards Rule is not just about meeting regulatory requirements. It's about demonstrating to your customers that you value their trust and are committed to protecting their personal information. This commitment can differentiate your dealership in a competitive market, enhancing your reputation and fostering customer loyalty.

The path to compliance may seem daunting, but remember that you're not alone in this journey. Many resources are available to help you understand the requirements and implement effective measures. Moreover, investing in cybersecurity is a smart business decision that can safeguard your dealership from potential cyber threats and strengthen your customer relationships.

Note: This article is meant to provide a broad overview of the FTC’s expanded Safeguards Rule. For a full understanding of the requirements and how they apply to your business, please refer to the FTC’s official documentation and consider seeking professional advice.