CORPUS CHRISTI (361) 653-1777
SAN ANTONIO (210) 904-9177
Close this search box.

FTC Rule Changes Auto Dealers Must Know About


Change Guide & Summary for Automotive Dealers


In 2021, The Federal Trade Commission (FTC) revised the “Standards for Safeguarding Customer Information” that was previously issued under the Gramm-Leach-Bliley Act in 2002. The updates are a result of increased cyber threats since the COVID-19 pandemic. The Safeguards Rule applies broadly to all “financial institutions,” including dealerships and other entities that provide or facilitate financial services. The purpose is to protect consumer information from misuse or a data breach, and ultimately identity theft or privacy violations. The intent of this document is to inform auto dealers of the changes and provide guidance for compliance.

Updated Safeguards Rule Compliance Phases

Phase One: Accountability & Ownership

  • Designation of a “qualified” employee to oversee information security.
  • This person may be an employee, or a third party overseen by a senior member of your personnel

Phase Two: Preparation & Evaluation

  • Written documentation & best practices evidencing compliance:
    • Security Risk Assessment, Information Security Program , Incident Response Plan
    • Ongoing written reports to board of directors (or equivalent) on IT & Security, at least annually, prepared by the designated “qualified” employee or third party

Phase Three:  Implementation of Security Tools

  • Implementation of required tools supporting encryption, multifactor authentication, and system monitoring
  • Partnerships & documentation for penetration testing and vulnerability scans

Phase Four: Implementation of Best Practices, Controls, & Procedural Requirements (including ongoing monitoring)

  • Access controls to customer information
  • Inventory of systems that access customer information
  • Secure software development & utilization practices
  • Disposal procedures for customer information
  • Change management plan

Phase Five: Change Management & Employee Training

  • Change management & adoption plan, timeline, training (create a compliance culture), delivery methods

Final Phase: Establish Routines for Auditing & Reviewing Cybersecurity Provider’s Best Practices

  • Annual strategic business reviews (SBRs) with QBRs or check ins

Penalties for Noncompliance

The FTC can initiate an enforcement action against automobile dealers under the authority granted to them in the Federal Trade Commission Act, 15 U.S.C. § 41 et seq. Penalties may include long-term consent decrees with your companies and your executives, extensive injunctive relief, and potential monetary fines for violations of the consent decree. While the FTC cannot seek monetary penalties for first-time violations of the Safeguards Rule, it often seeks to identify violations for which it otherwise can seek money.

We are Here to Help!

The Revised Rule permits you—if you choose—to appoint a third-party vendor employee to fulfill the role of a “Qualified Individual.” The FTC has, for example, pointed favorably to using third parties virtual and/or in person’s services.

Straight Edge Technology is a capable third party to serve as your Qualified Individual & strategic partner allowing you to focus on your business. We provide security programs furnishing reports & evidence of internal audits adhering to FTC safeguard compliance requirements. Most importantly, our solutions reduce your risks protecting you and your customers. Please contact us:


San Antonio Office

17300 Henderson Pass

San Antonio, TX 78232


Corpus Christi Office

2210 Patton

Corpus Christi, TX 78414


Pro tips

  • The risks enumerated here are also consistent with many requirements under the Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST) and Center for Internet Security Top 20 Critical Security Controls (CIS20).
  • Your managed cyber security provider should be able to produce and give you a meaningful report that flags any issues, as opposed to a log of tickets or calls.
  • It is critical that your incident response plan is a business level plan with names of executives & dealers to be contacted if an incident occurs. Your managed cybersecurity provider should have a remediation plan working with you to facilitate a table-top exercise for readiness.
  • A risk assessment should not be confused with a vulnerability scan. Scans are generally a quarterly process while risk assessments are once per year.

Nothing in this whitepaper is intended as legal advice. The requirements of the Safeguards Rule and the circumstances of every dealership are complex, and dealers should not simply adopt the sample information.

At Straight Edge Technology, we offer flat-rate pricing along with personalized IT solutions tailored to your business needs. With our experienced team and comprehensive services, we’re here to support your IT infrastructure and help your business thrive. Contact us today to discuss how we can assist you with your IT needs.