FTC Rule & Cybersecurity Changes Auto Dealers Must Know About
How FTC Safeguards Rule Change Affects Cybersecurity & Compliance
Change Guide & Summary for Automotive Dealers
In 2021, the Federal Trade Commission (FTC) revised the “Standards for Safeguarding Customer Information” that it had previously issued under the Gramm-Leach-Bliley Act in 2002. The updates respond to the increase in cyber threats since the COVID-19 pandemic and call for a closer look at many cybersecurity practices. The Safeguards Rule applies broadly to all “financial institutions,” including dealerships and other entities that provide or facilitate financial services. Its purpose is to protect consumer information from misuse or a data breach, and ultimately from identity theft or privacy violations. The intent of this document is to inform auto dealers of the changes and provide guidance for compliance.
Updated Safeguards Rule Compliance Phases
Phase One: Accountability & Ownership
- Designation of a “qualified” employee to oversee information security.
- This person may be an employee, or a third party overseen by a senior member of your personnel
Phase Two: Preparation & Evaluation
- Written cybersecurity documentation & best practices evidencing compliance:
- Security Risk Assessment, Information Security Program, Incident Response Plan
- Ongoing written reports to board of directors (or equivalent) on IT & Security, at least annually, prepared by the designated “qualified” employee or third party
Phase Three: Implementation of Security Tools
- Implementation of required tools supporting encryption, multi-factor authentication, and systems monitoring
- Partnerships & documentation for penetration testing and vulnerability scans
Phase Four: Implementation of Best Practices, Controls, & Procedural Requirements (including ongoing monitoring)
- Access controls to customer information
- Inventory of systems that access customer information
- Secure software development & utilization practices
- Disposal procedures for customer information
- Change management plan
Phase Five: Change Management & Employee Training
- Change management & adoption plan, timeline, training (create a compliance culture), delivery methods
Final Phase: Establish Routines for Auditing & Reviewing Cybersecurity Provider’s Best Practices
- Annual strategic business reviews (SBRs) with quarterly business reviews (QBRs) or check-ins
Penalties for Noncompliance
The FTC can initiate an enforcement action against automobile dealers under the authority granted to them in the Federal Trade Commission Act, 15 U.S.C. § 41 et seq. Penalties may include long-term consent decrees with your companies and your executives, extensive injunctive relief, and potential monetary fines for violations of the consent decree. While the FTC cannot seek monetary penalties for first-time violations of the Safeguards Rule, it often seeks to identify violations for which it otherwise can seek money.
We are Here to Help!
The Revised Rule permits you—if you choose—to appoint a third-party vendor employee to fulfill the role of a “Qualified Individual.” The FTC has, for example, pointed favorably to the use of third-party services, whether delivered virtually and/or in person.
Straight Edge Technology is a capable cybersecurity third party that can serve as your Qualified Individual and strategic partner, allowing you to focus on your business. We provide security programs that furnish reports and evidence of internal audits adhering to FTC Safeguards Rule compliance requirements. Most importantly, our solutions reduce your risks, protecting you and your customers. Please contact us:
San Antonio Office
17300 Henderson Pass
San Antonio, TX 78232
Corpus Christi Office
Corpus Christi, TX 78414
- The risks enumerated here are also consistent with many requirements under the Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST) and Center for Internet Security Top 20 Critical Security Controls (CIS20).
- Your managed cybersecurity provider should be able to produce and give you a meaningful report that flags any issues, as opposed to a log of tickets or calls.
- It is critical that your cybersecurity incident response plan is a business level plan with names of executives & dealers to be contacted if an incident occurs. Your managed cybersecurity provider should have a remediation plan working with you to facilitate a table-top exercise for readiness.
- A risk assessment should not be confused with a vulnerability scan. Scans are generally performed quarterly, while risk assessments are performed once per year.
Nothing in this whitepaper is intended as legal advice. The requirements of the Safeguards Rule and the circumstances of every dealership are complex, and dealers should not simply adopt the sample information.