What Auto Dealerships Need to Know About the FTC Safeguards Rule
Every industry has an extensive set of regulations to comply with. They range from rules established by professional associations, to state laws, to federal acts. Keeping track of all requirements can quickly become a full-time job, as businesses strive to protect consumer information, undergo continuing education requirements, and do everything else that’s needed to maintain their licenses and good standing.
Auto dealerships are no exception. For over two decades, they have had to comply with the Federal Trade Commission’s (FTC) Safeguards Rule, which was specifically designed to ensure that consumers’ sensitive data remains secure and private. But what are the exigencies of this federal act? And are there any new developments auto dealers should be aware of?
The Origin is the Gramm Leach Bliley Act
The Gramm Leach Bliley Act (GLBA) was signed into law on November 12, 1999. It requires all companies that offer financial services to ensure their customers are informed about how they share their information — and to allow customers to opt out of having their information shared. The Act also requires these businesses to prioritize protecting consumer information.
This law was deemed necessary due to the customary practice of critical information being stored, processed and transmitted among banks, financial institutions, and credit card companies. This is relevant to auto dealerships, considering that a significant portion of the population purchases motor vehicles through financing plans they obtain through bank loans or the auto manufacturer’s finance division. In these instances, auto dealerships are deemed financial institutions because of the financing transaction and NPI collected during the transaction.
What is the FTC Safeguards Rule?
The Safeguards Rule is a section of the GLBA (you can read more here). Congress passed the Gramm-Leach-Bliley ACT in 1999 to control how financial institutions handle individuals’ private information. It took effect in 2003, and it requires covered entities to develop, implement, and maintain information security programs for the specific purpose of protecting customers’ personal information.
It also specifies that this rule is required from both financial institutions and other entities that have provided customer data to the financial institutions. Since depository financial institutions are overseen by their respective FFIEC regulators, FDIC and NCUA, for example, the FTC Safeguards Rule exists for other covered entities who are considered financial institutions. Auto dealers fall into this category because of the purchase financing portion of the transaction and the non-public personal information that is collected, stored and transmitted as part of the transaction.
- Financial Privacy Rule – regulates collection and disclosure of private financial information
- Pretexting Provisions – prohibits the practice of accessing private information using false pretenses
- Safeguards Rule –requires financial institutions to implement administrative, physical, and technical safeguards to protect such information against cyber-attacks, email spoofing, phishing schemes, and similar cybersecurity risks.
In 2003, the FTC added the Standards for Safeguarding Customer Information – or the Safeguards Rule, for short – to ensure that all Title IV institutions of higher education (i.e., those that process U.S. federal student aid) comply with specific security guidelines. Now, due to recent high-profile data breaches – including nearly 70 ransomware attacks affecting more than 950 schools and colleges in 2021 alone – the FTC has made amendments to the Safeguards Rule to prioritize protecting consumer information.
- Deadline for amended Safeguards Rule compliance: June 9, 2023
- Exemption: Those who handle less than 5,000 consumer records are exempt from some requirements
Key Sections of the FTC Safeguards Rule:
Section 314.4 of the Rule (others can be searched here) also mentions nine elements each covered entity needs to include in these efforts:
- Designate a qualified individual to oversee and implement the information security program — as well as enforce it.
This can be a person employed by the auto dealership or financial institution), or an affiliate or service provider.
- Base the information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to customer data’s security, confidentiality, and integrity.
Auto dealerships and financial institutions must conduct these assessments taking into account anything that could result in the unauthorized disclosure, misuse, alteration, destruction, or compromise of this sensitive information. These risk assessments must also be conducted periodically to determine whether the efforts are sufficient.
- Design and implement safeguards to control identified risks discovered during any of the risk assessments.
This includes limiting access to customer information exclusively to those who need it to perform their work duties. It also requires authenticating these individuals’ identities, as well as multi-factor authentication.
- Regularly test and monitor whether there have been any attempted attacks or whether any unauthorized party has attempted to access the protected data.
These tests should be done at least every six months, as well as whenever there are circumstances you know — or have reason to believe — that they are necessary.
- Implement internal policies and procedures and train your staff so that they’re fully aware of how to comply with them adequately.
As usual, properly training your employees is a crucial component of any successful cybersecurity plan. And this shouldn’t be done only once. It’s essential to continue to provide security updates and training as risks evolve.
- Oversee service providers and vendors by taking reasonable steps to select those who are capable of complying with these rules.
And once you choose these service providers, you are still responsible for periodically assessing them based on how they continue to provide their services.
- Evaluate security programs and adjust them in light of testing and monitoring results.
It should always be a priority to stay updated on everything that’s going on with your security systems — especially as cybercriminals become more sophisticated with the passage of time.
- Establish a written incident response plan designed to respond immediately to security threats to customer information.
Delineate the goals of such a plan, what are the steps of the internal processes, define who is in charge of what, and each person’s level of decision-making authority. Also, list the requirements to remedy any issues, as well as how to document and report all events.
- Require the qualified individual (mentioned in step 1) to provide an annual written report to your board of directors.
The report should be provided to an equivalent governing entity or senior officer if you don’t have a board of directors. The report should include the status of the information security program, as well as any material issues related to it.
2022 Amendments to the FTC Safeguards Rule
The Safeguards Rule was amended on January 10, 2022, and become effective in December 2022, to ensure that financial institutions’ practices are taking into account modern technologies.
It added five modifications to make the protection of customer data more robust:
- Security programs must include authentication, and data should be encrypted. The rule also requires the risk assessment to be set forth in writing. As to particular safeguards, the Final Rule requires that they address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.
- Financial institutions need to improve their accountability when preparing their annual reports. Periodic reporting to boards of directors or governing bodies is also required in order to ensure their awareness and make it more likely that institutions will receive the required resources and be able to protect consumer information.
- It exempts financial institutions that collect information from less than 5,000 consumers from some of the rule’s original nine requirements — specifically having a written risk assessment, an incident response plan, and preparing the annual report to the board of directors.
- It expands the definition of financial institutions to include entities that conduct activities that are incidental to financial services.
- It includes a glossary of terms related to technology so that there is clarity regarding data security practices.
Exceptions to the Revised Rule
The final Rule contains exceptions for those organizations that maintain customer information on fewer than 5,000 consumers. The exceptions reduce some of the requirements. However, this should not prevent your dealership from implementing a robust cybersecurity program that protects your customers and your brand, reputation, and revenue.
Penalties for Non-Compliance
Abiding by the new rules may seem like a hassle, but failure to do so can come at a price. Non-compliance consequences can include:
- Lengthy oversight periods or disabling access to information systems.
- FTC monetary fines can cost an organization $100,000, and individuals in leadership can be fined up to $10,000.
- Prison time of up to five years.
With SCA, you can avoid all that!
SCA Helps Your Auto Dealership Remain in Compliance with The FTC Safeguards Rule Get our Free Guide Below!
At SCA, we have over 17 years of experience specializing in information security programs that comply with federal regulations, including the FTC Safeguard Rule. Clients can engage us at varying levels from individual assessments and penetration testing through complete cybersecurity program guidance and oversight with our Centurion ESO program.
Contact us to ensure the peace of mind that comes with knowing that all of your bases are covered.