FTC Safeguards Rule: Auto Dealers Must Comply by June 9th, 2023

Starting June 9th, 2023, the Federal Trade Commission (FTC) will be enforcing the Safeguards Rule, which requires financial institutions and certain other businesses to have measures in place to protect customers' personal information. Auto dealers, as a subset of the broader financial industry, will be among the businesses affected by this rule. In this blog post, we will discuss the Safeguards Rule, how it will impact auto dealers and the steps auto dealers need to take to comply with the new regulation.

The Safeguards Rule

The Safeguards Rule is a regulation under the Gramm-Leach-Bliley Act (GLBA) that requires financial institutions and certain other businesses to have measures in place to protect customers' personal information. This includes the development of a comprehensive information security program that includes administrative, technical, and physical safeguards to protect personal information. The rule applies to any business that holds non-public personal information and is not already subject to similar regulations such as HIPAA or GLBA.

In addition to auto dealers, the following types of companies are mentioned specifically in the new rule:

  • Career Counselors specializing in Finance
  • Check Cashers, Printers and Sellers
  • Finance Companies
  • Financial Advisors (non-SEC licensed)
  • Finders
  • Higher Education Institutions
  • Mortgage Brokers & Lenders
  • Non-Federally Insured Credit Unions
  • Non-SEC Registered Investment Advisors
  • Payday Lenders
  • Real Estate Appraisers & Settlers
  • Retailers With Their Own Credit Services
  • Travel Agencies
  • Tax Preparation Firms
  • Wire Transferors

Fines for non-compliance can be $44,000 per violation PER DAY!

Impact on Auto Dealers

The Safeguards Rule will have a significant impact on auto dealers, as they will be required to implement and maintain a comprehensive information security program to protect their customers' personal information. This includes information such as customers' names, addresses, Social Security numbers, and financial information. Auto dealers will also be required to conduct regular risk assessments, implement security controls, and provide employee training on information security.

There are 17 specific requirements in the updated rule with which companies must comply:

  1. Appoint a “qualified individual” to implement and supervise the information security program
  2. Conduct a formal risk assessment
  3. Design and implement safeguards to address risks discovered in the risk assessment
  4. Implement and regularly review access controls
  5. Know what you have and where you have it
  6. Encrypt customer information at rest and in transit
  7. Assess security of custom applications
  8. Implement MFA for anyone with access to customer data
  9. Dispose of customer information securely
  10. Anticipate and evaluate changes to systems and infrastructure
  11. Maintain user activity logs and review for unauthorized access to customer data
  12. Regularly monitor and test effectiveness of your safeguards
  13. Train your staff
  14. Monitor your service providers
  15. Keep your information security program current
  16. Create a written incident response plan
  17. Require your “qualified individual” to report on security to your Board of Directors
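
Requirements 4 and 11 above (access controls, and reviewing user activity logs for unauthorized access to customer data) are the most directly testable in software. The following is an added example, not code from the original post or from any dealer management system: it parses a constructed activity log and checks each access against a hypothetical role-to-permission policy, flagging actions the user's role does not allow, access outside an assumed business-hours window, and access from outside an assumed internal address range. The log format, usernames, roles, record identifiers and addresses are all constructed for illustration.

```python
"""Added example: review user activity logs against an access policy.

The log format, user roles, permissions, business hours and network
range below are constructed assumptions for illustration only.
"""
import re
from collections import namedtuple

# Constructed sample log lines: timestamp, user, action, record, source IP.
SAMPLE_LOG = """\
2023-06-12T09:14:02 fsmith  READ   customer/10422  10.0.5.21
2023-06-12T09:15:47 fsmith  EXPORT customer/10422  10.0.5.21
2023-06-12T12:03:10 jdoe    READ   customer/10987  10.0.5.44
2023-06-12T23:41:55 jdoe    READ   customer/10988  203.0.113.9
2023-06-12T13:20:01 mlee    READ   customer/10422  10.0.5.60
2023-06-12T13:22:30 admin   DELETE customer/10301  10.0.5.2
"""

# Hypothetical role assignments and the actions each role may perform on
# customer records (the access-control policy a reviewer checks against).
USER_ROLES = {"fsmith": "finance", "jdoe": "sales", "mlee": "service", "admin": "it"}
ROLE_PERMISSIONS = {
    "finance": {"READ", "EXPORT"},
    "sales": {"READ"},
    "service": set(),            # service staff need no customer-finance records
    "it": {"READ", "DELETE"},
}
BUSINESS_HOURS = range(7, 21)    # assumed: 07:00 to 20:59 local time
INTERNAL_NET = re.compile(r"^10\.")  # assumed internal address range

LogEntry = namedtuple("LogEntry", "ts user action record ip")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse whitespace-separated log lines; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(LogEntry(*m.groups()))
    return entries


def review_log(text):
    """Return (entry, reason) findings a reviewer should look at.

    Unknown users have no role and therefore no permitted actions, so any
    access by them is flagged.
    """
    findings = []
    for e in parse_log(text):
        role = USER_ROLES.get(e.user)
        allowed = ROLE_PERMISSIONS.get(role, set())
        if e.action not in allowed:
            findings.append((e, f"{e.user} ({role}) not permitted to {e.action}"))
        hour = int(e.ts[11:13])          # hour field of the ISO timestamp
        if hour not in BUSINESS_HOURS:
            findings.append((e, "access outside business hours"))
        if not INTERNAL_NET.match(e.ip):
            findings.append((e, "access from non-internal address"))
    return findings


if __name__ == "__main__":
    for entry, reason in review_log(SAMPLE_LOG):
        print(f"{entry.ts} {entry.user} {entry.action} {entry.record}: {reason}")
```

Run against the constructed log, the review flags the after-hours read from a non-internal address and the service user's read of a customer record, while permitted finance, sales and IT actions pass. In practice the same three checks would run on the application's real audit trail, and the findings feed the periodic review the rule asks for rather than replacing it.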

Steps Auto Dealers Need to Take

Auto dealers can take the following steps to comply with the Safeguards Rule:

  1. Appoint a security leader internally or contract with a security company to provide a virtual Chief Information Security Officer (vCISO).
  2. Conduct a risk assessment of their information systems and identify any vulnerabilities.
  3. Develop a comprehensive information security program that includes administrative, technical, and physical safeguards.
  4. Implement security controls such as firewalls, intrusion detection systems, and access controls.
  5. Encrypt customer information (IDs, proof of income, loan documents, etc.) from test drive to delivery.
  6. Provide employee training on information security to ensure that all employees understand their responsibilities for protecting personal information.
  7. Regularly monitor and update the information security program to ensure that it remains effective.

Conclusion

The FTC Safeguards Rule will have a significant impact on auto dealers starting June 9th, 2023. The rule requires many businesses that have never faced security compliance to have measures in place to protect customers' personal information. Nearly all auto dealers will need to raise their information security game quickly, causing unplanned budget expenses and changes to key workflows. Many dealers will find themselves unprepared or under-budgeted for these requirements.

The silver lining is that this rule change is compelling companies to do what they probably should be doing already. First-year pain aside, companies that face this challenge head-on with the right partners will build stronger, more resilient businesses with less risk and, in many cases, a competitive advantage. By taking steps now, auto dealers can ensure that they are in compliance with the Safeguards Rule and that their customers' personal information is protected.