New 2023 Deadline for FTC Safeguards Rule & Automotive Dealerships

Update:  The Federal Trade Commission has extended the deadline of their  Safeguards Rule that applies to auto dealerships from December 9th, 2022 to June 9th 2023, the article below reflects this update.  

This article details the revised FTC Safeguards Rule that sets standards for how businesses handle and keep safe their customer information data.  It focuses on the steps and processes needed for compliance and how it now applies to automotive dealerships.  

What businesses now need to follow the new FTC Safeguards Rule? 

As the landscape of security threats continues to change, requirements for more in-depth security policies must adapt.  The FTC Safeguards Rule was originally developed to ensure that financial institutions like mortgage brokers, tax preparation firms, finance companies, and other similar businesses maintain safeguards to protect the security of customer information.  The 2021 amendment to the rule expanded the examples of financial institutions covered to include "finders" which would include auto dealerships with over 5,000 customer records.  This includes all records, not just transaction ones.    

What is the Safeguards Rule? 

The Safeguards Rule ensures that entities covered by the Rule maintain safeguards to protect the security of customer information.  The Safeguard Rule gives businesses concrete guidelines to follow to keep their customer information safe from cyber security incidents.  

The revised Safeguards Rule applies to all customer information that is in your possession, whether the information pertains to individuals with whom you have a customer relationship with or to the customers of other financial institutions that have provided information to you. 

What are the updated FTC Safeguards Rule requirements for automotive dealers?

These requirements are expected to be met by June 9th, 2023. All dealers must satisfy this list of requirements if they have over 5,000 customer records. 

1. Designate a qualified individual to oversee, implement, and enforce your Information Security Program
2. Conduct risk assessments on information security and existing safeguards
3. Implement mandatory safeguards to control risks:
   • Access controls 
   • Systems inventory 
   • Encryption
   • Secure development practices
   • Multi-factor authentication (MFA)
   • Disposal procedures
   • Change management procedures
   • Monitoring and logging of authorized user activity
4. Regularly test or audit the effectiveness of your safeguards, key controls, systems, and procedures
5. Implement policies and procedures for personnel to implement your Information Security Program
6. Oversee service providers
7. Draft your Incident Response Plan
8. Prepare an annual report to the board or equivalent 

What happens if an auto dealer doesn't follow the Safeguards Rule?

No matter what industry you're in, you're not safe from cyber attacks. As long as your business has access to personnel information, then you are a target. Data breaches are in the news almost every day. Small, medium, and large companies are targeted for phishing, ransomware, or other cyber-attacks that put personal information at risk of exposure. 

This can lead to identity theft, document tampering, or misappropriation of data. If your auto dealership suffers a security incident, you may be subject to an audit by the FTC for compliance resulting in fines if you are found to be not compliant.  Even if you are not audited by the FTC, you may be audited by your cybersecurity insurance provider.  If they find you are not compliant with the new Safeguards Rule, they may not cover the incident.  

Tips for complying with the new Safeguards Rule for auto dealers

You still have some time to get compliant with the new June 9th deadline but don't wait.  Here are a few next steps and things to consider: 

1. Start with a network assessment that includes testing your security and other key provisions in the Safeguards Rule.  An example of this is Usherwood's Odyssey Discovery.  
2. Develop a plan that is not a one-time exercise that goes on a shelf and collects dust.  The Safeguards Rule requires regular testing, updates, and reports to your board or equivalent entity.  
3. Make sure you have the right person on staff who is qualified to create and manage your Information Security Plan.  If you do not have one, look for a qualified partner that can provide the services you need.  Here at Usherwood, this role would be filled by our Virtual CIO's.
4. Make sure your plan applies to all of the systems you use, including third-party vendors.  

The earlier you implement these critical security regulations, the safer your dealership will be from experiencing a cybersecurity attack and non-compliance issues. 

Interested in learning more?  

Usherwood Office Technology works with various industries to manage all aspects of IT and security.  If you're interested in learning more about how to ensure your dealership is compliant, just complete our Discover Your Solution form below, and a representative will be in touch.