Compliance Guidance for the revised FTC safeguards rule

Data breach after data breach, the FTC enforced its own Safeguards Rule, which took effect in 2003. Witnessing that companies were not living up to expectations, the FTC changed the Rule in October 2021 to remove any doubt as to minimum requirements.  The new FTC Safeguards Rule sets forth very specific requirements and processes that must be followed with stiff penalties for non-compliance. The FTC has also made it very clear that “automobile dealerships” must comply, just like lenders, finance companies, and related finance companies.

November 15, 2022 Update:

FTC Extends Safeguards Rule Compliance Deadline

New Requirements

The new provisions to the FTC Safeguards Rule take effect on December 9, 2022. In summary, the requirements are:

• The designation of a “Qualified Individual” to implement, oversee, and enforce administrative, physical, and technical safeguards
• Mandatory and documented employee training
• Creation and management of the following documents:
  • A risk assessment
  • An information security program
  • An incident response plan
  • An annual report to the board of directors (or equivalent executive management)
• IT requirements:
  • Enabling multi-factor authentication (MFA) on systems containing customer information
  • Encrypting systems containing customer information
  • Performing either:
    • Continuous monitoring of information systems
    • Annual penetration testing and vulnerability scans at least every 6 months
• Ongoing monitoring of:
  • Access controls to documents and data
  • Customer information storage
  • Disposal procedures
  • Change management procedures
  • Security practices
• Assessing the risks of vendors with access to customer information, and contractually requiring them to meet or exceed the Safeguards Rule standards

Limited Exceptions

For smaller dealers, there may be a limited exception to certain provisions of the revised Rule. If a dealer maintains customer information concerning fewer than 5,000 consumers, then the dealer will not need to:

• Create a written risk assessment
• Create a written incident response plan
• Create a written annual report
• Conduct continuous monitoring of systems, penetration testing, or vulnerability scans

Smaller dealers need to be mindful that exceeding the 5,000 figure can easily happen and the burden will be on the dealer to prove the exception.  There are many places where customer information may be warehoused, including:

• Credit applications
• Deal jackets
• DMS
• CRM
• Emails
• Social media accounts
• Websites

Additionally, there are data and record retention requirements, so data and documents cannot be immediately purged. For example, credit applications are federally required to be maintained for 25 months under the Equal Credit Opportunity Act (ECOA), but your document retention schedule should be at least 5 years to exceed the time-frame for bringing federal claims under the ECOA and the Fair Credit Reporting Act (FCRA). For credit applications alone, it takes only 83.33 applications per month to exceed the 5000 limit if the retention schedule is 5 years.

The FTC has made clear that if you do not have someone capable of implementing, overseeing, and enforcing your information security program, then you should hire someone. Also, if your vendors are not fulfilling their obligations or cooperating with assessments, you will need to find new vendors.

Most dealerships are wondering where to start, and it begins with assembling a team that periodically collaborates to identify risks, and designates roles and responsibilities for mitigating those risks, developing the program, and adjusting the program. This team should be comprised of the dealership’s qualified individual, a compliance expert, and an IT expert to ensure you are compliant and let you get back to what you do best – selling and servicing vehicles.