Data breach after data breach, the FTC enforced its original Safeguards Rule, which took effect in 2003. Seeing that companies were not living up to expectations, the FTC amended the Rule in October 2021 to remove any doubt about the minimum requirements. The new FTC Safeguards Rule sets out very specific requirements and processes that must be followed, with stiff penalties for non-compliance. The FTC has also made it very clear that "automobile dealerships" must comply, just like lenders, finance companies, and related finance companies.
November 15, 2022 Update:
FTC Extends Safeguards Rule Compliance Deadline
The Federal Trade Commission today announced it is extending by six months the deadline for companies to comply with some of the amendments to the FTC’s Safeguards Rule. Earlier this year, NADA submitted comments to the FTC seeking an extension of the deadline. The deadline for complying with some of the updated requirements of the Safeguards Rule is now June 9, 2023.
- designate a qualified individual to oversee their information security program,
- develop a written risk assessment,
- limit and monitor who can access sensitive customer information,
- encrypt all sensitive information,
- train security personnel,
- develop an incident response plan,
- periodically assess the security practices of service providers, and
- implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
Dealers are encouraged to continue their efforts to comply expeditiously with all the new requirements of the Rule, but should consult with their attorneys, service providers, and IT professionals about the potential impact of this deadline extension.
The new provisions to the FTC Safeguards Rule take effect on December 9, 2022. In summary, the requirements are:
- The designation of a "Qualified Individual" to implement, oversee, and enforce administrative, physical, and technical safeguards
- Mandatory and documented employee training
- Creation and management of the following documents:
  - A risk assessment
  - An information security program
  - An incident response plan
  - An annual report to the board of directors (or equivalent executive management)
- Enabling multi-factor authentication (MFA) on systems containing customer information
- Encrypting systems containing customer information
- Continuous monitoring of information systems
- Annual penetration testing and vulnerability scans at least every 6 months
- Ongoing monitoring of:
  - Access controls to documents and data
  - Customer information storage
  - Change management procedures
- Assessing the risks of vendors with access to customer information, and contractually requiring them to meet or exceed the Safeguards Rule standards
For smaller dealers, there may be a limited exception to certain provisions of the revised Rule. If a dealer maintains customer information concerning fewer than 5,000 consumers, then the dealer will not need to:
- Create a written risk assessment
- Create a written incident response plan
- Create a written annual report
- Conduct continuous monitoring of systems, penetration testing, or vulnerability scans
Smaller dealers need to be mindful that exceeding the 5,000 figure can easily happen, and the burden of proving that the exception applies will fall on the dealer. There are many places where customer information may be warehoused, including:
- Social media accounts
Additionally, there are data and record retention requirements, so data and documents cannot be immediately purged. For example, credit applications are federally required to be retained for 25 months under the Equal Credit Opportunity Act (ECOA), but your document retention schedule should be at least 5 years to exceed the timeframe for bringing federal claims under the ECOA and the Fair Credit Reporting Act (FCRA). For credit applications alone, it takes only 83.33 applications per month to exceed the 5,000 limit if the retention schedule is 5 years.
The FTC has made clear that if you do not have someone capable of implementing, overseeing, and enforcing your information security program, then you should hire someone. Also, if your vendors are not fulfilling their obligations or cooperating with assessments, you will need to find new vendors.
Most dealerships are wondering where to start. It begins with assembling a team that collaborates periodically to identify risks and designates roles and responsibilities for mitigating those risks, developing the program, and adjusting the program. This team should be composed of the dealership's qualified individual, a compliance expert, and an IT expert, to ensure you are compliant and let you get back to what you do best – selling and servicing vehicles.