In the fall of 2021, the Federal Trade Commission (FTC) announced a new Safeguards Rule designed to protect the personal financial information collected by businesses. For dealerships and other businesses that help to facilitate consumer financing, these changes mean increased compliance obligations.
On November 15, 2022, the FTC announced a six-month extension (from the previous deadline of December 9, 2022) for businesses to comply with the rule updates. The new deadline for the Safeguards Rule is now June 9, 2023, so it's critical to understand the newly modified requirements and take steps now to ensure compliance.
The FTC Safeguards Rule is a rule promulgated under the Gramm-Leach-Bliley Act (GLBA) introduced in 2002 that requires businesses to develop, implement, and maintain a comprehensive information security program to protect the security, confidentiality, and integrity of customer information.
In response to public concern over the increased flow of sensitive financial information, the FTC created the law to give consumers greater control over how their personal information is used.
To comply with the FTC Safeguards Rule, businesses must take a risk-based approach to develop, implement, and maintain a written information security program that contains administrative, technical, and physical safeguards appropriate to the size and complexity of the business and the nature and scope of its activities.
In the past, some businesses interpreted the Safeguards Rule one way, while others took it to mean something else entirely. After taking public comment and doing further research, the FTC updated its Rule, taking into account technological advancements and current cybersecurity concerns.
The Safeguards Rule has been amended several times since its introduction. The most recent revision was introduced in December 2021 and goes into effect on June 9, 2023, applying to any business that collects or maintains consumer financial information.
The updated Safeguards Rule lists various responsibilities businesses must fulfill to protect their customers' confidential information. These responsibilities include:
A business must designate an individual or individuals responsible for developing, implementing, and maintaining the information security program.
A business must regularly audit its information security program and risk mitigation protocols to ensure they are up-to-date and effective. This includes auditing physical, technological, and administrative safeguards to protect customer information adequately.
All employees with access to customer information must be trained on the proper security procedures to protect that information. Training must be conducted on a regular basis and should be updated as new threats emerge.
Businesses must take reasonable steps to select and implement safeguards that protect customer information from unauthorized access, destruction, use, modification, or disclosure. This includes changes or improvements to the supporting IT infrastructure to ensure:
Businesses must regularly test their security controls to ensure they are functioning properly and providing the desired level of protection. This includes testing things like firewalls, intrusion detection systems, and access control systems.
The updated Safeguards Rule also requires businesses to consider the current cybersecurity landscape when developing their information security program. This includes understanding the types of threats that exist, how those threats could impact customer information, and what safeguards would be effective in preventing or mitigating those threats.
All security improvements must be well documented so that businesses can demonstrate they have effectively protected their customers' information.
Businesses must have an incident response plan in place in case customer information is compromised. This plan should include steps for notifying affected customers, conducting a thorough investigation, and taking appropriate steps to prevent future incidents.
For dealerships specifically, these changes to the Safeguards Rule mean they must take extra steps to protect both online and offline customer information. When a customer purchases a vehicle, a dealership has access to a wealth of personal and financial information, including Social Security numbers, driver's license numbers, home addresses, birthdates, and banking information.
With the updated Safeguards Rule in place, dealerships must take extra steps to protect this information from unauthorized access, destruction, use, modification, or disclosure.
Dealerships are also responsible for training their employees on proper information security procedures. The amount of foot traffic through a dealership can be high, which means there are more opportunities for customer information to be compromised. To protect this information, dealerships must ensure their employees are trained on proper security procedures and know how to spot potential threats.
Regardless of the size of your dealership, it’s important to be aware of the changes to the Safeguards Rule and take steps to protect customer information. Reviewing your current security procedures and making improvements where needed is a good place to start. However, it most likely won’t be enough to ensure your dealership’s compliance and won’t shield you from fines.
The best way to prepare for these changes is to partner with a reputable IT service provider or IT compliance expert, such as LDD Consulting, who understands the latest compliance mandates. Contact us today to learn more about how we can help you comply with the updated Safeguards Rule.
Not ready to talk yet? Then at least let me point you to another resource: our recent YouTube video on The Reboot, which discusses the Safeguards Rule specifically for automotive dealerships.