How does the new FTC Safeguard Requirements Affect Auto Dealerships?

The Federal Trade Commission’s Standards for Safeguarding Customer Information - the Safeguards Rule, was proposed to ensure that measures were taken to safeguard customer information, especially financial-related information and to protect that information from misuse, data breach and prevent the identity theft of customers.  On December 9, 2021, the FTC published updates to the Safeguards Rule.  Some of the changes became effective on January 10, 2022, which were minimal and only required slight changes.  However, the remainder of which require compliance by December 9, 2022.  The amendments have a direct impact on dealerships and therefore certain measures need to be taken to meet the December deadline.

Having reviewed the additional changes to the Safeguards Rule, we will briefly outline some of the technical requirements that LecsIT would need to provide in order to conform to the additional rules.

Documentation: From December 9, 2022, periodic risk assessments will need to be performed on the security measures that are currently in place that secure customer information.  Risk assessments were already a requirement, however, this process needs to be ongoing.  Tests will also need to be performed on these security systems to detect actual intrusions and attempts made to access the information.  Information relating to, who has access, the access control systems in place and the retention policy are just some of the requirements that will need to be documented.  The documents will then have to be reviewed and updated on a regular basis.

Security: Taking steps to ensure the protection of information is an important part of the information security process.  Creating and implementing safeguards allow the control of risks.  Methods of access control will need to be implemented and reviewed, as well as auditing to include information like, who has access to data, and where it is stored, transmitted and collected.  Security apps as well as methods used for the disposal of information and changes to the network will need to be evaluated.  Monitoring for unauthorized access, for network activity and for file access or movement will also need to be included.

Several requirements that the dealership needs to take:

• The Safeguards Rule requires a designated "qualified individual" responsible for overseeing, monitoring, and enforcing the information security program.
• Periodic written risk assessments to be used and maintained, to guide the continued updating and enforcement of information security systems.
• Safeguard implementations required from the results of the risk assessments - the details of which we can provide.  For example, access controls, systems inventory, monitoring and multi-factor authentication.
• Testing of vulnerabilities within your information systems either through continuous monitoring or annual penetration testing and bi-annual vulnerability assessments.
• Dealership employees must follow policies and procedures outlined in the information security program.  Security awareness training and keeping personnel up to date on the latest threats and risks also need to be included.
• Dealerships must ensure that third parties or service providers that have access to their customer information maintain safeguards and comply with the dealership's own information security program.  Access to the information will be assessed periodically and re-evaluated.  Contractual requirements may need to be added to said entities to enforce the Safeguards Rule's standards.
• Develop and implement a written incident response plan to outline procedures in response to a breach of the information security system in place or exposure of customer information that the dealership maintains.  It should also include guidelines for internal and external communications and the sharing of information regarding the incident, a clear outline of roles and responsibilities for decision-makers in dealing with the incident and an internal process for responding to an incident and correcting any issue that has arisen.
• A written report by a designated qualified individual, at least annually to the dealership's board of directors or equivalent governing body on the status of the dealership's information security program and compliance with the Safeguards Rule as well as material events related to information systems security and the implementation and enforcement of your information security program.