What Auto Dealers Need to Know About the FTC Safeguards Rule
The FTC's Safeguards Rule, which requires financial institutions (including auto dealers) to follow strict security requirements in order to protect client data, has been in effect for almost 20 years. Recent changes to the regulation, however, introduce more thorough controls and add complexity to dealers' security compliance processes.
We break down the key components in this piece and outline steps you can take for successful compliance by December 9, 2022.
What is the Safeguards Rule?
Under the federal Gramm-Leach-Bliley Act (GLBA), the Safeguards Rule, which first took effect in 2003, mandates that financial institutions (including auto dealers) have security measures in place to protect client information. Because they provide financing arrangements, auto dealers are categorized as financial institutions under the rule.
Keep in mind that the GLBA's Privacy Rule is different from the Safeguards Rule. The Privacy Rule covers the sharing of data between institutions and dealers regarding customers who buy, apply for, or lease products from them. How these organizations are required to protect such consumer information is covered by the Safeguards Rule.
What does the updated rule require?
The FTC published its final revisions to the regulation on October 27, 2021, in order to address "recent high-profile data breaches." As a result of the revisions, financial institutions, including auto dealers, must meet a sizable number of new and extended procedural, technical, and personnel requirements in order to fulfill their information security obligations.
Overview of rule amendment:
In terms of data security, the regulation is not as flexible as it once was. All financial institutions (including dealers) must now meet a defined set of criteria, regardless of their size, their systems, or the types or extent of data they maintain.
Five key changes:
Adds detailed requirements for the development and implementation of a written information security program mandated under the existing rule. These include requirements for risk assessment, system access controls, authentication and encryption, and mechanisms to ensure effective employee training and oversight of service providers.
Requires institutions to appoint a “qualified individual” to be responsible for the information security program. That person must submit periodic reports to boards of directors or governing bodies so senior management has better awareness of their data security safeguards.
Exempts institutions that collect information on fewer than 5,000 consumers from the following requirements: written risk assessments, incident response plans, and annual reporting to the board of directors.
Adds "finders," which are organizations that connect buyers and sellers of a good or service, to the definition of "financial institution." This means dealerships are responsible for ensuring that the vendors with whom they share information comply with the rule.
Instead of referencing a related FTC rule for its definitions and examples, the rule now provides them directly.
Under the rule, financial institutions must specifically:
“Develop, implement and maintain a [written] comprehensive information security program” that “contains administrative, technical and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities and the sensitivity of any customer information at issue.”
To put it another way, they must create a document outlining the precautions they take to safeguard the consumer data stored on their systems.
Which requirements are unique to auto dealers?
The revisions include amendments that apply specifically to car dealers:
In addition to creating their own safeguards, dealers must ensure that their affiliates and service providers protect the customer information in their custody.
To do this, dealers must audit their vendors for compliance.
If a dealer fails to ensure that a vendor complies, the dealer may be penalized or fined in the event of an audit or security breach.