Posted on

New FTC Guidelines for Car Dealerships

Signing a contract

For nearly 20 years, the Federal Trade Commission (FTC) has required financial institutions, including automotive dealers, to protect the security of their customer’s information under the Safeguards Rule. Recent amendments to the rule include more stringent and comprehensive controls to dealers’ security compliance processes. All financial institutions must satisfy a list of requirements, regardless of their size, what systems they use, or the types or scope of data they support. 

Under the new rule, car dealerships must designate a qualified individual to oversee, implement, and enforce the information security program. The rule outlines specific guidelines for ensuring the qualified individual and other personnel involved in managing risks receive proper training. They must report, in writing, the status and compliance of the program to the board or equivalent governing body at least once a year. Dealerships are expected to become compliant with the new rule by December 9, 2022. 

Overview of the Safeguards Rule 

The FTC’s Standards for Safeguarding Customer Information, or the Safeguards Rule, first went into effect in 2003 under the federal Gramm-Leach-Bliley Act (GLBA). The Safeguards Rule is separate from the Privacy Rule under GLBA, which addresses how institutions and dealers share information about consumers who apply for or obtain credit or lease products from them. The Safeguards Rule addresses how these organizations must protect that consumer data. The rule classifies auto dealers as financial institutions because they offer financial agreements. 

Five Key Changes to the Rule

  1. Institutions must develop and execute a written information security program, which includes requirements for risk assessment, system access controls, authentication and encryption, and employee training and oversight of service providers. 
  1. Institutions must appoint a qualified individual to be responsible for the program. This person is in charge of submitting periodic reports to the board of directors so senior management has a clear understanding of their data security safeguards.
  1. Institutions that collect information on fewer than 5,000 consumers are exempt from the following requirements: written risk assessments, incident response plan, and annual reporting to the board of directors.
  1. The definition of “financial institution” now includes “finders”, which are companies that bring together buyers and sellers of a product or service. The dealerships are responsible for ensuring that the vendors they share information with also meet the requirements of the rule. 
  1. Terms are defined, and examples are provided in the rule itself rather than incorporating them by reference from a related FTC rule. 

Requirements Specific to Auto Dealers

In addition to developing their own safeguards, auto dealers are required to ensure that their affiliates and service providers safeguard the customer information in their care. Dealers must audit their vendors for compliance, and if they fail to do so, they may be subject to penalties or fines in the event of an audit or security breach. 

How Should You Prepare For Compliance?

Financial institutions, including car dealerships, need to take steps to prepare for compliance with the FTC’s new guidelines by December 9th. Consider the following as a good starting point for your company: 

  • Appoint a dedicated security officer within the dealership to handle all compliance measures
  • Inventory your network and all security controls
  • Conduct a risk assessment to address specific security issues and areas of concern
  • Ensure all your paperwork is up to date
  • Implement required security controls, such as multi-factor authentication (MFA) and security awareness training

Expert Cyber Security Consultants in NJ & FL

Mindcore is your trusted source for comprehensive and high-quality cyber security services in New Jersey, Florida, and throughout the United States. We can help your car dealership stay compliant with the FTC’s new guidelines by leveraging our extensive knowledge and expertise. Contact us to learn more or schedule a consultation with a member of our team today!

Matt Rosenthal Headshot
Learn More About Matt

Matt Rosenthal is CEO and President of Mindcore, a full-service tech firm. He is a leader in the field of cyber security, designing and implementing highly secure systems to protect clients from cyber threats and data breaches. He is an expert in cloud solutions, helping businesses to scale and improve efficiency.

Related Posts