When it comes to regulatory agencies overseeing your dealership, the Federal Trade Commission is NOT one to be taken lightly! That’s why when we heard that the FTC Safeguards Rule for auto dealers got an update that will be enforced and effecting all automotive dealerships very soon, we knew we needed to learn more.

So what’s the deal with the FTC Safeguards Rule for Auto Dealers?

Soon, new regulations with the Safeguards Rule will be able to be enforced with a hefty fine (we’re talking up to $46,517 per violation!!), but if you’ve taken steps to ensure the safety of the data being used and transmitted through your dealership departments you’re well on your way to avoiding that costly headache.

Okay wait – let’s back it up: WHY is the FTC cracking down on data security right now?

As you know, things have moved rapidly towards the digital landscape in recent years, expedited even more so once the COVID-19 pandemic changed our standard operating methods drastically.

With this growing online presence comes growing opportunity – both for reputable businesses and nefarious organizations alike.

Ransomware and other cyber attacks have grown increasingly more frequent, sophisticated, and so much more aggressive than the internet has ever seen. Pair this with the growing ease of access to these forms of malware – some advanced ransomware tools are as cheap as $50 – and you’ve got a security breach disaster waiting to happen.

r

The FTC has delayed the compliance date for the new Safeguards Rule to June 9, 2023.

What is required under the safeguards rule to ensure your dealership is compliant ASAP? First, get started. NOW.

If you’re seeing this and haven’t actually started the process, you’re too late to get your business fully compliant before the end of the year.

Don’t panic, though!

Start working on a plan TODAY so that you have a compliance roadmap in place. This way, if your business does come under scrutiny for not being 100% ready in time, you can show that you are truly making the effort to get there.

Plan your Information Security Program in 7-8 Steps

Step One: Designate a Qualified Individual to Implement and Supervise Your Company’s Information Security Program
Step Two: Conduct A Risk Assessment
Step Three: Design and Implement Safeguards to Control the Risks Identified Through Your Risk Assessment
Step Four: Regularly Monitor and Test the Effectiveness of Your Safeguards
Step Five: Train Your Staff
Step Six: Monitor Your Service Providers
Step Seven: Create A Written Incident Response Plan
Step Eight: Require your Qualified Individual to Report to your Board of Directors

Yes, eight steps is a lot, especially with the level of involvement required to complete each, but depending on your size you might get to skip the last one! Here’s a quick breakdown of each step to get compliant with the FTC Safeguards Rule for auto dealers, why it’s important, and what resources are out there to help you tackle them.

Don’t Just Take OUR Word for It…

Check out what your fellow Automotive Industry professionals have to say about the FTC Safeguards Rule and other regulations coming through the pipeline as well on Dealer Refresh:

Step One: Designate a Qualified Individual to Implement and Supervise Your Company’s Information Security Program

First thing first – you need to pick someone to be in charge of heading up this hefty endeavor.

This “Qualified Individual” will have a lot of responsibility – they need to be able to develop your information security program, oversee its implementation, and enforce it with risk assessments and safeguard tests periodically throughout the year.

The “Qualified Individual” is in charge of making sure your entire team gets regular information security training, and ensuring your vendors and partners (like Dealer Authority!) are sticking to your information security program guidelines, too. They also need to be keeping your company’s top leadership updated with annual reporting on the status of the information security program.

Don’t have someone on your team currently who you feel is up to the challenge?

No need to fear – you CAN involve a third-party vendor to take up the role of your Qualified Individual.

This is a great option if your dealership is on the smaller side, or if you want to ensure you’ve got a cybersecurity pro in your corner (sorry, we’re not it, but we’ve got a handy list of options to check out at the bottom of this article).

Just keep in mind that if you go this route, YOU still are responsible for the third party operating on your behalf, so you still need a senior team member to keep an eye on the situation.

Step Two: Conduct A Risk Assessment

Risk assessment is a critical part of keeping your business safe from cyber attacks, and this update is going even harder with its requirements for this. A proper risk assessment in accordance with the Safeguards Rule:

(1) evaluates internal and external security risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information; and (2) assesses the sufficiency of any safeguards in place to control these risks.

Sound familiar? That’s because the 2003 version of the Safeguards Rule requires an assessment like this.

Now with the update, it is required that your information security program is based on this assessment, that the assessment is done in writing, and that it is performed periodically.

Step Three: Design and Implement Safeguards to Control the Risks Identified Through Your Risk Assessment

You’ve assessed your risks and identified areas requiring some maintenance, now it’s time to implement a fix! Similar to step two, this surely sounds familiar since your dealership already needs to have safeguards in place to control risks.

But this revised Safeguards Rule has several new safeguards that need to be incorporated into your information security program, including:

  • Implement and periodically review access controls – Controls must be put on all customer information – both digital and physical info – so only authorized users can access it.
  • Know what you have and where you have it – Documentation is needed about the data, personnel, devices, systems, and facilities your business uses to operate that explains how all these individual parts are connected.
  • Encrypt customer information on your system and when it’s in transit – ALL customer info must be encrypted – both while in transit (like sending the data to your third party vendors) and while at rest (like your customer email list waiting for your next newsletter inspiration to strike)
  • Assess your apps – Whether you are using third-party software or have your own developer on staff, you need to ensure secure development practices are in place for any apps that transmit, access, or store customer data.
  • Implement multi-factor authentication (MFA) for anyone accessing customer information on your system – Ensure any individual accessing any information system that houses your customers’ information is using MFA or “reasonably equivalent controls”
  • Dispose of customer information securely – Have procedures in place to ensure any and all customer information that is disposed of is done so securely.
  • Anticipate and evaluate changes to your information system or network – You need to have a plan of action for ensuring security is maintained when adding, removing, or modifying any tool or system that interacts with your information.
  • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access – It’s now necessary to monitor the activity of authorized users on your system and watch for unauthorized users.

Step Four: Regularly Monitor and Test the Effectiveness of Your Safeguards

This is where the fun really begins! Now that you’ve got your information security program all set, it’s time to start planning your regular testing and auditing of your system’s safeguards.

You should already be monitoring this based on the existing rules in place, but the Revised Rule adds an extra layer of protection by specifically requiring you to also test for detection of actual or attempted cyber attacks.

This can be done with either continuous monitoring of the system or regular penetration testing, at least annually.

Step Five: Train Your Staff

It’s simply not enough to have your Qualified Individual know all the ins and outs of your newly-revamped, extra-robust information security program. Your personnel at all dealership levels who have access to any customer information need to have security awareness training, too.

By no means do they need to have the same level of knowledge as your qualified information security personnel, but they still need to be educated on risks and security based on the findings of your regular risk assessments.

Step Six: Monitor Your Service Providers

Yeah, they’re really serious about this one.

As touched on in the details of Step One, this step really drives home the point that it is YOUR responsibility as a dealer to ensure that any and all service providers and third-party partners that work with your dealership are adhering to the standards of your information security program.

It completely makes sense to outsource a variety of processes to outside providers, where you can hire a team of experts instead of worrying about finding one of your own. But it is fully up to you to vet them thoroughly to ensure they are a true partner – not a potential risk!

Don’t worry – it’s not your responsibility to monitor the activity of these providers around the clock.

Instead, you want to review their information security practices from time to time and have them sign a contract agreeing to routine security audits.

If any of your service providers push back or simply can’t accommodate the level of security needed, it’s time to break up with that partner in the eyes of the FTC.

Step Seven: Create A Written Incident Response Plan

Note: This is an additional REQUIRED WRITTEN DOCUMENT that you must have by the FTC Safeguards Rule compliance deadline of 12/09/22 6/09/23.

Based on everything we’ve laid out so far, it should come as no shock that you need to get an action plan in place so you’re ready if a security event arises.

And no, you can’t have a loose plan in your head ready to wing it if something does come up – it’s time to get to writing! On or before the official compliance deadline of June 9th, 2023, you need a written incident response plan document that tackles the following:

  • The goals of your Incident Response Plan
  • What processes you will use internally to respond to a security issue
  • Clearly defined roles and responsibilities for the team members who will be involved in executing the Incident Response Plan
  • What standards of communication will be used both externally and internally in relation to the event
  • Information on what will be required to resolve any identified issues in the information systems
  • What your process for documenting and reporting these events will look like
  • Details on how you plan to evaluate and revise the Incident Response Plan over time

Based on everything we’ve laid out so far, it should come as no shock that you need to get an action plan in place so you’re ready if a security event arises.

Step Eight: Require your Qualified Individual to Report to your Board of Directors

The last step in your FTC Safeguards Rule checklist is another you probably saw coming if you’ve been following along: an annual written report documenting all the details of your program.

Your Qualified Individual will need to write this up at least once a year, and deliver it to the board of directors or the senior official who is keeping tabs on the Qualified Individual’s process. This document should include an update on the status of the program, and any material related to it like:

  • Risk assessments that have happened since the last report
  • Risk management decisions or control decisions that have been enacted
  • Arrangements with and agreements from service providers to ensure information security
  • The results of any penetration testing you’ve done
  • Details on any and all security events as well as how each of said events was handled
  • Any recommendations the Qualified Individual has to improve or change the information security program going forward

NADA offers this Compliance Tip:

Depending on the Size of your Dealership, You May Get to Skip This Part

Before you task your Qualified Individual with writing this up in the next few weeks, double-check your records if you’re a small dealership. If your records house details on fewer than 5,000 customers, you don’t need to worry about this step!

What Now? Create your Compliance Roadmap!

Okay, okay, we know this is a bit of information overload and the deadline for compliance with the updated FTC Safeguards Rule for auto dealers is fast approaching. Don’t panic – take a peek at our recommendations on how to proceed!

  • Start by creating a roadmap to complete compliance. Figure out what things you can tackle in-house, and which you need to outsource. Choose your Qualified Individual and get them set up for success. This does NOT need to be a full-time role (depending on the size of your dealer group!), but this person does need to be able to take on everything required AND be able to discuss it with the FTC in a clear and concise manner if needed.
  • Remember that implementation takes time! Don’t put this off any longer – use the roadmap you’ve created to get the ball rolling so you’ll be set up as soon as possible.
  • An initial risk assessment should happen as one of the first steps – check out Better Vantage Point or ComplyAuto for a risk assessment from a company specializing in dealership compliance and risk mitigation services.

Don’t let it shake you if it’s impossible to get your business compliant in time. Should you get investigated, having a roadmap in place can show the FTC that you do care, you know what needs to happen, and that you are working on it.

We obviously can’t guarantee that a roadmap is a get-out-of-jail-free card, but the experts at Armour Cybersecurity let us in on the tip that, in general, this will prove that you’re making the effort and will likely prevent you from facing one of those hefty violation fines.

Yes, this WILL take time and money upfront to prepare for – but will be much less expensive to prepare than to wait and see with violations having a max fee of $46,517 per violation.

Get started now and you’ll be in a state of fully-compliant information security bliss in no time!

Want to Learn More?

While we have covered how to put together a roadmap for setting up your Information Security Program, the team at NADA has put together an even more comprehensive guide on the FTC Safeguards Rule.

It encompasses all of the things your dealership will need to complete in order to be in compliance with these regulations so definitely check that out when you’re ready for the fine print!