
A Refresher on the FTC Safeguards Rule

With a deadline of June 9, 2023 to comply with amendments to the FTC Safeguards Rule, now is the time to get crystal clear on what’s required. Unfortunately, though, automotive dealerships seem to lack clarity on these requirements. One recent survey found that only 35% of dealerships fully comprehend the new rules, while just 50% have made adequate preparations to comply.

Changes to existing data privacy rules, or the introduction of new laws, almost always cause a degree of misunderstanding among those who need to comply. You may be working through dense legal language to find out what is actually expected, planning large changes without knowing where to start, or unsure whether the law even applies to you. This article aims to reduce that confusion, refresh you on the Safeguards Rule's key points and point you toward further resources on the topic.

Brief History of the Safeguards Rule

The Safeguards Rule implements part of the Gramm-Leach-Bliley Act (GLBA), which became law in 1999. GLBA reformed the U.S. financial services sector by, among other things, imposing stricter governance over the collection and disclosure of customers' personal financial information by non-banking financial institutions.

The Safeguards Rule, which took effect in 2003, made it mandatory for such institutions to design, implement and maintain information security safeguards. The mandated safeguards were fairly non-specific: create an information security program, designate responsibility for that program, conduct a risk assessment and then implement appropriate mitigation measures.

Some examples of non-banking financial institutions are:

  • Mortgage brokers
  • Auto dealerships
  • Tax preparers or accountants
  • Investment advisors
  • Real estate settlement service providers

Since banks, federal credit unions and savings/loan institutions are all outside the jurisdiction of the FTC, the Safeguards Rule doesn’t apply to them. As for auto dealerships specifically, you must comply if your dealership extends credit to someone in connection with the purchase of a car, arranges for someone to finance or lease a car or provides financial advice to an individual.

Interestingly, despite a vastly changing cyber threat landscape, the Safeguards Rule remained unchanged for almost 20 years until the FTC issued a set of amendments in December 2021. This set of amendments addresses the higher risks to customers’ personal information in an increasingly digital world that sees more cyberattacks than ever against financial institutions.

The changes also overcome some of the shortfalls of the original Safeguards Rule, particularly in terms of its lack of specificity in some important details about information security program requirements.

Key Changes in the Updated FTC Safeguards Rule

Termed the Final Rule, the new set of amendments to the FTC Safeguards Rule becomes effective on June 9, 2023. Here is a reminder of the key changes that you must prioritize, with an emphasis on the protections deemed essential by the FTC as part of a modern information security program that best protects customer information.

  • Implement and periodically review access controls. This means finding out who has access to customer information, authenticating users before granting access and limiting each user's access to only the customer information they need to perform their duties. "Regularly review" means re-checking those permissions over time, not just setting them once.
  • Map out your data and IT ecosystem. This essentially translates to knowing what you have and where it is. Take a regular inventory of customer data and record where it is collected, transmitted and stored. Keep a similar, up-to-date inventory of your systems, applications, devices and users.
  • Create a written incident response plan. The plan should set out the overall goals of incident response, the internal processes that activate in response to a security event, clear roles and responsibilities, external and internal communication details, processes for remediating any identified weaknesses in your systems and controls, procedures for documenting and reporting security incidents, and a post-incident review to evaluate and revise the plan.
  • Implement multi-factor authentication (MFA). This requirement reflects the consensus among security practitioners that requiring more than one authentication factor is the single most effective protection against account takeover. Under the amended rule, MFA is required for any individual accessing any information system that holds customer information, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.
  • Test and monitor your safeguards. The amendments let you satisfy this with an annual penetration test combined with vulnerability assessments at least every six months (and whenever there is a material change to your operations or business arrangements). If you have continuous monitoring in place, that also satisfies the requirement.

While this list acts as a refresher on the crux of what's required, there are other important rule changes, including designating a Qualified Individual to oversee the program and reporting to your board or senior leadership. For a more comprehensive breakdown, including a full checklist for getting compliant with the new rules, check out our FTC Safeguards Rule Dealership Guide.

Consequences of Non-Compliance with the Safeguards Rule

The consequences of non-compliance with regulations are often hefty, both monetary and legal. There are also reputational impacts to consider, especially when 59% of auto shoppers now choose a dealer based on reputation. Non-compliance with the Safeguards Rule is highly likely to draw negative media coverage and damage a company's reputation.

But for now, let's look at the monetary costs of non-compliance. While each case is assessed on its own facts, the fine can reach $11,000 per day for each violation, and additional penalties can be added on top of this depending on the degree of negligence involved.

Get Expert Help If You Need It

Compliance with any sweeping new regulatory change is understandably stressful, and the stakes and costs are high. If you're an automotive dealer, you don't have to navigate these complex changes alone.

Nuspire’s managed security services include an FTC Safeguards Package. This package gives you access to security and compliance experts who can help implement the assessments, policies and procedures templates, training and mandatory services you need to comply with the updated rules.

Learn more about our FTC Safeguards package.
