FTC Safeguards Rule: What Auto Dealers Need to Know

The FTC’s Safeguards Rule has been around for nearly 20 years, requiring financial institutions (including automotive dealers) to comply with specific security guidelines to protect customer data. However, recent amendments to the rule introduce more comprehensive controls and added complexity to dealers’ security compliance processes.

In fact, since the new requirements are extensive and complicated, many dealers will likely incur significant costs to comply. Some estimates put that cost around $300,000, though the cost depends on what the dealer already has in place.

In this post, we break down the essentials and explain actions you can take to set yourself up for successful compliance by the new date of June 9, 2023.

What is the Safeguards Rule?

The Safeguards Rule – which originally went into effect in 2003 under the federal Gramm-Leach-Bliley Act (GLBA) – requires financial institutions (including automotive dealers) to put in place measures that keep customer information secure. The rule classifies auto dealers as financial institutions because they offer financing agreements.

Note that this Safeguards Rule is distinct from the Privacy Rule under the GLBA. The Privacy Rule addresses how institutions and dealers share information about consumers who obtain or apply for credit or lease products from them. The Safeguards Rule addresses how these entities must protect that consumer information.

What does the updated rule require?

On October 27, 2021, the FTC issued its final amendments to the rule to address “recent high-profile data breaches.” The rule amendments include a substantial number of new and expanded procedural, technical and personnel requirements that financial institutions, including automotive dealers, must satisfy to meet their information security obligations.

Overview of rule amendment:

• At a high level, the rule is not as flexible as it used to be around data security. Now it mandates that all financial institutions (including dealers) must satisfy a list of requirements regardless of their size, systems, or the types or scope of data they maintain.

Five key changes:

1. Adds detailed requirements for the development and implementation of a written information security program mandated under the existing rule. These include requirements for risk assessment, system access controls, authentication and encryption, and mechanisms to ensure effective employee training and oversight of service providers.
2. Requires institutions appoint a “qualified individual” to be responsible for the information security program. That person must submit periodic reports to boards of directors or governing bodies so senior management has better awareness of their data security safeguards.
3. Exempts institutions that collect information on fewer than 5,000 consumers from the following requirements: written risk assessments, incident response plan and annual reporting to the board of directors.
4. Expands the definition of “financial institution” to include “finders,” which are companies that bring together buyers and sellers of a product or service. This means that the dealerships are responsible for ensuring that the vendors they share information with also meet the requirements of the rule.
5. Defines terms and provides related examples in the rule itself instead of incorporating them by reference from a related FTC rule.

Under the rule, financial institutions must specifically:

• “Develop, implement and maintain a [written] comprehensive information security program” that “contains administrative, technical and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities and the sensitivity of any customer information at issue.”
• Simply put, they must write a document explaining the steps they take to protect the customer data on their systems.

Which requirements are unique to auto dealers?

Parts of the amendments are specific to automotive dealers:

• In addition to developing their own safeguards, dealers must ensure their affiliates and service providers safeguard the customer information in their care.
• To do this, dealers must audit their vendors for compliance.
• If a dealer fails to ensure any vendor complies, they may be penalized or fined in the event of an audit or security breach.

What Are the Key Deadlines?

Within 30 days of the October 27, 2021 publication, financial institutions and dealers needed to comply with the following sections of the amended rule (many of which were existing requirements):

• 314.4(b)(2)—Additional periodic risk assessments.
• 314.4(d)(1)—Regularly test or monitor effectiveness of the safeguards key controls, systems, or procedures
• 314.4(f)(1) and (2)—Overseeing service providers by: (1) taking reasonable steps to select and retain, and (2) requiring specific contract terms.
• 314.4(g)—Evaluate and adjust your information security program considering the results of the testing and monitoring required by paragraph (d).

By December 9, 2022, financial institutions and dealers must comply with all remaining requirements of the rule and amendments as outlined on the Code of Federal Regulations site.

5 Steps to Prepare for Compliance

Financial institutions and automotive dealers need to take steps to be prepared for compliance by December 9. We recommend these as a good starting point.

Need additional help navigating the complexities of the FTC Safeguards Rule? Share your risk assessment with our team at Nuspire, and we can work together on a plan of action to address your security gaps.