Blog

FTC Safeguards Rule: What You Need to Know

“Where do we even begin?” It’s a question being asked at car dealerships across the country as they race to comply with updates to the FTC Safeguards Rule released late last year. With the deadline less than two months away, automotive dealers are in a sprint to understand the specific steps they need to take to get into compliance.

Mike Pedrick, VP of Cybersecurity Consulting at Nuspire, and Tony Haux, CISO and Chief Compliance Officer at Accelerate2Compliance, recently hosted a webinar to help auto dealers navigate the complexities of the Rule. Read on to hear their tips.

Why the FTC Safeguards Rule is important

“I always try to avoid focusing on fear, but I do think it’s important to share some stats to offer context for why the FTC Safeguards Rule is important,” Mike said.

According to Automotive News, auto dealers are a prime target, with research revealing:

153 viruses blocked per day
84 malicious spam emails blocked per day
212 instances of malicious activity through a firewall each month
45 high severity attacks per month
6 suspicious files come through a firewall each month.

“The FTC Safeguards Rule has been around for 20 years, but it didn’t include the specificity needed to adequately account for today’s cyber threats,” said Tony. “There are so many factors that come into play when you’re dealing with customer data, which is why it’s valuable to have clear directions for what’s required and who does what.”

Questions You’ll Be Asked by the FTC and HHS

At any given point beyond the new deadline of June 9, 2023, an auditor could be at your door asking a variety of questions to ensure you’ve met the requirements of the FTC Safeguards Rule.

“If they’re investigating a breach, they’ll ask about your WISP (written information security program) and will want to see it,” said Tony. “They’ll ask if you’ve assessed your information security on a periodic basis and whether you’ve trained your staff adequately. They’ll also want to know about how you’ve assessed third-party vendors who have access to customer data.”

Mike added that having a written plan helps control for variability in what you’re being assessed for.

“Any time an auditor arrives onsite, they’ll evaluate controls, systems and processes you employ in relation to your documented plan,” said Mike. “If you have nothing written, you lose predictability in terms of what to expect and what you need to improve upon.”

6 standards for creating a written information security program

The updated FTC Safeguards Rule asks that auto dealers create a written information security program that includes six specific focus areas.

1. Designate a “single qualified individual”

This standard is meant to create a clear path of communication and accountability. The qualified individual doesn’t have to be a cybersecurity or information security expert. What’s most important is that this person is someone who can interface confidently and competently between cybersecurity experts and the organization’s leadership.

2. Generate security reports on a periodic basis to the organization’s highest management

These reports should demonstrate the types of metrics you’re reporting and evaluating against, as well as show that you’re meeting regularly to assess compliance.

“This report is all about providing a history of commitment to the process,” said Mike. “Auditors like these reports because it helps them feel confident that you’re doing your part to comply.”

Tony recommended that the report makes it clear what the organization’s goals are and offers periodic updates on the process, including things like where you are in terms of getting assessments done, employee training, etc.

3. Have a written incident response plan

This is a critical element of the security program because it specifically calls out who’s doing what and how you’ll respond if an incident occurs.

“A big part of written IR plan is tactical, because you don’t want to waste any time deciding who’s doing what,” said Mike. “Every second you spend figuring out what to do translates into lost revenue. That’s why it’s important to not only have a written IR plan, but also understand it and rehearse it.”

“An IR plan can look a lot like a business continuity plan at times because it’s not just about compliance, it’s about having good business sense,” Tony added.

4. Perform penetration testing

The FTC Safeguards Rule allows for dealers to make a choice: do penetration testing and vulnerability scans twice per year or conduct continuous monitoring of endpoints, which include desktops, servers, laptops, tablets, etc.

“There’s some controversy with this part of the rule, because many will default to continuous monitoring because it’s not clearly defined and appears to be cheaper,” said Mike. “You have to be extremely thorough with monitoring, because you may miss out on something you could’ve found with vulnerability scan or pen test.”

When it comes to penetration testing, Mike advised that you wait to schedule a test until you’re confident you’ve covered your bases in protecting your environment.

“A pen test is all about validation of the efforts you’re doing,” said Mike. “If you’re not ready, meaning you have gaps, a pen test is pretty much a blank check to the tester, and it can get expensive.”

5. Have a written policy for the purpose of private data destruction

“Every business needs to hold on to data like credit reports for a certain period of time, but often that time expires, which means you have more data that can be exposed to threats,” Tony said. “I’ve seen deal jackets lying around a dealership for years – those have data that could be compromised.”

Mike added that not all data destruction is equal and not all data is actually destroyed, so it’s important to do your homework.

6. Employ logging and monitoring of user activity

Logging is one of the most important ways to track and investigate suspicious activity.

“If we are subject to attack or data has been leaked, the wrong answer is to come back is that you don’t know when it was accessed,” said Mike. “It’s critical to provide an audit trail to pinpoint when an incident occurred.”

Why does the FTC come down so hard on dealers?

It’s not just about the compliance factor alone. The FTC feels that with its Safeguard Rule, it has provided dealerships with the recipe book needed to ensure the same quality of work when it comes to protecting consumer data. Why does this matter?

Because when a business fully complies, it incurs added costs. If another business does not comply and is able to continue a business-as-usual approach, it may be able to sell its cars cheaper because it didn’t incur the compliance costs. The FTC considers failure to comply an act of unfair trade practice.