What Auto Dealerships Need to Know About the FTC Safeguards Rule – SCA Security (2023)

  • August 2, 2022
  • admin
  • Blog, Compliance, Gramm Leach Bliley Act, Safeguards Rule

Every industry has an extensive set of regulations to comply with, ranging from rules set by professional associations to state laws and federal acts. Keeping track of every requirement can quickly become a full-time job as businesses work to protect consumer information, meet continuing education requirements, and do everything else needed to maintain their licenses and good standing.

Auto dealerships are no exception. Since the early 2000s they have had to comply with the Federal Trade Commission's (FTC) Safeguards Rule, which was written to ensure that consumers' sensitive financial data remains secure and private. But what exactly does the Rule require? And are there new developments auto dealers should be aware of?

The Origin is the Gramm Leach Bliley Act

The Gramm-Leach-Bliley Act (GLBA) was signed into law on November 12, 1999. It requires financial institutions to tell their customers how they share customer information, to give customers the ability to opt out of having that information shared with certain third parties, and to protect the customer information they hold.


The law was considered necessary because sensitive financial information is routinely stored, processed, and transmitted among banks, other financial institutions, and credit card companies. It matters to auto dealerships because a large share of vehicle purchases are financed, whether through a bank loan or the manufacturer's finance arm, and the dealer collects and passes along the buyer's non-public personal information (NPI), such as Social Security numbers, income figures, and credit application details, as part of the deal. Because the dealership is significantly engaged in arranging that financing, it is treated as a financial institution under GLBA.

What is the FTC Safeguards Rule?

The Safeguards Rule (16 CFR Part 314) is the regulation the FTC issued under Section 501(b) of the GLBA. It took effect in 2003, and it requires covered entities to develop, implement, and maintain a written information security program to protect customer information. The Rule covers customer information a financial institution holds whether it collected that information itself or received it from another financial institution. Banks, credit unions, and other depository institutions are supervised by their own regulators (the FDIC and NCUA, for example), so the FTC's Safeguards Rule applies to the non-bank financial institutions under FTC jurisdiction. Auto dealers fall into this category because of the financing portion of the transaction and the non-public personal information that is collected, stored, and transmitted as part of it.

Section 314.4 of the Rule, as amended, lists nine elements each covered entity's information security program must include:


  1. Designate a qualified individual to oversee, implement, and enforce the information security program.
    This can be an employee of the auto dealership, or an affiliate or service provider. If an affiliate or service provider fills the role, the dealership remains responsible for compliance and must designate a senior employee to direct and oversee that individual.
  2. Base the information security program on a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.
    The assessment must consider anything that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of that information, and it must be repeated periodically so the program keeps pace with changes to the dealership's operations and the threats it faces.
  3. Design and implement safeguards to control the risks identified in the risk assessment.
    This includes limiting access to customer information to employees who need it to do their jobs, and periodically reviewing those access rights. The Rule also requires multi-factor authentication for anyone accessing any information system that holds customer information, unless the qualified individual approves in writing the use of reasonably equivalent or stronger controls.
  4. Regularly test and monitor the effectiveness of the safeguards, including whether anyone has attempted to attack or gain unauthorized access to the protected data.
    The Rule calls for continuous monitoring; where that is not in place, it requires an annual penetration test and vulnerability assessments at least every six months, plus additional testing whenever circumstances you know of, or have reason to know of, make it necessary.
  5. Implement internal policies and procedures and train your staff so they know how to comply with them.
    Properly trained employees are a crucial component of any cybersecurity program, and training is not a one-time event. Security awareness training should be refreshed as risks evolve, and the people running the program need to keep their own knowledge current.
  6. Oversee service providers and vendors by taking reasonable steps to select and retain those capable of maintaining appropriate safeguards, and by requiring those safeguards by contract.
    Once you have chosen a service provider, you remain responsible for periodically assessing the risk it presents and the adequacy of its safeguards.
  7. Evaluate the security program and adjust it in light of the results of testing and monitoring, material changes to your operations or business arrangements, and any other circumstances that may have a material impact on the program.
    Staying current on what is happening in your security systems should always be a priority, especially as attackers grow more sophisticated over time.
  8. Establish a written incident response plan designed to promptly respond to, and recover from, any security event that materially affects the confidentiality, integrity, or availability of customer information.
    The plan should state its goals, lay out the internal processes for responding to an event, define roles, responsibilities, and levels of decision-making authority, describe internal and external communications and information sharing, identify requirements for remediating any weaknesses found, cover documentation and reporting of events and the response, and provide for evaluating and revising the plan after an incident.
  9. Require the qualified individual (from step 1) to report in writing, at least annually, to your board of directors.
    If you do not have a board of directors, the report goes to an equivalent governing body or a senior officer responsible for the program. The report should cover the overall status of the information security program and its compliance with the Rule, and any material matters related to it, such as risk assessment results, testing results, security events and management's response to them, and recommended changes.

2022 Amendments to the FTC Safeguards Rule

The amended Safeguards Rule was published in December 2021 and took effect on January 10, 2022. Compliance with several of the new provisions was originally due by December 9, 2022; the FTC later extended that deadline to June 9, 2023. The amendments were intended to ensure that financial institutions' practices reflect modern technologies.

It made five notable changes to make the protection of customer data more robust:

  1. Security programs must include specific safeguards, and the risk assessment must be set out in writing. The Final Rule requires the safeguards to address access controls, data inventory and classification, encryption of customer information in transit and at rest, secure development practices, multi-factor authentication, secure information disposal, change management, monitoring and logging of user activity, testing, and incident response.
  2. Financial institutions must improve accountability through periodic written reports to their boards of directors or governing bodies, so that leadership is aware of the program and more likely to provide the resources needed to protect customer information.
  3. It exempts financial institutions that maintain customer information on fewer than 5,000 consumers from some of the requirements: specifically the written risk assessment, the continuous monitoring or annual penetration testing and semi-annual vulnerability assessments, the written incident response plan, and the annual report to the board.
  4. It expands the definition of financial institution to include entities engaged in activities incidental to financial activities, which brings in "finders", companies that bring together buyers and sellers of a product or service.
  5. It adds definitions of technology-related terms so that the Rule's data security requirements are clear.

Exceptions to the Revised Rule

The Final Rule contains exceptions for organizations that maintain customer information on fewer than 5,000 consumers. Those exceptions remove some requirements, but they should not stop your dealership from implementing a robust cybersecurity program that protects not only your customers but also your brand, reputation, and revenue.


Penalties for Non-Compliance

Complying with the amended Rule may seem like a hassle, but failing to do so can be costly. Consequences of non-compliance can include:

  • Consent orders with lengthy oversight periods (FTC orders commonly run for 20 years) and mandated independent security assessments.
  • Monetary penalties; figures commonly cited for GLBA violations are up to $100,000 per violation for the organization and up to $10,000 for officers and directors.
  • Criminal penalties, including imprisonment of up to five years, in the most serious cases.

With SCA, we can help you avoid all that!

SCA Helps Your Auto Dealership Remain in Compliance with the FTC Safeguards Rule. Get our free guide below!


At SCA, we have over 17 years of experience specializing in information security programs that comply with federal regulations, including the FTC Safeguards Rule. Clients can engage us at varying levels, from individual assessments and penetration testing through complete cybersecurity program guidance and oversight with our Centurion ESO program.

Contact us to ensure the peace of mind that comes with knowing that all of your bases are covered.



Article information

Author: Arielle Torp

Last Updated: 01/16/2023