What the FTC Revised Safeguards Rule Means for Auto Dealerships

In addition to data privacy requirements, the FTC Safeguards Rule requires your business to draft and follow specific documented policies in a written Information Security program overseen by a designated Qualified Individual. The Qualified Individual is responsible for ensuring the Information Security program is implemented and followed and compliance is reported to your organization’s Board of Directors.  

Per the FTC, “Your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program are:

1. To ensure the security and confidentiality of customer information
2. To protect against anticipated threats or hazards to the security or integrity of that information
3. To protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer
   
   

A Risk Assessment must be performed to identify risks to personal information held by your company. The outcome of this assessment should be used to design the Information Security program and help determine appropriate controls.

What Does an Information Security Program Include? 

The GLBA Safeguards Rule checklist to compliance includes 9 specific requirements that need to be included in your company’s information security program, summarized below:

1. Designate a Qualified Individual to implement and supervise your company’s information security program.
2. Conduct a risk assessment. 
3. Design and implement safeguards to control the risks identified through your risk assessment, including: 
1. Implement and periodically review access controls
2. Know what you have and where you have it
3. Encrypt customer information on your system and when it’s in transit
4. Assess your apps
5. Implement multi-factor authentication for anyone accessing customer information on your system
6. Dispose of customer information securely
7. Anticipate and evaluate changes to your information system or network.
8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access
4. Regularly monitor and test the effectiveness of your safeguards
5.  Train your staff
6. Monitor your service providers
7. Keep your information security program current
8. Create a written incident response plan
9.  Require your Qualified Individual to report to your Board of Directors

How Do I Get Started? 

Creating and implementing an effective Information Security program can be daunting and many auto dealerships don’t know where to start. When it comes to compliance, hiring a consultant to guide you through the process is your best chance of success. If you need help getting started, reach out to Ingalls’ expert consultants who have helped organizations of all sizes evaluate their security practices and design practical, repeatable solutions to meet compliance obligations.

<CLICK HERE TO GET IN TOUCH WITH OUR TEAM >