
What the FTC Revised Safeguards Rule Means for Auto Dealerships

The FTC has issued guidance on the Revised Safeguards Rule for auto dealerships. In addition to data privacy requirements, the rule requires your business to draft and follow a written Information Security program overseen by a designated Qualified Individual.

What Is the GLBA Safeguards Rule? 

The FTC recently amended the Standards for Safeguarding Customer Information (“the Safeguards Rule”) to include automobile dealerships. Starting June 9, 2023, any auto dealership that extends or facilitates financing for its customers must comply with FTC guidelines for safeguarding the personal data and information of all consumers.


The guidelines are based on 2003’s Gramm-Leach-Bliley Act, 15 U.S.C. § 6805 which applies to financial institutions. The Gramm-Leach-Bliley Act seeks to protect consumer financial privacy. Its provisions limit when a financial institution may disclose a consumer's nonpublic personal information to nonaffiliated third parties. The law covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain financial activities. While the regulations are not new, this is the first time they have been applied specifically to automotive dealerships.

What Are the Safeguards Rule Requirements?

In addition to data privacy requirements, the FTC Safeguards Rule requires your business to draft and follow specific documented policies in a written Information Security program overseen by a designated Qualified Individual. The Qualified Individual is responsible for ensuring that the Information Security program is implemented and followed, and that compliance is reported to your organization’s Board of Directors.

Per the FTC, “Your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program are:

  1. To ensure the security and confidentiality of customer information
  2. To protect against anticipated threats or hazards to the security or integrity of that information
  3. To protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer”

A Risk Assessment must be performed to identify risks to personal information held by your company. The outcome of this assessment should be used to design the Information Security program and help determine appropriate controls.

What Does an Information Security Program Include? 

The GLBA Safeguards Rule compliance checklist includes 9 specific requirements that must be addressed in your company’s information security program, summarized below:

  1. Designate a Qualified Individual to implement and supervise your company’s information security program.
  2. Conduct a risk assessment.
  3. Design and implement safeguards to control the risks identified through your risk assessment, including:
    1. Implement and periodically review access controls.
    2. Know what you have and where you have it.
    3. Encrypt customer information on your system and when it’s in transit.
    4. Assess your apps.
    5. Implement multi-factor authentication for anyone accessing customer information on your system.
    6. Dispose of customer information securely.
    7. Anticipate and evaluate changes to your information system or network.
    8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
  4. Regularly monitor and test the effectiveness of your safeguards.
  5. Train your staff.
  6. Monitor your service providers.
  7. Keep your information security program current.
  8. Create a written incident response plan.
  9. Require your Qualified Individual to report to your Board of Directors.


How Do I Get Started? 

Creating and implementing an effective Information Security program can be daunting, and many auto dealerships don’t know where to start. When it comes to compliance, hiring a consultant to guide you through the process is your best chance of success. If you need help getting started, reach out to Ingalls’ expert consultants, who have helped organizations of all sizes evaluate their security practices and design practical, repeatable solutions to meet compliance obligations.
