Cybersecurity Blog | Ingalls Information Security

What the FTC Revised Safeguards Rule Means for Auto Dealerships

Written by Christopher Magill | Sep 27, 2022 4:00:00 AM
The FTC has issued guidance on the Revised Safeguards Rule for auto dealerships, which in addition to data privacy requirements, includes regulations that require your business to draft and follow a written Information Security program overseen by a designated Qualified Individual. 

What Is the GLBA Safeguards Rule? 

The FTC recently amended the Standards for Safeguarding Customer Information (“the Safeguards Rule”) to include automobile dealerships. Starting June 9, 2023, any auto dealership who extends or facilitates financing for their customers must comply with FTC guidelines for safeguarding the personal data and information of all consumers.


The guidelines are based on 2003’s Gramm-Leach-Bliley Act, 15 U.S.C. § 6805 which applies to financial institutions. The Gramm-Leach-Bliley Act seeks to protect consumer financial privacy. Its provisions limit when a financial institution may disclose a consumer's nonpublic personal information to nonaffiliated third parties. The law covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain financial activities. While the regulations are not new, this is the first time they have been applied specifically to automotive dealerships.

What Are the Safeguards Rule Requirements?

In addition to data privacy requirements, the FTC Safeguards Rule requires your business to draft and follow specific documented policies in a written Information Security program overseen by a designated Qualified Individual. The Qualified Individual is responsible for ensuring the Information Security program is implemented and followed and compliance is reported to your organization’s Board of Directors.  

Per the FTC, “Your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program are:

  1. To ensure the security and confidentiality of customer information
  2. To protect against anticipated threats or hazards to the security or integrity of that information
  3. To protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer

A Risk Assessment must be performed to identify risks to personal information held by your company. The outcome of this assessment should be used to design the Information Security program and help determine appropriate controls.

What Does an Information Security Program Include? 

The GLBA Safeguards Rule checklist to compliance includes 9 specific requirements that need to be included in your company’s information security program, summarized below:

  1. Designate a Qualified Individual to implement and supervise your company’s information security program.
  2. Conduct a risk assessment. 
  3. Design and implement safeguards to control the risks identified through your risk assessment, including: 
    1. Implement and periodically review access controls
    2. Know what you have and where you have it
    3. Encrypt customer information on your system and when it’s in transit
    4. Assess your apps
    5. Implement multi-factor authentication for anyone accessing customer information on your system
    6. Dispose of customer information securely
    7. Anticipate and evaluate changes to your information system or network.
    8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access
  4. Regularly monitor and test the effectiveness of your safeguards
  5.  Train your staff
  6. Monitor your service providers
  7. Keep your information security program current
  8. Create a written incident response plan
  9.  Require your Qualified Individual to report to your Board of Directors


How Do I Get Started? 

Creating and implementing an effective Information Security program can be daunting and many auto dealerships don’t know where to start. When it comes to compliance, hiring a consultant to guide you through the process is your best chance of success. If you need help getting started, reach out to Ingalls’ expert consultants who have helped organizations of all sizes evaluate their security practices and design practical, repeatable solutions to meet compliance obligations.

<CLICK HERE TO GET IN TOUCH WITH OUR TEAM >
View full post