How the FTC’s Amendments to the Safeguards Rule Affects Auto Dealerships
The Federal Trade Commission (FTC) announced a change in the fall of 2021. The Safeguards Rule, which was created to protect customer financial data, would be expanded to include non-financial institutions that conduct financial transactions, including auto dealerships (that contain over 5,000 customer records). By now, almost all dealers are familiar with these requirements of the FTC Safeguards Rule.
So, what does this expansion of the FTC’s Safeguards Rule mean for you? Most importantly, it means you must comply with several new rules to protect consumer information by June 9, 2023.
What is the FTC Safeguards Rule?
The Gramm-Leach-Bliley Act (GBLA) was passed by Congress in 1999, and it introduced the 2002 Safeguards Rule. The Safeguards Rule increased the FTC's regulatory authority and imposed additional obligations on financial institutions, such as the establishment, implementation and maintenance of an information security program to prevent unauthorized access to sensitive consumer information.
In the past, the Safeguards Rule was ambiguous and allowed for compliance flexibility. However, after receiving public feedback and conducting additional research, the FTC issued an updated Safeguards Rule to keep up with technological development, respond to current cybersecurity concerns and create more precise recommendations. There are 16 new rules specifically outlined for dealers that you should sit down with your internal and legal team to review, plan, and implement. One unique requirement will be dealers must ensure their vendors and service providers safeguard the customer information in their care. Dealers need to audit their vendors for compliance.
What Do These Changes Mean For the Auto Industry?
From a practical, and emotional perspective, a trip to an auto dealership is often a big moment in a consumer’s life.
When a customer places their trust in a dealership, they expect the company to not only help them find the ideal car for their needs, but also protect their personally identifiable information (PII). According to the 2021 CDK Global State of Cybersecurity report, 84% of consumers claimed they would not return to a dealership to purchase another vehicle if their data had been hacked.
Similarly, auto dealerships are concerned with the security of financial data. One issue facing the automotive industry is a lack of specific security and privacy rules for all dealerships to follow. The FTC's Safeguards Act modifications affect everything. Previous laws, such as the cybersecurity standards issued by the New York State Department of Financial Services in 2017 and the California Consumer Privacy Act in 2018, provided guidelines for securing consumer information that could only be enforced on a regional basis. The new FTC Safeguards Rule establishes a national standard by defining what constitutes an acceptable information security program.
Are You Prepared?
In CDK Global’s 2022 State of Cybersecurity report, only 47% of the 201 dealerships surveyed said they are well prepared for FTC Safeguards compliance. The same study also revealed that only 35% of the dealers know each component of the rules well. More than half of the dealers surveyed still have work to do to meet the compliance deadline.
The first step is to perform a series of extensive procedural, technical and contractual steps to protect your sensitive consumer data. To help you get started, we've created an in-depth e-book you can download here.
Here are a few tips to help you begin your strategy:
- Appoint a Dedicated Security Person Within the Dealership
- Keep accurate documentation
- Report back to senior leadership
- Inventory the Network and Security Controls
- Identify relevant date, personnel, devices, systems and facilitie
- Ensure access controls are in place
- Get a Risk Assessment
- Draft a written risk assessment with specific issues
- Use the risk assessment as the base for your written security program
- Ensure Your Paperwork Is Up to Date
- Review plans for information security, incident response and risk assessment
- Amend as needed for compliance
- Implement Required Security Controls
- Multifactor identification
- Cybersecurity awareness training
- Data encryption
Let CDK Global help you understand your IT infrastructure’s effectiveness and identify any gaps in your current environment. Our free network security evaluation can help get you on the right path for FTC compliance.
To take advantage of this free evaluation, visit cdkglobal.com/securityevaluation, reach out to your CDK Sales Representative or call 888.424.6342.