Jul 29, 2022 12:00
New FTC Safeguards Rule: What Your Dealership Needs to Know
Dealers / Credit Bureaus / Credit Reports / Legal
Security / Compliance
How this affects your dealership
The Federal Trade Commission (FTC) has updated its Safeguards Rule. Dealers are required to implement these guidelines as part of their information security program (ISP). Previously, similar rules provided only general guidance, but as of December 9, 2022 the FTC has published specific requirements. The FTC can fine violators up to $46,517 per violation.
You must have a written information security program that is designed to do the following:
- ensure the security and confidentiality of customer information;
- protect against anticipated threats or hazards to the security or integrity of that information; and
- protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.
What is in your Information Security Program?
- Designate a Qualified Individual to implement and supervise your company’s information security program. This can be outsourced to a service provider such
- Conduct a periodic risk assessment and penetration test.
- Design and implement safeguards to control the risks identified through your risk assessment. The Safeguards Rule requires your company to:
  a. Implement and periodically review access controls. Review roles and responsibilities from your ISP.
  b. Conduct a periodic inventory of data. Keep a record of all systems, devices, platforms, and personnel.
  c. Encrypt customer information in transit and at rest.
  d. Assess the security of your apps.
  e. Use multi-factor authentication to access customer information.
  f. Dispose of customer information securely.
  g. Evaluate changes to your information system or network.
  h. Maintain centralized logging of all activity.
- Regularly monitor and test the effectiveness of your safeguards.
- Provide security training to your staff.
- Monitor your service providers.
- Keep your information security program current.
- Create a written incident response plan. The plan must do the following:
  a. State the goals of your plan;
  b. Describe how the plan is initiated;
  c. State roles, responsibilities, and levels of decision-making authority;
  d. Describe communications and information sharing both inside and outside your company;
  e. Describe the process to fix any identified weaknesses in your systems and controls;
  f. Set procedures for documenting and reporting security events and your company’s response; and
  g. Document a post-mortem of what happened and revise your incident response plan and information security program based on what you learned.
- Provide a written report to your Board of Directors and executive team.
The FTC provides additional information about the Safeguards Rule and general guidance on data security.