FTC Safeguards: Deadline for Dealerships Extended to June 9th

There are severe penalties for auto dealers that don’t comply with the revised FTC Safeguards Rule. The FTC has extended the deadline for dealerships by six months, to June 9th, 2023.


The Federal Trade Commission recently extended the implementation date of their FTC Safeguards Rule from December 9th, 2022 to June 9th, 2023. The below article is updated to reflect the new June deadline.


This article will explore the June 9th deadline for the revised FTC Safeguards Rule and what that means for an auto dealership as the Federal Trade Commission strives to provide better consumer protections for car buyers. In addition, it provides a comprehensive compliance checklist and details potential punishments for non-compliance.

Understanding the FTC Safeguards Rule

The Federal Trade Commission’s revised Safeguards Rule (originally an update to the Gramm-Leach-Bliley Act (GLBA) from 1999) requires car dealers to develop and implement a written information security plan to protect customers’ personal information. The updates to the rule take effect on June 9, 2023, and are part of the FTC’s ongoing efforts to protect consumers’ personal information in the wake of the ever-increasing threat of data breaches and cyberattacks.

The FTC Safeguards Rule applies to businesses and financial institutions that hold or have access to consumer information, including “traditional” banks, credit unions, credit card companies, and other lenders. However, the protections extend to “nontraditional” financial institutions or “non-bank” entities such as auto dealerships and payday lenders. Both groups must develop a written information security plan outlining how to protect consumer information.

The new rules require auto dealerships to take reasonable steps to protect customer information from foreseeable risks, such as unauthorized access, use, disclosure, destruction, or theft. In developing their information security plans, auto dealerships must consider their size and resources, the type of customer information they collect and maintain, and the nature and scope of their business operations.

By requiring businesses to take measures to safeguard consumer information, the rule helps to ensure that consumers can trust that their personal information will be protected during and after the car-buying process.

Your Car Dealer Checklist

You could face severe penalties if your auto dealership doesn’t comply with the revised FTC rule by June 9th, 2023. So here is a checklist of what you need to knock off your list: 

1. Appoint a Qualified Individual to implement and oversee your information security program. Select someone who has real-world experience and is well suited to manage your specific environment.

2. Conduct a security risk assessment. Administer an assessment of foreseeable risks and threats, including internal/external factors that could compromise customer confidentiality. Think through all the ways unauthorized access could occur.

3. Implement security safeguards. Design company security measures that identify and control the risks found during your risk assessments, vulnerability scans, and penetration testing. Your safeguards should include the following:

    •   Create access controls to administer who can access your customers’ information.
    •   Inventory where and how data is gathered, transmitted, and stored.
    •   Encrypt data at rest and in transit.
    •   Custom applications should be evaluated for how customer information is stored, accessed, or transmitted.
    •   Require Multi-Factor Authentication (MFA) to access company applications or customer data.
    •   Properly dispose of personal information within two years of serving a customer, unless doing so conflicts with state or federal laws.
    •   Anticipate and manage change to your environment, systems, equipment, technology, and personnel.
    •   Log user activity and monitor both authorized and unauthorized access.

For more information on the safeguards auto dealers must implement to comply with the revised rule, please visit our latest article FTC Safeguards: What This Means for Auto Dealerships.

4. Enforce continuous monitoring and testing of your systems. Theoretical safeguards are great, but without consistent testing of their effectiveness, your safeguards will inevitably become outdated and ineffective. Ongoing risk assessments are critical and should be complemented with annual vulnerability scans and penetration testing.

5. Provide Security Awareness Training for your entire staff. The security of customer data can be reduced to your weakest link, so provide ongoing training for your employees, vendors, affiliates, and even service providers to ensure everyone associated with the business is equipped to spot cybersecurity risks and threats.

6. Monitor your third-party partners. While it should be assumed that all vendors or service providers are up to date on the appropriate safeguards, it just isn’t the case. Make sure your agreements are clear about your industry’s security standards, and once you push forward with their services, make sure they continue to share their ongoing security credentialing.

7. Revisit your information security program. To ensure your security plan is relevant within the ever-changing cybersecurity landscape, your team needs to understand how changes to your processes, network, systems, technology, equipment, and applications will affect your compliance.

8. A written incident response plan is critical. Nobody can predict the future, but we can plan for it. Businesses need a set of thoughtful response and recovery protocols for when they have a security event. Your plan should cover the following:

    •   The objectives and goals of your plan
    •   The internal processes to be initiated in response to a security issue
    •   Detailed roles, responsibilities, and who has authority to make decisions
    •   Communication guidelines for how you share information internally as well as with the public
    •   Comprehensive next steps in repairing identified weaknesses in your systems and processes
    •   A process for documenting and reporting both the security event itself as well as your organization’s associated response activities
    •   After an incident, a detailed synopsis of what happened and a summary of how your company has updated its information security program and incident response plan based on what occurred

9. Restructure your org chart so that your Qualified Individual reports directly to your Board of Directors. In addition, your Qualified Individual must provide at least one compliance report per year to your organization’s board of directors or senior officer responsible for your information security program.

What If A Dealership Breaks The Revised FTC Safeguards Rule?

Simply put, businesses should be stewards of their customers’ privacy. They should implement rigid security protocols to make sure everyone is safe and protected from the threat of cyberattacks. If they don’t, they should be punished. Here is some more information on the potential FTC enforcement actions, along with other issues that can arise from these deceptive practices:

If you are an auto dealer, be aware that you can be fined up to $46,517 (up from $43,792 because of inflation) per violation for breaking the strict FTC Safeguards Rule. With the amount of customer data dealerships keep on hand, there are many potential violations for those that are careless with their information collection and handling. You don’t have to be a mathematician to know that this could add up to a considerable sum of money that would significantly affect a dealer’s profit.

But that’s just the FTC fines. The bigger issue may be class action lawsuits from customers, as the Federal Trade Commission considers a violation to be a deceptive trade practice by the automobile dealer. Class action lawsuits typically recover millions for their plaintiffs, something any business will want to avoid at all costs. A class action lawsuit was already filed against a dealership group earlier this year, and this trend will likely continue as customers fight for a better car-buying experience.

Automotive dealers should understand that there is a target on their backs, and the FTC and individual consumers aren’t letting businesses get away with shoddy data practices anymore. Therefore, our recommendation for dealers: get compliant immediately!! If you don’t, the June 9th deadline could be your downfall!!

If you are interested in more information on Meriplex or how we can help you to become compliant, please contact us today!