The Federal Trade Commission is cracking down on deceptive data practices and auto dealerships must comply with the revised FTC Safeguards Rule by June 9th, 2023, or run the risk of some heavy financial penalties.
Extension Update!
The Federal Trade Commission has extended the compliance deadline for the FTC Safeguards Rule from December 9, 2022 to June 9, 2023. This article reflects the adjusted date.
Summary
This article details the revised FTC Safeguards Rule, which was implemented to ensure businesses handle customer information properly and keep it safe from misuse. You will learn who is covered by the Safeguards Rule, what an information security program looks like, and what this all means for auto dealerships.
What Is the FTC Safeguards Rule
The FTC Safeguards Rule is a set of updated regulations announced by the Federal Trade Commission in late 2021 that requires financial institutions to develop and implement a comprehensive information security program. The Safeguards Rule is an integral part of the FTC's efforts to protect the security, confidentiality, and integrity of sensitive customer information from cyberattacks, identity theft, and other forms of fraud. Beginning June 9, 2023, the FTC Safeguards Rule will officially take effect, and all financial institutions, including "non-banking financial institutions" like auto dealerships, will be required to prove their compliance.
The rule applies to all businesses that collect or maintain sensitive customer information, from large institutions like banks and credit card companies down to small businesses. The FTC has enforcement authority over the Safeguards Rule and can penalize companies that fail to meet its requirements.
The revised Safeguards Rule is the FTC's update to the Gramm-Leach-Bliley Act (GLBA), implemented in 1999.
What Businesses Fall Under The New Rule?
Financial institutions are covered by the amended Safeguards Rule, which requires them to take measures to protect consumers' personal information. The rule covers banks, credit unions, and other lenders, as well as broker-dealers, investment advisers, and mutual fund companies. In addition, the rule applies to companies that hold or process consumers' personal information, whether a traditional financial institution or a "non-bank" financial institution such as an auto dealer, a payday lender, or an online banking services provider. In short, if a company has access to consumers' personal information, it must take steps to safeguard that information.
Required Information Security Program
The new regulations require financial institutions to implement an information security program: the set of policies, procedures, and guidelines an organization uses to protect its customer information. The program includes plans for managing access to data, detecting and responding to security incidents, security awareness training, and risk management. In addition, it sets forth the roles and responsibilities of the security team. The goal of an information security program is to protect information from unauthorized access and data breaches, and it can be an important part of an organization's overall security strategy. Make sure to include these safeguards in your information security program:
Access Controls
Businesses must implement and periodically review access controls, the security measures that govern who can access your customers' information. For example, an organization might require employees to log in with a unique user ID and password, or it might use an electronic key card system. The key is to ensure that only authorized individuals can access customer information, and that they can access only the information they need to do their job. Once access controls are in place, remember to review them regularly.
Inventory
One of the first steps in protecting your data is to conduct a periodic inventory, noting where and how data is gathered, stored, and transmitted. This will help you keep an accurate list of all systems, devices, platforms, and personnel that have access to your data. By keeping track of these things, you can quickly identify any potential security risks and take steps to mitigate them.
Encryption
Encryption is a process that transforms readable data into a format that cannot be read without the corresponding key, so anyone who does not hold the key cannot access the information. Encryption is critical to any comprehensive data security program and is necessary to comply with the FTC Safeguards Rule.
Custom Apps
If your business has developed custom applications that store, access, or transmit customers' personal information, it is critical that you evaluate whether they meet FTC safeguarding standards.
Multi-Factor Authentication
Organizations are required to implement Multi-Factor Authentication (MFA) to access company applications or customer data. MFA adds an extra layer of security to data access by requiring users to provide more than one authentication factor when logging in.
Customer Information Disposal
Businesses must take reasonable measures to protect consumer information by securely disposing of any data within two years of serving a customer. The rule applies to paper records and electronic data alike, and it establishes guidelines for both the storage and the destruction of customer information.
Change Management
To comply with the new regulations, businesses must anticipate changes to their information systems, including new equipment, technology, software, updates, or personnel changes that could affect the security of customer information.
Logs
Organizations are required to take steps to protect customer information from unauthorized access. Businesses are advised to implement continuous monitoring, since they must keep a log of all access attempts, by both authorized and unauthorized users, and take proactive steps to prevent unauthorized access from happening in the first place.
What Does This Mean for Auto Dealers?
June 9, 2023, may sound like just another day on the calendar, but for auto dealerships it's an important date to remember: it's the compliance deadline for the new FTC Safeguards Rule. The rule requires dealerships to have a comprehensive information security program to protect customers' personal information. While many dealerships already have such programs in place, the new regulations impose new requirements, such as conducting regular risk assessments and providing customers with annual notices of their rights under the rule. Failure to comply with the rule could result in significant fines from the FTC, so if you're in the business of selling cars, don't let June 9, 2023, roll around without having a written information security program. If you're not ready for the new regulations to go into effect, getting some legal advice or talking to a cybersecurity service provider might be a good idea. Meriplex can help you understand the new rules and make sure you're in compliance.