FTC Safeguards: What This Means for Auto Dealerships

The Federal Trade Commission is cracking down on deceptive data practices and auto dealerships must comply with the revised FTC Safeguards Rule by June 9th, 2023, or run the risk of some heavy financial penalties.

Extension Update!

The Federal Trade Commission has extended the deadline of their FTC Safeguards Rule from December 9th, 2022 to June 9th, 2023. The article will reflect the adjusted date.


This article will detail the revised FTC Safeguards Rule implemented to ensure businesses handle customer information properly and keep it safe from misuse. You will learn who is covered by the safeguard rule, what an information security program looks like, and what this all means for auto dealerships.

What Is the FTC Safeguards Rule

The FTC Safeguards Rule is a set of updated regulations announced by the Federal Trade Commission in late 2021 that requires financial institutions to develop and implement a comprehensive information security program. The Safeguards Rule is an integral part of the FTC’s efforts to protect the security, confidentiality, and integrity of customer-sensitive information from cyberattacks, identity theft, and other forms of fraud. Beginning June 9, 2023, the FTC Safeguards Rule will officially take effect, and all financial institutions, including “non-banking financial institutions” like auto dealerships, will be required to prove their compliance.

The rule applies to all businesses that collect or maintain sensitive customer information, including large institutions like banks, credit card companies, and small businesses. The FTC has enforcement authority over the safeguards rule and can punish companies failing to comply with the rule requirements.

The revised safeguards rule is the FTC’s update to the Gramm-Leach-Bliley Act (GLBA), implemented in 1999.

What Businesses Fall Under The New Rule?

Financial institutions are covered by the amended safeguards rule, which requires them to take measures to protect consumers’ personal information. The rule covers banks, credit unions, and other lenders, as well as broker-dealers, investment advisers, and mutual fund companies. In addition, the rule applies to companies that hold or process consumers’ personal information, whether a traditional financial institution or a “non-bank” financial institution such as auto dealers, payday lenders, or an online banking services provider. In short, if a company has access to consumers’ personal information, it must take steps to safeguard that information.

Required Information Security Program

The new regulations require financial institutions to implement an information security program, a set of policies, procedures, and guidelines that an organization uses to protect its customer information. The program includes plans for managing access to data, detecting and responding to security incidents, security awareness training, and risk management. In addition, it sets forth the roles and responsibilities of the security team. The goal of an information security program is to protect information from unauthorized access or data breaches and can be an important part of an organization’s overall security strategy. Make sure to include these safeguards in your information security program:

Access Controls

Businesses must implement and periodically review access controls, which are security measures designed to administer who can access your customers’ information. For example, an organization might require employees to log in with a unique user ID and password, or they might use an electronic key card system. The key is to ensure that only authorized individuals can access customer information and that they can only access the information they need to do their job. Once access controls are in place, remember to review them regularly.


One of the first steps in protecting your data is to conduct a periodic inventory, noting where and how data is gathered, stored, and transmitted. This will help you keep an accurate list of all systems, devices, platforms, and personnel that have access to your data. By keeping track of these things, you can quickly identify any potential security risks and take steps to mitigate them.


Encryption is a process of transforming readable data into an unreadable format. It prevents anyone who does not have the key from being able to access the information. Encryption is critical to any comprehensive data security program and is necessary to comply with the FTC Safeguards Rule.

Custom Apps

If your business has developed custom applications that store, access, or transmit customers’ personal information, it is critical that you evaluate whether they meet FTC safeguarding standards.

Multi-Factor Authentication

Organizations are required to implement Multi-Factor Authentication (MFA) to access company applications or customer data. MFA adds an extra layer of security to data access by requiring users to provide more than one authentication factor when logging in.

Customer Information Disposal

Businesses must take reasonable measures to protect consumer information by securely disposing of any data within two years of serving a customer. The rule applies to paper records and electronic data, and it establishes guidelines for both the storage and destruction of customer information.

Change Management

Businesses must anticipate changes to their information systems to comply with the new regulations, including new equipment, technology, software, updates, or personnel changes that could affect customer information security.


Organizations are required to take steps to protect customer information from unauthorized access. It is recommended that businesses implement continuous monitoring protocols as they must keep a log of all access, including authorized users and unauthorized users, and take proactive steps to prevent it from happening in the first place.

What Does This Mean for Auto Dealers?

June 9, 2023, may sound like just another day on the calendar, but for auto dealerships, it’s an important date to remember as it’s the compliance deadline for the new FTC Safeguards Rule. The rule requires dealerships to have a comprehensive information security program to protect customers’ personal information. While many dealerships already have such programs in place, the new regulations impose new requirements, such as conducting regular risk assessments and providing customers with annual notices of their rights under the rule. Failure to comply with the rule could result in significant fines from the FTC, so if you’re in the business of selling cars, don’t let June 9, 2023, roll around without having a written information security program. If you’re not ready for the new regulations to go into effect, getting some legal advice or talking to a cybersecurity service provider might be a good idea. Meriplex can help you understand the new rules and make sure you’re in compliance.

Interested in Learning More?

"*" indicates required fields

This field is for validation purposes and should be left unchanged.