The Federal Trade Commission is cracking down on deceptive data practices and auto dealerships must comply with the revised FTC Safeguards Rule by June 9th, 2023, or run the risk of some heavy financial penalties.
Extension Update!
The Federal Trade Commission has extended the deadline of their FTC Safeguards Rule from December 9th, 2022 to June 9th, 2023. The article will reflect the adjusted date.
Summary
This article will detail the revised FTC Safeguards Rule implemented to ensure businesses handle customer information properly and keep it safe from misuse. You will learn who is covered by the Safeguards Rule, what an information security program looks like, and what this all means for auto dealerships.
What Is the FTC Safeguards Rule
The FTC Safeguards Rule is a set of updated regulations announced by the Federal Trade Commission in late 2021 that requires financial institutions to develop and implement a comprehensive information security program. The Safeguards Rule is an integral part of the FTC's efforts to protect the security, confidentiality, and integrity of sensitive customer information from cyberattacks, identity theft, and other forms of fraud. Beginning June 9, 2023, the FTC Safeguards Rule will officially take effect, and all financial institutions, including "non-banking financial institutions" like auto dealerships, will be required to prove their compliance.
The rule applies to all businesses that collect or maintain sensitive customer information, from large institutions like banks and credit card companies down to small businesses. The FTC has enforcement authority over the Safeguards Rule and can punish companies that fail to meet its requirements.
The revised Safeguards Rule is the FTC's update to the Gramm-Leach-Bliley Act (GLBA), implemented in 1999.
What Businesses Fall Under The New Rule?
Financial institutions are covered by the amended Safeguards Rule, which requires them to take measures to protect consumers' personal information. The rule covers banks, credit unions, and other lenders, as well as broker-dealers, investment advisers, and mutual fund companies. In addition, the rule applies to companies that hold or process consumers' personal information, whether a traditional financial institution or a "non-bank" financial institution such as auto dealers, payday lenders, or an online banking services provider. In short, if a company has access to consumers' personal information, it must take steps to safeguard that information.
Required Information Security Program
The new regulations require financial institutions to implement an information security program: a set of policies, procedures, and guidelines that an organization uses to protect its customer information. The program includes plans for managing access to data, detecting and responding to security incidents, security awareness training, and risk management. In addition, it sets forth the roles and responsibilities of the security team. The goal of an information security program is to protect information from unauthorized access or data breaches, and such a program can be an important part of an organization's overall security strategy. Make sure to include these safeguards in your information security program:
Access Controls
Businesses must implement and periodically review access controls, which are security measures designed to administer who can access your customers' information. For example, an organization might require employees to log in with a unique user ID and password, or they might use an electronic key card system. The key is to ensure that only authorized individuals can access customer information and that they can only access the information they need to do their job. Once access controls are in place, remember to review them regularly.
Inventory
One of the first steps in protecting your data is to conduct a periodic inventory, noting where and how data is gathered, stored, and transmitted. This will help you keep an accurate list of all systems, devices, platforms, and personnel that have access to your data. By keeping track of these things, you can quickly identify any potential security risks and take steps to mitigate them.
Encryption
Encryption is a process of transforming readable data into an unreadable format. It prevents anyone who does not have the key from being able to access the information. Encryption is critical to any comprehensive data security program and is necessary to comply with the FTC Safeguards Rule.
Custom Apps
If your business has developed custom applications that store, access, or transmit customers' personal information, it is critical that you evaluate whether they meet FTC safeguarding standards.
Multi-Factor Authentication
Organizations are required to implement Multi-Factor Authentication (MFA) to access company applications or customer data. MFA adds an extra layer of security to data access by requiring users to provide more than one authentication factor when logging in.
Customer Information Disposal
Businesses must take reasonable measures to protect consumer information by securely disposing of any data within two years of serving a customer. The rule applies to paper records and electronic data, and it establishes guidelines for both the storage and destruction of customer information.
Change Management
Businesses must anticipate changes to their information systems to comply with the new regulations, including new equipment, technology, software, updates, or personnel changes that could affect customer information security.
Logs
Organizations are required to take steps to protect customer information from unauthorized access. It is recommended that businesses implement continuous monitoring protocols, as they must keep a log of all access, by both authorized and unauthorized users, and take proactive steps to prevent unauthorized access from happening in the first place.
What Does This Mean for Auto Dealers?
June 9, 2023, may sound like just another day on the calendar, but for auto dealerships, it's an important date to remember as it's the compliance deadline for the new FTC Safeguards Rule. The rule requires dealerships to have a comprehensive information security program to protect customers' personal information. While many dealerships already have such programs in place, the new regulations impose new requirements, such as conducting regular risk assessments and providing customers with annual notices of their rights under the rule. Failure to comply with the rule could result in significant fines from the FTC, so if you're in the business of selling cars, don't let June 9, 2023, roll around without having a written information security program. If you're not ready for the new regulations to go into effect, getting some legal advice or talking to a cybersecurity service provider might be a good idea. Meriplex can help you understand the new rules and make sure you're in compliance.