Data breach after data breach, the FTC enforced its own Safeguards Rule, which took effect in 2003. Witnessing that companies were not living up to expectations, the FTC changed the Rule in October to remove any doubt as to the minimum requirements. Now, the FTC Safeguards Rule sets forth very specific requirements and processes that must be followed, and there are stiff penalties for non-compliance. The FTC has also made clear that “automobile dealerships” must comply, just like lenders, finance companies, and related finance companies.
The new provisions to the FTC Safeguards Rule take effect on December 9, 2022. In summary, the requirements are:
- The designation of a “Qualified Individual” to implement, oversee, and enforce administrative, physical, and technical safeguards
- Mandatory and documented employee training
- Creation and management of the following documents:
  - A risk assessment
  - An information security program
  - An incident response plan
  - An annual report to the board of directors (or equivalent executive management)
- IT requirements:
  - Enabling multi-factor authentication (MFA) on systems containing customer information
  - Encrypting systems containing customer information
  - Performing:
    - Continuous monitoring of information systems
    - Absent effective continuous monitoring, annual penetration testing and vulnerability scans at least every 6 months
  - Ongoing monitoring of:
    - Access controls to documents and data
    - Customer information storage
    - Disposal procedures
    - Change management procedures
    - Security practices
- Assessing the risks of vendors with access to customer information, and contractually requiring them to meet or exceed the Safeguards Rule standards
For some smaller dealers, there may be a limited exception to certain provisions of the revised Rule. If a dealer maintains customer information concerning fewer than 5,000 consumers, then the dealer will not need to:
- Create a written risk assessment
- Create a written incident response plan
- Create a written annual report
- Conduct continuous monitoring of systems, penetration testing, or vulnerability scans
If you are a smaller dealer, be careful. The 5,000 figure is easily surpassed, and it will be the dealer’s burden to prove the exception. Think about all of the places where customer information may be warehoused, such as:
- Credit applications
- Deal jackets
- DMS
- CRM
- Emails
- Social media accounts
- Websites
Plus, there are data and record retention requirements, so data and documents cannot be immediately purged. For example, credit applications are federally required to be maintained for 25 months under the Equal Credit Opportunity Act (ECOA), but your document retention schedule should be at least 5 years to exceed the timeframe for bringing federal claims under the ECOA and the Fair Credit Reporting Act (FCRA). For credit applications alone, it takes only 83.33 applications per month to exceed the 5,000 limit if the retention schedule is 5 years.
The FTC has made clear that if you do not have someone capable of implementing, overseeing, and enforcing your information security program, then hire someone. Also, if your vendors are not fulfilling their obligations or cooperating with assessments, you will need to find new vendors.
Most dealerships are wondering where to start. It begins with assembling a team that periodically collaborates to identify risks and designates roles and responsibilities for mitigating those risks, developing the program, and adjusting the program. This team should be made up of the dealership’s Qualified Individual, a compliance expert, and an IT expert. The team will take control and let you get back to what you do best – selling and servicing vehicles.