How the FTC's Revised Safeguards Rule Impacts Automotive Dealerships
In the fall of 2021, the Federal Trade Commission announced a significant update to the 2003 Safeguards rule, which required financial institutions to take strict measures to protect customer data. The update didn't just include new requirements addressing emerging risks and technological changes. It also expanded the rule to include non-financial institutions that conduct financial transactions, including auto dealerships.
The change has sent many dealerships scrambling to comply. Not only do very few auto dealerships have the resources and IT knowledge to meet the FTC's stringent requirements, but there is also a lack of specific security and privacy rules for dealerships to follow. The Act has also impacted previous regional rules that dealerships may have followed. By establishing a new national standard that defines an acceptable information security program, regional requirements such as the cybersecurity standards issued by the California Consumer Privacy Act or the NY State Department of Financial Services become moot.
Let's take a closer look at what the change means for auto dealerships and what steps they can take to become compliant.
What Is the Safeguards Rule?
The FTC Safeguards Rule, also known as the Safeguards Rule for the Protection of Customer Information, is a regulation implemented by the Federal Trade Commission (FTC) under the Gramm-Leach-Bliley Act (GLBA). The rule sets requirements for financial institutions to protect the privacy and security of customer information.
The Safeguards Rule initially applied to financial institutions. This includes banks, credit unions, mortgage lenders, insurance companies, and certain other businesses offering financial products or services.
The primary goal of the Safeguards Rule is to ensure that businesses take the necessary steps to protect their customer's information from unauthorized access, use, or disclosure. Over 5 million US citizens have had their personal information leaked in the first quarter of 2023 alone, often with devastating consequences. As the Safeguards Rule was established in 2003, an update was necessary to reflect the new cyber reality that businesses operate in. This brought a new wave of compliance requirements. Businesses now need a comprehensive written information security program in place, employee training, incident response plans that detail how to respond to data breaches or other incidents, and regular monitoring of the security program.
Non-compliance with the Safeguards Rule can result in regulatory actions and penalties imposed by the FTC.
With the new update, any organization "engaging in an activity that is financial in nature or incidental to such activities" is now considered a financial institution and has to comply.
What Is Considered a Financial Institution?
Most businesses have evolved since 2003 when the Safeguards Rule was originally implemented. Dealerships might have started offering finance and collecting more sensitive data as they grew. This means that even if a business wasn't required to follow the regulations when they first launched, they may be required to now. The updated definition implicates even more businesses than those that are normally referred to as financial institutions: retailers extending a credit card, dealerships leasing a car long-term (90 days or more), travel agencies, etc.
Auto dealerships that collect, process, store, or transmit customers' NPI (nonpublic personal information) have to comply with the Safeguards Rule. NPI data includes anything that can identify a person, such as driver's license numbers, financial information, and social security numbers. The Safeguards Rule applies to franchised, independent and buy-here-pay-here dealerships alike.
What Are the Consequences of Not Complying?
Auto dealerships that don't comply with the Safeguards Rule will face hefty fines and penalties, as well as possible legal action from customers. The FTC may also investigate the dealership's overall data security practices and can fine a dealership up to $46,517 per incident if additional failures are spotted.
The consequences can include:
1. Penalties for Consent Violations
While first offenses will probably not be fined, the FTC can seek damages for violations of confidentiality and consent totaling $43,000 per day per violation. If a breach occurs, dealerships will face up to $11,000 per day per occurrence. Suffice it to say, it's a significant sum for any dealership.
2. Legal Risks
The list of penalties is long, and the FTC has never shied away from enforcing those penalties to their maximum extent. Dealerships that aren't compliant could face long-term consent decrees or even substantial injunction, which could have a huge impact on their operations and bottom line. Businesses may even be forced to cease activities related to the violation until they meet requirements. If a data breach occurs, the dealership may be forced to notify victims, further increasing their risk of litigation.
3. Reputational Damage
Word of a breach or non-compliance impacts a business relationship with suppliers, affiliates, and, of course, their customers. Many automotive dealerships rely on bank financing to support their operations, particularly in providing loans to customers. Banks, being financial institutions, are highly sensitive to risks associated with security breaches. Suppose a dealership's security breach raises concerns about data protection. In that case, banks may become hesitant to provide financing or demand additional assurances and safeguards before continuing to purchase loans from the dealership.
4. Cyber Attacks
It's important to remember that the Safeguards Rule exists for a reason. 15% of all dealerships were subjected to cyber attacks in 2022 alone. Dealerships have to contend with increasing hacking attempts, phishing attacks, and even supply chain attacks through compromised third-party systems. Aside from the real threat of customer data breaches, dealers may face ransomware attacks where malicious software encrypts their critical information and demands a ransom for its release. Cybercriminals can easily implement attacks that can cause millions of dollars in damage. Being compliant means being protected.
What Controls Do Dealerships Need to Implement?
The FTC's guidelines outline three objectives that every dealership's security program has to achieve:
- Ensure that customer information remains secure and confidential
- Protect customer information against threats/hazards
- Secure customer information from unauthorized access
Every program needs to contain nine specific elements. We'll break them down in this next section in more detail:
1. Dealers Have To Designate A Qualified Person To Implement And Oversee Their Information Security Program
When the update was being drafted, there was talk of requiring businesses to appoint a dedicated CISO to oversee the information security program. Luckily, the final requirement is that the dealership merely has to appoint a qualified person without any stipulation of a level of education, experience, or certification that person needs to have. The designated person is allowed to have other duties within the dealership as well. You can hire an outside contractor to help the dealership understand how to improve its existing IT security policies, act as a cybersecurity advisor. The contractor can also prioritize spending and cybersecurity efforts in an optimal way.
2. Conducting And Documenting Risk Assessments
Under the new FTC Safeguards rules, a risk assessment must be conducted and documented annually to inform management about the state of the dealership's security preparedness. The report should identify potential future risks and attack scenarios, and explain how to defend against them. These reports should be developed based on the previous year's vulnerability and penetration testing and have to communicate weaknesses in the IT security plan and how these weaknesses can be addressed. The goal is to ensure that the management team is engaged with and well-informed about the state of the dealership's IT security program. Knowing these weaknesses and how they should be addressed can be extremely helpful when determining annual cybersecurity budgets.
3. Design And Implement Safeguards To Address Risks
After a risk assessment has been done, any issues uncovered have to be addressed. The FTC also outlined eight items for safeguarding customer information that must be in place to ensure that the dealership complies with the SafeGuards rule, namely:
- Control access: Only allow authorized people to access customer information. Regularly review who has access to it.
- Keep track of data: Dealerships have to understand and document where data is stored on the network and review it regularly.
- Encrypt data: Dealerships must ensure customer information is encrypted both when it's stored on the system and when it's being transmitted so it can’t be stolen and read easily.
- Secure apps: If any applications are used to store or transmit customer information, those apps must have proper security measures in place.
- Use multi-Factor authentication: Dealerships should implement multi-factor authentication for accounts that have access to customer information to add an extra layer of security.
- Dispose of Information Safely: Data should be securely disposed of within two years of its last use unless there are legitimate business needs or legal requirements to keep it.
- Adapt to Changes: Dealerships have to stay prepared for any changes to hardware or software in their network and adjust their IT program accordingly.
- Monitor and Log Activity: Dealerships should keep a record of authorized user activity when accessing customer information and regularly monitor their network for any signs of unauthorized access.
4. Regularly Monitor And Test The Effectiveness Of Your It Security Program
After a risk assessment has been done and an IT security policy put in place, dealerships should take time to ensure that the changes they've made have effectively addressed any security concerns the risk assessment highlighted. It's hard to believe, but implementing cybersecurity measures can inadvertently create new security gaps and vulnerabilities. The smallest chink in your cyber armor - from a firewall that wasn’t setup properly to a skipped software update - is all it takes for a hacker to infiltrate your network.
The best way to assess whether or not safeguards are working is to conduct a penetration test (pen test) and vulnerability assessment with an outside provider. The FTC Safeguards Rule demands an annual pen test and bi-annual vulnerability assessment unless dealerships practice continuous monitoring (more on that later).
Pen testing is an IT security test in which evaluators imitate attacks to see if they can circumvent any security features.
Pen testing is extremely useful for any organization. According to a study by Verizon, 90% of ransomware and cybersecurity incidents involve someone clicking on a phishing email link. Pen testing usually includes using phishing simulation software to test whether employees are susceptible to social engineering attacks. Employees that click on links can be sent for further awareness training.
Vulnerability assessments scan the entire IT environment to identify and check all installed software for publicly known vulnerabilities. Under FTC guidelines, free, open-source tools like OpenVAS can be used to conduct this assessment. Still, it'sit's best for a dealership to consult with an IT security expert before attempting to install and run these tools on their own.
While the FTC does make an exception to the annual pen testing and biannual vulnerability scans
if a dealer is performing continuous monitoring, very few dealerships can meet that requirement. As per the FTC guidelines, continuous monitoring includes real-time, ongoing configuration scanning and vulnerability assessments, not just monitoring for security threats (like an EDR, MDR, or SIEM might do). An FTC Workshop mentioned that the type of continuous monitoring referenced in the Safeguards Rule could cost a small or midsized company up to $600,000 per year and requires a dedicated IT staff to monitor the logs and activity around the clock.
The prohibitively high cost and level of expertise required is precisely why the FTC allows dealerships to complete an annual pen test and bi-annual vulnerability test instead of continuous monitoring.
5. Staff Training
Employees are sometimes referred to as the number one threat to cybersecurity. And with good reason. According to Kaspersky, 46% of cybersecurity incidents can be attributed to careless staff. One in every 10 of cybersecurity incidents involved wreckless employees.
But with a little education, a dealership can create a cyber aware culture in their business and keep their customer data safe from threats. Under the revised rule, dealers should provide regular security awareness training to all employees and verify that their IT security personnel have and maintain up-to-date knowledge of current cybersecurity threats/countermeasures.
6. Vendor Assessments
It's not enough for dealers to assess their own risks and safeguards. They also have to assess the adequacy of their vendors' IT security measures. Before signing any new service provider, the vendor must complete a risk assessment questionnaire that assesses their overall risk and their ability to maintain the necessary, appropriate physical, administrative, and technical safeguards.
Existing service providers will also need to periodically complete a new risk assessment questionnaire as new risks or safeguards are identified.
Any vendor who collects or processes NPI has to sign a GLBA Service Provider Addendum promising to implement reasonable safeguards, bearing in mind that any business whose services facilitate financial operations on behalf of a dealership is considered a financial institution (and therefore subject to the Safeguards Rule).
7. Dealerships Have To Keep Their It Security Program Current
The threat landscape is constantly changing. To meet the Safeguards Rule requirements, dealerships must maintain a flexible cybersecurity program that can adapt to new threats and vulnerabilities over time. Changelogs have to be kept updated, and the security team has to remain well-informed about critical vulnerabilities affecting the dealership’s software.
By actively monitoring and staying informed about emerging threats, dealerships can proactively address vulnerabilities and implement necessary changes, updates, and modifications to their security measures.
8. Create A Written Incident Response Plan
The Safeguards Rule requires all organizations under its mandate to draft and maintain an incident response plan according to FTC standards. An incident response plan is a document that outlines the steps a dealership will take to identify, contain, and recover from a cybersecurity incident.
It usually contains information like:
- A definition of what constitutes an incident
- A list of roles and responsibilities for incident response
- A communication plan
- A process for identifying and reporting incidents
- A process for containing and mitigating incidents
- A process for recovering from incidents
- A process for learning from incidents
An incident response plan in place is a must-have for any business.It can go a long way toward minimizing the impact of a cybersecurity incident and boost the odds of a successful recovery.
9. Reporting To The Board Of Directors/Senior Management
The FTC Safeguards Rule requires that the person in charge of the IT Security Program report to the board of directors, governing body, or senior management at least once a year.
Their report must cover the overall status of the IT Security Program, the dealership's compliance with the revised rule, and any related matters. This could include the results of risk assessments, the results of testing, or any security events or violations, along with recommendations for changes that should be implemented.
Dealerships don’t have time to waste. The deadline for compliance with the updated rule is June 9, 2023. If your dealership hasn't started, it's time to seek assistance.
ComplyAuto is a leading, dealer-owned software-as-a-service (SaaS) RegTech platform that helps dealerships become compliant with the FTC Safeguards Rule. ComplyAuto doesn't just have more than 60 years of automotive compliance experience. They have integrated with Coro to provide dealerships with a comprehensive set of tools and resources. Dealerships can rely on Coro to develop and implement an information security program, and monitor their compliance on an ongoing basis.
By partnering with Coro, ComplyAuto can offer an all-in-one solution that helps dealerships meet the legal and administrative requirements of the Safeguards Rule and the technical cybersecurity requirements. Dealers can access a dozen different FTC-compliant data protection tools in a single platform with just one login — including multi-factor authentication, penetration testing, vulnerability scanning, phishing simulations, and more.
This means that dealerships of all sizes can protect their devices, email, networks, users, and applications while meeting compliance standards with just one comprehensive,affordable platform.
Some of the features of ComplyAuto include:
- A risk assessment tool that helps dealerships identify and assess the risks to their customer information
- A library of best practices and resources to help dealerships develop and implement an information security program
- A compliance dashboard that provides dealerships with real-time visibility into their compliance status
- Data encryption that encrypts customer data at rest and in transit
- Intrusion detection and prevention systems that can identify and block attacks before they can cause damage
- Malware protection to detect and remove malware from their systems
- Vulnerability scanning can identify and fix security weaknesses before attackers can exploit them.