Although they are not financial institutions, auto dealers handle sensitive information about their customers. From banking information to social security numbers, driver’s license numbers to credit information, this information can be used by criminals to steal a customer’s identity.
While banking institutions have been required to comply with the Federal Trade Commission’s (FTC’s) Safeguards Rule, it has been amended to include non-banking institutions that handle Personally Identifiable Information (PII) to increase protections for consumers.
So, what does that mean for your dealership? It means you are now required to report specific data incidents to the FTC and to your affected customers.
In this article, we’ll dive into the details without getting technical. We’ll cover the information that owners, managers and IT folks need and outline 4 steps you can take to achieve compliance.
What Does The Amended FTC Safeguards Rule Require Of Your Auto Dealership?
The Amended FTC Safeguards Rule requires non-banking institutions that handle sensitive information to report unauthorized access of information that affects a minimum of 500 customers, whether or not you can confirm that their information has been compromised.
The FTC must be notified within a 30-day window of the detection of an incident.
Related article: FTC Safeguards Rule: Most Frequently Asked Questions For Dealerships
4 Steps Your Dealership Can Take To Comply With The Amended FTC Safeguards Rule
Your dealership may have cybersecurity safeguards in place. The most important thing to remember about cybersecurity is that what worked last year, last week, or even last month, may no longer be enough to address the constantly emerging threats.
Continuous improvement of your protections is essential to helping keep your data and that of your customers safe.
With that in mind, here are four steps you can take to implement or improve your dealership’s cybersecurity posture:
Step 1 - Identify & Assess Risks
First, identify the information that your dealership collects, stores, and shares. This information often includes:Customer information
Addresses, telephone numbers, social security numbers, driver license numbers, and financial and credit card information
Vehicle information
Vehicle Identification Numbers (VINs), service history, and repair records
Employee Information
Name, address, banking details, social security numbers and payroll information
Related article: Conduct A Cybersecurity Risk Assessment For Your Business: 6 Steps
Once you’ve identified the information your dealership collects, stores, and shares, it’s time to assess your risk that this data could be exposed by unauthorized parties. Think about:
System Vulnerability
Are you using outdated software or old infrastructure? Do you have strong security protocols in place? Have you installed updates and patches on systems and devices?
Related article: Why Do I Need To Patch & Update Business Software & Operating Systems?
Access Controls
Who is authorized to access sensitive and confidential information within your dealership’s infrastructure? Are the access controls related to job function?
Related article: What Is Role-Based IT Access? (Benefits For IT & Users)
Third Party Vendors
How robust are the data security practices of your vendors? How do you know?
Related article: Could A Supplier’s Cybersecurity Deficiencies Put My Business At Risk?
Step 2 - Implement & Strengthen Data Security Measures
After you identified and assessed your risks, the next step is to implement and strengthen your cybersecurity protocols. Begin by encrypting sensitive data that you store or share within your dealership.
Implement other strong physical and electronic access control measures. Protect physical areas with tools like badge-only access and surveillance cameras. Protect sytems and devices with electronic access controls like multi-factor authentication, antivirus software and role-based access as well as the latest firewalls.
Regularly administer vulnerability scans and penetration tests to identify security gaps in your infrastructure. Understand the vulnerabilities you discover and remediate them to limit your exposure.
Step 3 – Provide Employee Security Awareness Training
Did you know that human error accounts for 90-95 percent of cyber incidents? Your employees are crucial to data security. Use security awareness training to empower them to act as your dealership’s first line of defense against cyber attacks.
Providing frequent training modules on topics like phishing, strong passwords, multi-factor authentication, and social engineering can keep cybersecurity top of mind for everyone.
When employees know what to look for, how to treat sensitive information, and how to report suspicious activity, they become your dealership’s greatest cybersecurity asset.
Step 4 – Develop, Maintain and Improve Business Continuity & Incident Response Plans
Even after taking precautions, an incident can still happen. I’m often asked the best way to respond to a cyber incident. The truth is that the best way to respond is by taking proactive action now to develop an incident response plan before anything happens.
When you take on this challenge of developing procedures and processes without the pressure of an existing emergency, you allow your team the opportunity to think through different scenarios and appropriate response and actions.
Having a plan in place and testing it often allows you to tweak any ineffective elements before an incident happens, meaning you'll be able to respond quickly and effectively to minimize damage when an incident occurs.
Your plan should include:
Regular data backups
Know how often backups occur and where they are stored. Practice retrieving a recent backup so that you know how to access your data. Ensure that the backups contain the information you think they do so that you can respond quickly to restore operations if and when an incident occurs.
Clear Steps For Identifying & Containing A Cyber Incident
What actions are necessary? In what order will they be performed?
Communication Strategy
Who needs to be informed (include customers, regulatory agencies, and other stakeholders)? Which external service providers will you need (legal, public relations, etc.)?
How will your dealership adhere to the FTC’s reporting requirements and timeframe?
Responsibility
Who is responsible for which actions? How quickly do they need to happen?
Post-Event Debrief
Have frequent reviews of your processes and procedures. Conduct dry runs and adapt your procedures and processes accordingly. Whether it's a rehearsal or an actual incident, have a review.
- How did things go?
- What are the procedures you’ll use to investigate the root cause and prevent future incidents?
- What else can you improve?
What’s The Bottom Line?
After reading this article, you know what the amended FTC Safeguards Rule means for your auto dealership. You know what’s required and you know four steps you can take to ensure that your car dealership will be compliant.
By taking proactive steps now, you will be better able to protect sensitive information for your customers and your organization, build trust, and minimize the likelihood that your dealership will become a victim of cyber crime. As an added benefit, you’ll have an easier time complying with the amended FTC Safeguards Rule.
The most important takeaway from this article is that cybersecurity threats are constantly evolving. There is no such thing as “finishing.” Cybersecurity is of utmost importance and is a moving target.
Some organizations have dedicated internal staff available to support their cybersecurity efforts. Others look to external IT providers to fill in the gaps.
If you are considering external IT support, the one suggestion I have is to explore several options so that you find one that is the right fit for your organization.
Be leery of any provider who comes in and starts telling you what you need without first engaging in a conversation about your business, your goals, your current technology situation, and your technology pain points.
As important as it is to get cybersecurity best practices in place, don’t rush into an agreement that you might regret down the line.
If you are wondering how your cybersecurity practices measure up, use the button below for a checklist you can use to assess your cyber readiness.
Or if you are feeling overwhelmed and just want to talk to a person, use the button below to provide your contact information so that one of our IT experts can reach out to schedule a 15-minute call to chat about your situation.
