Protecting customer data is crucial for any business. Car dealerships are no exception. This information is so important that the Federal Trade Commission (FTC) has amended its Safeguards Rule to strengthen the requirements for data security for dealerships.
In this article, I’ll explain the amended Safeguards Rule, when it took effect, the types of data incidents it covers, and the reporting threshold.
We’ll discuss the kinds of information that dealerships are required to report and the potential penalties for non-compliance. And, finally, we’ll explore 3 steps you’ll need to take for compliance.
At Kelser, we are committed to providing the information business leaders need to keep technology infrastructures safe, available, and efficient.
And don’t worry, this isn’t a hidden sales pitch. We know there are a lot of providers out there and that our managed IT service offering isn’t the right solution for every organization.
The way we see it, we can’t possibly know whether we’d be a good fit to work together until we have a conversation to understand your business, your current situation, and your technology pain points.
We know it’s a different approach, but we truly believe in the value of effective partnerships.
If we push you to work with us and we aren’t the right fit to work together, it doesn’t do either of us any good. Instead, we provide the information you need in a straightforward way knowing that it will help you make the best technology decisions for your organization.
What’s Included In The FTC Safeguards Rule?
According to the FTC, the amended Safeguards Rule mandates specific reporting procedures and requirements for non-banking financial institutions, including motor vehicle dealers, to develop, implement, and maintain a comprehensive security program to keep customer information safe.
“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
“The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data,” he added.
When Did The Amended FTC Safeguards Rule Take Effect?
The amended Safeguards Rule took effect in December 2023.
What Reporting Requirements Are Outlined In The FTC’s Amended Safeguards Rule?
The amendment requires non-banking financial institutions to notify the FTC as soon as possible (and no later than 30 days after) the discovery of a security incident involving the unauthorized access of unencrypted customer information of at least 500 consumers.
The notice to the FTC must include certain information about the event, such as the number of consumers affected or potentially affected.
Other reportable security incidents included in the FTC Safeguards Rule include loss or theft of devices containing customer information (including laptops and smartphones).
What Are The Potential Penalties For Non-Compliance With The FTC Safeguards Rule?
Failure to comply with the FTC Safeguards Rule can have severe repercussions, including:
-
Financial Penalties
The FTC has the authority to levy significant financial penalties through civil fines.
-
Reputational Damage
Security incidents can severely damage the reputation of your dealership and your entire organization resulting in customer distrust.
-
Business Loss
Loss of customer trust will result in lost sales and could ultimately lead to the failure of your business.
3 Steps To Take Toward Compliance For Dealerships
While the amended Safeguards Rule focuses on reporting data incidents, there are proactive measures auto dealership owners and managers can take to safeguard customer information including:
-
Robust cybersecurity protocols
People often ask the best way to recover from a cyber incident. My advice is always to be proactive. By putting in place key cybersecurity protocols and tools, you harden your defenses and become a less attractive target for hackers. Here are some of the tools to consider:
Encryption
Encryption scrambles data to help protect information from hackers or other unauthorized people. A decryption key (which can consist of a password or series of numbers) is required to decode the data when it arrives at its destination.
Anti-spam Filters
Anti-spam filters check your emails against industry-standard and your specifically defined criteria for spam and virus controls.
Inbound and outbound items that fail these checks are quarantined and not delivered to reduce dangerous and unnecessary email and prevent the distribution of malware, spam and viruses to your contacts.
Anti-malware
Anti-malware thwarts attacks that would penetrate standard antivirus software.
Anti-malware defends before, contains during, and helps remediate after an incident. It constantly tracks programs, so you know exactly what’s running where and when across your endpoints and sends alerts if a program suddenly turns malicious.
Multi-Factor Authentication (MFA)
MFA is a security tool that requires users to provide multiple pieces of identification before they can access an application, website, or other IT service, providing another layer of security for your infrastructure.
-
Employee Security Awareness Training
When it comes to cybersecurity, users can be your strongest defense or the weakest link.
Scheduled security awareness training keeps cybersecurity top of mind for all employees and alerts them to the most common and emerging threats, helping them become attuned to recognizing and reporting suspicious activity.
Security awareness training is the most cost-effective and under-used cybersecurity tool.
-
Risk Assessments
It’s difficult to protect against threats that you don’t anticipate. That’s where risk assessments come in.
Honestly assessing the inherent risk of your organization and your industry will position you to put in place the cyber protections you need.
And, tools like vulnerability scans and penetration tests ensure that you understand the weaknesses in your infrastructure so you can shore up your defenses.
Related article: Two Tools To Help Assess & Address Cybersecurity Risks
Risk assessments put your organization ahead of the curve and make your business a less attractive target for criminals.
Learn 6 steps you can use to conduct a cybersecurity risk assessment for your organization.
What’s The Bottom Line?
After reading this article, you understand what the amended FTC Safeguards Rule requires. You know what’s included, when it took effect, the requirements outlined, the potential penalties and 3 proactive steps you can take toward compliance.
Navigating the complexities of the amended FTC Safeguards Rule requires some proactive planning and implementation.
You may have internal resources that can help put in place the security measures you need to keep your business safe and compliant or you may need external help. Either way can work, the most important thing is that you take proactive action to protect your data and that of your customers.
If you are considering working with an external IT provider, we encourage you to check out several options so you can find one that is the right fit for your organization. Ideally, you’ll want a partner who has worked with dealerships in the past and understand the intricacies inherent to the industry.
I wouldn’t be honest if I didn’t mention some of the advantages a managed service provider offers when it comes to the FTC Safeguards Rule in particular.
For example, managed services typically include proactive monitoring, threat identification, and incident response protocols. In addition, organizations have access to a wide range of experts with broad cyber experience at a fraction of the cost of hiring a dedicated IT team for your organization.
No matter how you choose to move forward, take the time to honestly assess your risk, evaluate your current infrastructure for vulnerabilities, and mitigate as many weaknesses as you can.
Wondering if your cyber safeguards are up to the latest threats? Use the button below for a free cybersecurity checklist you can use to assess your organization.
