
By: Patrick Martin on March 13, 2024


FTC Safeguards Rule: Most Frequently Asked Questions For Dealerships

The Federal Trade Commission (FTC) Safeguards Rule has been amended to include non-banking institutions that handle consumer financial information; car dealerships fall into this category.

If you own or manage an auto dealership or handle the technology for one, this article has the answers to the most frequently asked questions about the Safeguards Rule.  

At Kelser, we provide IT services for auto dealerships and other customers. In this article, we explore how the Safeguards Rule pertains to dealerships and provide honest answers to the questions we’ve heard from dealerships most frequently. And, most importantly, we do it without a whole lot of technical language.  

We want you to have the information you need, and we want it to be understandable.  

What Is The Amended FTC Safeguards Rule? 

The amended FTC Safeguards Rule has been updated with requirements for notification when the data of at least 500 consumers is exposed in a security incident, whether or not the consumer is actually affected.


How Does The FTC Safeguards Rule Apply To My Car Dealership? 

Like other nonbanking financial institutions, auto dealerships handle Personally Identifiable Information (PII) including driver’s license, social security, bank account, telephone, and credit card numbers, as well as addresses and birthdates. As a result, all auto dealerships are subject to the rule and must comply with its data security and reporting requirements.  

What Are The Notification Requirements Spelled Out In The FTC Safeguards Rule And How Do They Apply To Car Dealerships? 

The amendment requires non-banking financial institutions to notify the FTC as soon as possible, and no later than 30 days after the discovery of a security incident involving the unauthorized access of unencrypted customer information of at least 500 consumers, whether or not the exposure results in a misuse of the information.

What Type Of Data Encryption Does The FTC Safeguards Rule Require Of Auto Dealerships?

The amended FTC Safeguards Rule does not mandate specific encryption tools or techniques but does require institutions to implement “a strong information security program” to safeguard customer information both at rest (or stored) and in transit (or transmitted) using strong encryption methods.  

How Can Dealerships Achieve Compliance With The FTC’s Amended Safeguards Rule?  

Auto dealerships can follow these steps to initiate compliance with the amended Safeguards Rule:

  • Understand Requirements  

Review the amended Safeguards Rule so that you understand exactly what’s required. 

  • Assess Your Data Security Posture 

Conduct a comprehensive risk and vulnerability assessment of your network and devices regularly. Use the information gathered to strengthen your cybersecurity profile and harden your defenses. This will help make your organization a less attractive target for criminals. Tools that will help with this include vulnerability scans and penetration tests.

Related article: Conduct A Cybersecurity Risk Assessment For Your Business: 6 Steps 

  • Develop & Implement A Strong Cybersecurity Program 

If you don’t already have them, implement policies, procedures, and controls to protect customer data.  

Incorporate encryption tools and practices to protect sensitive data that is stored or shared. Protecting your most valuable data behind multiple firewalls can also be a deterrent against cyber crime.  

Infrastructure monitoring is another proactive tool you can use to identify unauthorized user access on your network and devices, so you can quickly respond and remediate any damage.   

Related article: 7 Characteristics Of A Successful Cybersecurity Policy  

  • Educate Employees About Cybersecurity Best Practices 

One of the most cost-effective and underused cybersecurity tools is regular training sessions for employees. Providing this training empowers your users to identify and report suspicious activities. The training can be provided either in-person or via interactive modules sent electronically.  

Providing this training regularly keeps cybersecurity top of mind, educates users about the latest threat vectors, and gives them the tools to become active participants in protecting your organization.  

Related article: Cybersecurity Awareness Training:  Why It’s Important & How To Take Action Today 

  • Have A Data Incident Response Plan 

The best response to a cyber incident is one that is planned in advance. Rather than responding in an emergency situation, your organization can take the time to think through and plan for every eventuality. A key part of your proactive response plan should be frequent data backups.  

Make sure the steps and action owners are clearly spelled out and that you take into account applicable federal and state regulations as well as key internal and external stakeholders.  

Related article: What is a Business Continuity Plan? Disasters & More 

What’s The Bottom Line?  

After reading this article, you know the answers to the most commonly asked questions about the amended FTC Safeguards Rule. You know what the rule is, how it applies to your dealership, what the notification and encryption requirements are, and the steps to compliance.

At this point, you may realize that you have some of the tools already in place to comply with the amended FTC Safeguards Rule. Or you may realize that you have work to do.  

Either way, cybersecurity needs to remain top of mind because it is not a “set it and forget it” exercise. The threats continue to change, and new ones evolve. Your tools must keep pace with the changing landscape.  

If you aren’t sure whether your cybersecurity tools are keeping pace, use the button below for a checklist you can use to assess your current state and identify areas for improvement.  

Get Your Cybersecurity Checklist

You may have internal resources that can help your dealership maintain or improve your cyber readiness. If not, external resources can support your internal team or handle things for you.

The one thing I’d recommend if you are considering external IT support is to explore several options to find a provider that is the right fit for you. You’ll want to engage with a provider that takes the time to get to know your business, your goals, your industry, and your current technology state.  

Here are the 10 best questions to ask any IT provider.

About Patrick Martin

As vice president, engineering services, Patrick tackles technical challenges on a daily basis. He enjoys working with customers to help them use technology effectively to achieve their strategic business goals and objectives.
