Summary

Have you heard about the Federal Trade Commission (FTC) recent amendments to its Safeguards Rule, which require dealers to undertake a series of procedural, technical and contractual steps? The Rule's requirements must all be completed by December 9, 2022.

Updated March 17, 2023

Have you received notice from GM that, as a dealership you must meet the FTC Safeguards Rule by June 9th, 2023?

The FTC has stated that the Safeguards Rule applies to all businesses that control or process nonpublic personal information about consumers for whom they provide goods or services, or whose data they hold. It also applies to any business that is affiliated with another company that falls under the Safeguards Rule requirements.

What are the Safeguard Rule’s Requirements?

1. Designate a Qualified Individual to implement and supervise your information security program

This person should have significant knowledge of information security. The FTC recommends that you make sure this person has the ability to:

• Identify possible security risks
• Evaluate potential solutions
• Develop policies and procedures to address those risks
• Ensure that the policies and procedures are followed
• Add project management and organization
• Report clearly and concisely to the board of directors 

2. Conduct a risk assessment

The risk assessment is to be performed periodically and must be used to guide the continued updating and enforcement of your information security program. A written record of these risk assessments must be maintained.

3. Design and implement safeguards to control the risks identified. Including:

• Implement and periodically review access controls
• Know what you have and where you have it
• Encrypt customer information on your system and when it’s in transit
• Assess your apps
• Implement multi-factor authentication for anyone accessing customer information on your system
• Dispose of customer information securely
• Anticipate and evaluate changes to your information system or network
• Maintain a log of authorized users’ activity and keep an eye out for unauthorized access
• Regularly monitor and test the effectiveness of your safeguards

Importantly, customer information is defined very broadly under the Safeguards Rule so the safest practice is to consider any information a customer provides (even simply their name) as covered customer information.

4. Train your staff

Everyone in your dealership needs to understand the importance of protecting customer data. Dealerships must implement policies and procedures to ensure employees are properly enacting and carrying out the information security program, including through security awareness training, utilizing qualified information security personnel to carry out and oversee the information security program, and keeping staff up to date on newly-identified risks or threats so that the information security program can be continuously fine-tuned and updated to address emerging risks. Staff at different levels will need different training based on role.

5. Monitor your service providers

Dealerships must ensure that service providers or third parties that have access to their customer information maintain safeguards commiserate with a dealership’s own information security program and periodically assess their level of access to such information and whether the safeguards they maintain are sufficient. Dealerships must take steps to monitor their service providers’ compliance with this rule.

6. Keep your information security program current (this must be updated yearly at a minimum)

Evaluate security programs and adjust them in light of the results of testing and monitoring. It should always be a priority to stay updated on everything that’s going on with your security systems.

7. Create a written incident response plan

A written incident response plan is a document that details how your dealership will respond if there is an unanticipated breach of your information systems or exposure of customer data. The plan should include, but is not limited to:

• The goals of your plan
• Guidelines for internal and external communications and information sharing regarding the incident (e.g., what to say to customers, the media, and other stakeholders)
• Clear delineation of roles and responsibilities for decision-makers in dealing with the incident
• An internal process for responding to an incident (e.g., determining whether or not it was caused by someone within your organization) and correcting any issue that has arisen
• An internal process for investigating when it looks like something has happened but no one knows exactly what happened yet
• Training materials so that everyone can learn what their role is in responding to an incident
• A post mortem of what happened and a revision of your incident response plan and information security program based on what you learned

8. Require your Qualified Individual to report to your Board of Directors

The designated Qualified Individual must report in writing, at least annually, to the dealership’s board of directors or equivalent governing body on the status of your dealership’s information security program and compliance with the Safeguards Rule as well as material events related to information systems security and the implementation and enforcement of your information security program.

What are the consequences if the Safeguard Rule’s Requirements aren’t met by June 9th, 2023?

Failure to abide by requirements can come at a price. Companies that receive this Notice and nevertheless engage in prohibited practices can face:

• Lengthy oversight periods or disabling access to information systems
• Civil penalties of up to $46,517 per violation
• Prison time of up to five years

( Notices of Penalty Offenses | Federal Trade Commission (ftc.gov))

CIT Helps Your Auto Dealership Remain in Compliance with The FTC Safeguards Rule

There isn’t a DIY fix to meet these requirements. Our Cybersecurity and Managed Services teams have worked with Minnesota and Western Wisconsin GM dealerships to make sure they are ready for these requirements, and any future compliance needs. Avoid the consequences coming June 9th and contact our team today.