FTC Safeguard Rule Updates — Dealerships, We Are Here to Help

Regardless of your business or industry, consumer data protection should be high on your list for 2023. If you are dealing with consumer information, your industry will come under fire. Auto dealerships are currently facing this challenge, which goes into effect on December 9th as part of the FTC’s updated 2003 Gramm-Leach-Bliley Act Safeguards Rules.

These December 9th changes include nine policy and procedure updates that all car dealerships, regardless of size, must implement. The goal is to protect consumer information while protecting dealerships from the threat of a data breach. Financial institutions and healthcare facilities have long had to enforce principles of data security and prove technical requirements; it’s now car dealerships’ turn. These nine updates are referred to below. However, it’s key to remember that each point contains several bulleted descriptions that should be outlined and discussed in a discovery meeting.

If you are a dealership owner, C-suite leader, manager, or IT director, how you operate your business on a day-to-day basis will be impacted by these nine specific requirements. One of you will need to act as a “qualified individual”. This person will serve as the project manager of a fluid and flexible security program and provide written reports to a governing board, along with information on the current status of the dealership’s security program. On an ongoing basis, the security program will need to adjust to overcome any new threat.

Because dealerships work with a large volume of protected data (names, birthdates, addresses, driver’s license numbers, bank account numbers, credit/debit card numbers, and credit reports), they are targets for cybercrime and all the related risks. This data must be encrypted, and dealerships will now need to prove it through regular risk assessments of their own systems and those of any vendors.

Creating a rigorous data security program and cybersecurity training for all employees can be difficult for dealerships already facing staffing shortages and turnover. However, the potential fines are significant. At $50,000 per infraction, the risk of non-compliance is substantial. And it’s not just about the creation of a program. Dealerships must identify and control all current risks through encryption, access management, and multi-factor authentication. These changes are not one-time fixes. Requirements include continuous monitoring and vulnerability tracking.

Because auto dealers often work with several outside service providers, they will be faced with maintaining and monitoring safeguards in those relationships as well. This monitoring will need to include an enhanced selection process for new providers, updated contract reviews, and ongoing assessments.

Overarching all this, dealerships now must prove the capacity to provide a well-written incident response plan in case of a breach or other security incident. That plan will outline all roles, responsibilities, and remediation actions taken.

If you are already facing staffing shortages and need a cybersecurity professional, working with a partner can be the wisest decision in 2023. Often these partnerships can be established at a lower cost than a full-time employee relationship and provide you with the expertise you need to avoid risks and fines.

At Reclamere, our CSO 360 program can deliver everything outlined above. We assess your needs, develop a roadmap to achieve best practices, help implement your security program, craft metrics that monitor value, and provide periodic testing.

Whether it’s an audit request, regulatory inquiry, or your daily security management duties (qualified individual), our executives give your team the cybersecurity support and leadership needed to stay compliant with the new FTC Safeguard Rule Updates and prevent data breaches.

CSO360 options include:

  • Security program & risk assessments, roadmap planning, policy development, processes & controls.
  • Evaluation and recommendation of security products & technologies.
  • Coordination of data breach and incident investigations.
  • Assistance with security engineering for any company project requiring security input, such as network changes, mergers, system upgrades, and website changes.
  • Access to a secure client portal for the latest security news, recommendations, and best practices. This includes support ticket entry and tracking.

For a discovery call regarding the FTC Safeguard Rules, email us today at joseph@reclamere.com.
