FTC Safeguards Rule: What Every Auto Dealer Needs to Know

Jesse White

The FTC Safeguards Rule aims to protect consumers' sensitive information held by financial institutions, which includes everyone from payday lenders to auto dealers.

So, what exactly is this rule? Does your business need to comply? And if so, how are you supposed to get started?

While this has been top of mind for many automotive general managers and IT leaders, many are still puzzled in knowing where to start.

This guide will give you a plain-English overview of the FTC Safeguards Rule, including the first steps you can take to ensure you’re staying compliant.

Since compliance is an ongoing process (more like routine maintenance than a one-off job), we recommend choosing a long-term partner to help. It doesn’t have to be us, but you do need to make sure someone has your back on this. We’ll explain what to look for in a minute, but first, let’s dive in. 

Compliance & Rule Checklist for Car Dealerships

The basics of the FTC Safeguards Rule (in simple English)

What is the FTC Safeguards Rule (2023)?

The FTC Safeguards Rule is a set of guidelines that certain businesses must follow to protect their customers' private information. More specifically, these businesses are required to “develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.”

In other words, these businesses need to create and follow a security program to keep customer data safe. This plan will be in writing and needs to be appropriate to the size and type of business, as well as consider the importance of the information being protected.

The original effective date was extended, so now businesses subject to the Safeguards Rule must comply with certain provisions by June 9, 2023.

Who is subject to the FTC Safeguards Rule? Does it affect me?

The FTC Safeguards Rule applies to financial institutions under the FTC's jurisdiction, but "financial institution" is defined more broadly here than you might expect. It includes any businesses involved in activities that are financial in nature, like mortgage lenders, payday lenders, and check cashers, but it doesn’t stop there.

Auto dealers are affected by the FTC Safeguards Rule if they are engaged in activities that are considered financial in nature, such as offering financing or leasing options to customers.

So if you’re a mortgage check cashier or auto dealer, with over 5000 customers, you’re subject to the rule.

What does an “information security program” entail?

The rule talks about setting up and running an information security program. You might be tempted to implement this program yourself, but it’s no simple task. As you read the list here, bear in mind you still have a business to run.

A “reasonable information security program” under the Safeguards Rule should include:

  1. Designating a Qualified Individual to supervise the program.

  2. Conducting a risk assessment to identify security risks and threats.

  3. Designing and implementing safeguards to control identified risks, such as access controls, encryption, app assessment, multi-factor authentication, secure disposal of customer information, change management, and monitoring user activity.

  4. Regularly monitoring and testing the effectiveness of safeguards, including penetration testing and vulnerability assessments.

  5. Training staff to recognize risks and providing specialized training for those responsible for information security.

  6. Monitoring service providers to ensure they maintain appropriate safeguards.

  7. Keeping the information security program up-to-date with changes in operations, threats, or personnel.

  8. Creating a written incident response plan that outlines goals, processes, roles, communication, system fixes, documentation, and reporting of security events.

  9. Requiring the Qualified Individual to report to the Board of Directors or a senior officer on the company's compliance with its information security program.

Are there any exceptions to the FTC Safeguards Rule?

The FTC has exempted financial institutions that maintain customer information concerning fewer than 5,000 consumers from certain provisions of the Safeguards Rule. If a business has 5,000 or more consumers, they are fully subject to the rule and must follow all the requirements.

What is the goal of the FTC Safeguards Rule?

The main goals of the plan are to keep customer information private, defend against possible threats or problems, and prevent unauthorized access, which could cause harm or inconvenience to customers.

What are the penalties for violating the FTC Safeguards Rule?

The penalties for breaking the rules can be different depending on how serious the violations are. The penalties for violating the FTC Safeguards rule may include:

  • Paying a fine
  • Issuing a cease and desist order for your organization
  • Mandating specific actions be taken
  • And more

Businesses that fail to comply with the Safeguards Rule might face reputational damage and even potential lawsuits from affected customers. Keep in mind this is a rough overview – actual legal and financial ramifications may vary and you should seek legal counsel for further insight in this area.

How can I make sure my dealership is compliant with the Safeguards Rule?

To ensure compliance with the FTC Safeguards Rule, businesses should take the following steps:

  1. Download the Compliance and Rule Checklist: Identify any gaps between your dealership’s current practices and the requirements of the Safeguards Rule. A self-assessment test is a good starting point, but it's not enough to guarantee compliance

  2. Conduct an FTC risk assessment: Work with a reputable provider to assess your risks and ensure compliance. You don't have to tackle this alone; even if you don’t use our "FTC-as-a-service" offer, you will still need to find a provider to help you achieve and maintain compliance.

When selecting a provider, consider these factors:

  • Comprehensive services: Choose a provider that offers more than just compliance assistance. By partnering with a company that also handles risk management and IT for instance, you can consolidate your services and reduce the number of third parties involved in your IT environment. This will reduce your risk overall.
  • Predictable pricing at scale: Opt for a provider with transparent pricing that scales with your business growth, such as per-user pricing. This allows you to plan for future expenses and maintain compliance as your company expands.
  • Long-term, comprehensive support: Compliance with the Safeguards Rule is an ongoing process, not a one-time event. Select a provider that offers continuous support to ensure your organization remains compliant and can adapt to changes in regulations and technology.

Remember, achieving compliance is about more than meeting the minimum requirements—it's about improving your organization's overall security posture to mitigate risk and avoid the potentially devastating consequences of a cyber breach.

Treat compliance as an ongoing process — like an insurance policy — to protect your business and customers in the long run.

Jesse White

VP, Strategic Partnerships Jesse leads the client and business development teams at Katalyst. His experience spans multiple technology platforms and infrastructure. He is skilled at helping customers solve business challenges, navigate market trends and make smarter decisions with disruptive technologies.