The FTC Safeguards Rule aims to protect consumers' sensitive information held by financial institutions, which includes everyone from payday lenders to auto dealers.
So, what exactly is this rule? Does your business need to comply? And if so, how are you supposed to get started?
While this has been top of mind for many automotive general managers and IT leaders, many are still unsure where to start.
This guide will give you a plain-English overview of the FTC Safeguards Rule, including the first steps you can take to ensure you’re staying compliant.
Since compliance is an ongoing process (more like routine maintenance than a one-off job), we recommend choosing a long-term partner to help. It doesn’t have to be us, but you do need to make sure someone has your back on this. We’ll explain what to look for in a minute, but first, let’s dive in.
Compliance & Rule Checklist for Car Dealerships
The FTC Safeguards Rule is a set of guidelines that certain businesses must follow to protect their customers' private information. More specifically, these businesses are required to “develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.”
In other words, these businesses need to create and follow a security program to keep customer data safe. The program must be in writing, must be appropriate to the size and type of the business, and must take into account the sensitivity of the information being protected.
The original effective date was extended, so now businesses subject to the Safeguards Rule must comply with certain provisions by June 9, 2023.
The FTC Safeguards Rule applies to financial institutions under the FTC's jurisdiction, but "financial institution" is defined more broadly here than you might expect. It includes any businesses involved in activities that are financial in nature, like mortgage lenders, payday lenders, and check cashers, but it doesn’t stop there.
Auto dealers are affected by the FTC Safeguards Rule if they are engaged in activities that are considered financial in nature, such as offering financing or leasing options to customers.
So if you’re a mortgage lender, a check casher, or an auto dealer with over 5,000 customers, you’re subject to the rule.
The rule talks about setting up and running an information security program. You might be tempted to implement this program yourself, but it’s no simple task. As you read the list here, bear in mind you still have a business to run.
A “reasonable information security program” under the Safeguards Rule should include:
Designating a Qualified Individual to supervise the program.
Conducting a risk assessment to identify security risks and threats.
Designing and implementing safeguards to control identified risks, such as access controls, encryption, app assessment, multi-factor authentication, secure disposal of customer information, change management, and monitoring user activity.
Regularly monitoring and testing the effectiveness of safeguards, including penetration testing and vulnerability assessments.
Training staff to recognize risks and providing specialized training for those responsible for information security.
Monitoring service providers to ensure they maintain appropriate safeguards.
Keeping the information security program up-to-date with changes in operations, threats, or personnel.
Creating a written incident response plan that outlines goals, processes, roles, communication, system fixes, documentation, and reporting of security events.
Requiring the Qualified Individual to report to the Board of Directors or a senior officer on the company's compliance with its information security program.
The FTC has exempted financial institutions that maintain customer information concerning fewer than 5,000 consumers from certain provisions of the Safeguards Rule. A business with 5,000 or more consumers is fully subject to the rule and must follow all of its requirements.
The main goals of the plan are to keep customer information private, defend against possible threats or problems, and prevent unauthorized access, which could cause harm or inconvenience to customers.
The penalties for violations differ depending on how serious the violations are. The penalties for violating the FTC Safeguards Rule may include:
Businesses that fail to comply with the Safeguards Rule might face reputational damage and even potential lawsuits from affected customers. Keep in mind this is a rough overview – actual legal and financial ramifications may vary and you should seek legal counsel for further insight in this area.
To ensure compliance with the FTC Safeguards Rule, businesses should take the following steps:
Download the Compliance and Rule Checklist: Identify any gaps between your dealership’s current practices and the requirements of the Safeguards Rule. A self-assessment is a good starting point, but it is not enough on its own to guarantee compliance.
Conduct an FTC risk assessment: Work with a reputable provider to assess your risks and ensure compliance. You don't have to tackle this alone; even if you don’t use our "FTC-as-a-service" offer, you will still need to find a provider to help you achieve and maintain compliance.
When selecting a provider, consider these factors:
Remember, achieving compliance is about more than meeting the minimum requirements—it's about improving your organization's overall security posture to mitigate risk and avoid the potentially devastating consequences of a cyber breach.
Treat compliance as an ongoing process — like an insurance policy — to protect your business and customers in the long run.