In 2021, the Federal Trade Commission (FTC) revised the “Standards for Safeguarding Customer Information” (the Safeguards Rule), originally issued under the Gramm-Leach-Bliley Act in 2002. The updates respond to the growth in cyber threats, including those that accompanied the COVID-19 pandemic.

The purpose is to protect customer information from misuse and data breaches, and ultimately from the identity theft and privacy violations that follow them.

The Safeguards Rule applies broadly to all “financial institutions,” a term that reaches beyond banks to other entities that provide or facilitate financial services, including automotive dealerships that arrange customer financing. The FTC extended the first compliance deadline for several of the new requirements to June 9, 2023.

The updated Standards for Safeguarding Customer Information require dealers to develop, implement and maintain a comprehensive written information security program by June 9, 2023.

Below is a brief outline of the compliance requirements:

Accountability & Ownership

  • Designation of a “Qualified Individual” to oversee and implement the information security program.
  • This person may be an employee, an affiliate, or a third-party service provider; if a third party is used, the dealership retains responsibility for compliance and must designate a senior member of its own personnel to direct and oversee that third party.

Preparation & Evaluation

  • Written documentation & best practices evidencing compliance:
    • Security Risk Assessment
    • Information Security Program
    • Incident Response Plan
  • Ongoing written reports to the board of directors (or equivalent governing body) on the security program, regularly and at least annually, prepared by the designated Qualified Individual

Implementation of Security Tools

  • Implementation of required controls: encryption of customer information both at rest and in transit, multifactor authentication for anyone accessing systems that hold customer information, and monitoring of user activity on those systems
  • Partnerships and documentation for penetration testing and vulnerability scans. The rule accepts either continuous monitoring of information systems or, in its place, annual penetration testing plus vulnerability assessments at least every six months, so the cadence of these engagements should be recorded

Implementation of Best Practices, Controls, & Procedural Requirements (including ongoing monitoring)

  • Access controls that limit access to customer information to authorized users and to what each user needs
  • Inventory of the data, personnel, devices, systems and facilities that store or access customer information
  • Secure development practices for in-house applications, and procedures for evaluating the security of third-party applications before use
  • Disposal procedures for customer information, which the rule generally requires be securely disposed of no later than two years after its last use unless retention is required
  • Change management plan covering changes to information systems

Change Management & Employee Training

Establish Routines for Auditing & Periodically Reassessing Service Providers’ Security Practices

This is only a brief outline of the regulation’s requirements. For compliance help and a cybersecurity assessment, please call us at 951-319-4080.