In 2021, the Federal Trade Commission (FTC) revised the “Standards for Safeguarding Customer Information” previously issued under the Gramm-Leach-Bliley Act in 2002. The updates are a result of increased cyber threats since the COVID-19 pandemic.

The purpose is to protect consumer information from misuse or a data breach, and ultimately to prevent identity theft or privacy violations.

The Safeguards Rule applies broadly to all “financial institutions,” including other entities that provide or facilitate financial services. The first FTC compliance deadline for automotive dealerships is June 9, 2023.

The updated Standards for Safeguarding Customer Information require dealers to develop, implement and maintain a comprehensive written information security program by June 9, 2023. This includes an accountability component: the designation of a “qualified” employee to provide information security, or of a third party (like an MSP) overseen by a senior member of your personnel.

The FTC is refining its definitions, including that of Multi-Factor Authentication (MFA), based on its recent enforcement actions combined with input from the Cybersecurity and Infrastructure Security Agency (CISA). The commission has specified that MFA methods must be resistant to phishing attacks and required for all employees who have access to customer information.

The National Automotive Dealer Association (NADA) summarizes the specific requirements as follows:

“The specific requirements of the current Rule are outlined in several NADA guides, but, in brief, the Rule requires financial institutions to “develop, implement, and maintain a [written] comprehensive information security program” that “contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”
In other words, you should today have a written document that you have developed for your store, after reviewing your systems and the information you maintain, that contains a series of steps you are taking to protect that data. Notably, this current requirement allows dealers the flexibility they need to protect data in a manner that is appropriate to the size and scope of their operations.”

JR-Tech specializes in cybersecurity and compliance for companies in the Inland Empire. For qualified businesses, JR-Tech will conduct a free cybersecurity threat assessment to identify gaps so dealerships and other financial institutions can start to document their IT systems and evaluate their security risk. Please call us at 951-319-4080.