Dealerships’ Obligations under the FTC Safeguards Rule Increase and Expand
By W. Kirby Bissell
At this point, all dealerships should be familiar with the Federal Trade Commission’s “Standards for Safeguarding Customer Information” or the FTC’s Safeguards Rule. That rule originally took effect in 2003 and has required dealerships to develop and maintain a comprehensive written information security program. The purpose behind the Safeguards Rule is to ensure businesses that maintain consumer information, especially financial-related information, protect that information from misuse or data breaches and prevent identity theft of customers. On December 9, 2021, the FTC published updates to the Safeguards Rule that add additional requirements for dealerships, some of which became effective on January 10, 2022 and the remainder of which require compliance by December 9, 2022. Dealerships should begin preparing now to meet the December deadline as the additional steps required for compliance cannot be accomplished overnight.
The additional requirements that became effective on January 10, 2022, were minimal and only required slight changes to the program that your dealerships had already implemented. Specifically, dealerships are now required to conduct risk assessments of threats to the security of customer information on a periodic basis. Dealerships are also required to test for, and detect, actual or attempted attacks or intrusions into their information systems. Dealerships were already required to conduct risk assessments to establish sufficient safeguards on their systems – the new language just makes clear that this process should be ongoing. Similarly, dealerships were previously required to test or monitor the systems used to safeguard information, and the new language clarifies that this testing should also include checking for actual intrusions. These additions likely required only minimal effort on the part of dealerships, but the requirements that go into effect in December 2022 require much more substantial work.
The December 2022 requirements cover eight (8) different actions dealerships need to take. First, dealerships must dedicate a “Qualified Individual” responsible for developing, overseeing, monitoring, and enforcing your dealership’s information security program. This person does not have to actually implement the program at a technical or technological level, but they should be responsible for ensuring that the IT Department or outside vendor takes these steps. Second, and an extension of the January 2022 requirements, the periodic risk assessments must be used to guide the continued updating and enforcement of your information security program. A written record of these risk assessments must be maintained. Third, your dealership must implement customer information safeguards to control the risks identified in the risk assessments. These safeguards must include: access controls, systems inventory, encryption, secure development practices, multifactor authentication, disposal procedures, change management procedures and monitoring of authorized users’ activities. Importantly, customer information is defined very broadly under the Safeguards Rule so the safest practice is to consider any information a customer provides (even simply their name) as covered customer information.
Fourth, and also an extension of the January 2022 requirements, testing of vulnerabilities within your information systems must include either continuous monitoring or annual penetration testing and bi-annual (i.e., every six (6) months) vulnerability assessments. Fifth, dealerships must implement policies and procedures to ensure employees are properly enacting and carrying out the information security program, including through security awareness training, utilizing qualified information security personnel to carry out and oversee the information security program, and keeping those personnel up to date on newly-identified risks or threats so that the information security program can be continuously fine-tuned and updated to address emerging risks. Sixth, dealerships must ensure that service providers or third parties that have access to their customer information maintain safeguards commensurate with the dealership’s own information security program, and must periodically assess those providers’ level of access to such information and whether the safeguards they maintain are sufficient. We expect this to be the most difficult and time-consuming requirement that dealerships will have to implement under the Revised Safeguards Rule. Some service providers will already be up to date on these requirements (e.g., banks and other financing companies), but others (e.g., third-party warranty providers or other aftermarket vendors) will likely need to be educated, pushed and prodded to meet these requirements, including by adding contractual requirements to enforce the Safeguards Rule’s standards. Seventh, dealerships must develop and implement a written incident response plan that lays out the process for responding to any breach of your information systems or exposure of customer information that your dealerships maintain.
The plan should include, among other things, guidelines for internal and external communications and information sharing regarding the incident, clear delineation of roles and responsibilities for decision-makers in dealing with the incident and an internal process for responding to an incident and correcting any issue that has arisen. Finally, the designated Qualified Individual must report in writing, at least annually, to the dealership’s board of directors or equivalent governing body on the status of your dealership’s information security program and compliance with the Safeguards Rule as well as material events related to information systems security and the implementation and enforcement of your information security program.
Violations of the updated Safeguards Rule’s requirements can result in consent decrees with the FTC (a monitored, strictly-managed settlement agreement where the FTC periodically evaluates the dealerships’ compliance with the same), monetary fines for violating a consent order and increased enforcement by the FTC more broadly. Fines cannot be levied for first-time violations of the Safeguards Rule, but the FTC will use such violations to justify more extensive investigation of your operations to find other violations for which it could fine your dealerships.
NADA has published “A Dealer Guide to the FTC Safeguards Rule” that explains the Rule’s new requirements in more detail and has a sample written information security program. Additionally, dealerships can work with their information technology vendors and other outside consultants to have these subject-matter experts aid the dealership in implementing an information security program that meets the requirements of the FTC Safeguards Rule (and in some cases these consultants or vendors may even be able to handle compliance from start to finish). However, we cannot stress enough the necessity of involving experienced counsel to ensure your dealership’s program meets the legal requirements of the Safeguards Rule and to address how to create a program that fits your dealership’s needs based on its size, volume of consumer information maintained and other unique considerations for your business.