What MSPs need to know about the FTC’s Proposed Changes to Car, Boat, Motorcycle and RV Sales Practices

On June 23, 2022, the FTC proposed the Motor Vehicle Dealers Trade Regulation Rule, which seeks to “protect consumers and honest dealers by making the car-buying process more clear and competitive.”

Introduction

In the wake of the recent data breaches at Facebook and other large corporations, it's clear that cybersecurity is top-of-mind for consumers and regulators alike. As a result, all businesses that handle consumer information are now subject to strict new rules under the FTC Safeguards Rule. Failure to comply with these rules can result in millions of dollars in fines for your dealership.

So what does this mean for you? Your dealership must have policies and procedures that protect against unauthorized access or use of customer information; a written information security program (WISP) that identifies reasonably foreseeable internal and external risks to customer data; safeguards designed to control those risks; and service providers who also abide by these requirements when working on behalf of your business.

Rules to consider

  1. Designate a Qualified Individual to implement and supervise your information security program.
  2. Conduct a risk assessment.
  3. Design and implement safeguards to control the risks identified, including:
  4. Implement and periodically review access controls.
  5. Know what you have and where you have it.
  6. Encrypt customer information on your system and when it’s in transit.
  7. Assess your apps.
  8. Implement multi-factor authentication for anyone accessing customer information on your system.
  9. Dispose of customer information securely.
  10. Anticipate and evaluate changes to your information system or network.
  11. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
  12. Regularly monitor and test the effectiveness of your safeguards.
  13. Train your staff.
  14. Monitor your service providers.
  15. Keep your information security program current.
  16. Create a written incident response plan.
  17. Require your Qualified Individual to report to your Board of Directors.

Your dealership's policies and procedures must protect the security, confidentiality and integrity of customer information.

You must have policies and procedures in place to protect the security, confidentiality and integrity of customer information. Your WISP must be written and include at least the following:

  • Policy statements
  • Management commitment
  • Organizational roles and responsibilities for implementing security controls
  • The process for reviewing the effectiveness of your WISP on an ongoing basis

A written information security program (WISP)

A written information security program (WISP) is a critical part of protecting your dealership’s sensitive personal information and ensuring compliance with the FTC Safeguards Rule. To ensure that you have one, follow these steps:

  • Review your WISP annually. Your WISP should be reviewed at least annually, including a review by an independent third party if you have one on staff who is qualified to perform such reviews. The reviewers should consider whether the safeguards in place are reasonable and appropriate for your business to protect against unauthorized access or use of sensitive personal information. Any changes made as a result of these reviews must be documented and retained for at least five years from the date they were made or implemented.

Our Policy Documentation as a Service can help you get started with our FTC Safeguard Policy Pack!


Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information

The FTC Safeguards Rule requires you to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information.

You must assess the risk based on a comprehensive analysis of your systems and processes that includes:

  • The sensitivity of the personal information you maintain;
  • The cost and difficulty of mitigating vulnerabilities;
  • How quickly you must respond after discovering an event involving unauthorized access or disclosure.

The controls put in place to address these risks should be appropriate given their severity (the probability they will occur) and likelihood (the extent to which a particular occurrence is expected). Controls should be implemented at points where there is a reasonable possibility of compromise or loss. For example: encryption for high-value data; two-factor authentication for remote access; database partitioning for sensitive data such as credit card numbers; and appropriately restricted permissions on network shares for servers containing PII.

Design and implement safeguards to control these risks

The FTC Safeguards Rule requires you to:

  • Identify internal and external risks, and design and implement safeguards to control those risks.
  • Ensure that your service providers have safeguards in place for customer data they may access while working on behalf of your dealership.

Ensure your service providers have safeguards for customer data.

Service providers that process, maintain or otherwise handle your dealership’s customer data should also have the same level of security. These service providers may include:

  • Software developers who build apps that interact with your dealership’s software
  • Email marketing and text messaging services you use to contact customers
  • Third-party vendors who offer services like CRM and reporting tools

Preventing loss or theft of private customer information is costly. The costs are passed along to customers in the price of the vehicle purchased.

The costs of security breaches are passed on to customers in the price of the vehicle purchased. In addition, when your dealership is required to pay fines or compensate customers for a security breach, those costs are also passed on to customers.

Additionally, a breach can result in loss of business as well as customer trust. Your customers may not return and could suffer financially if they don't receive compensation after their information was stolen.

Conclusion

The FTC Safeguards Rule is designed to protect customers by requiring dealerships to implement safeguards against loss or theft of private customer information. The costs associated with implementing these safeguards are passed along to consumers in the price of their vehicle purchase.
