The FTC Safeguards Rule for auto dealers presents clear standards for data safety measures to protect financial institutions from cyber-related breaches. The Federal Trade Commission requires dealerships to follow these rules, which originated in the Gramm-Leach-Bliley Act.

Following the FTC Safeguards Rule requirements is not only lawful and ethical, but it is also a great way to maintain customer confidence in your business. When you choose Strolid, you’re choosing digital marketing services with a deep understanding of how important it is to adhere to these compliance rules in the dealer industry.

Why Do Dealerships Need to Adhere to the FTC Safeguards Rule?

Auto dealerships are known for being easy hacker targets, mainly due to the broad scope of private information they gather over years or decades of financial transactions. Cybercriminals also target dealers because of out-of-date IT infrastructure, the sheer volume of personally identifiable data, and poor cybersecurity awareness.

When customers purchase or lease at your dealership, they entrust you with their most sensitive personal information. You can increase the chances of them returning by following the rules laid out by the FTC to prevent breaches from happening in the first place. Here’s a quick overview of the FTC Safeguards Rule for auto dealers to get you started.

FTC Safeguards Rule Requirements

In December 2021, the Federal Trade Commission expanded its Safeguards Rule to address more rigorous protections against cyberthreats. These regulations cover your customers’ information and data that other financial institutions share with your business. Notably, the FTC altered the definition of a “financial institution” so that auto dealerships would count.

Here are the nine security requirements your dealership must follow to be compliant with the FTC Safeguards Rule.

1. Qualified Supervisor

To protect the integrity of your customers’ most private information, you must hire a qualified professional to implement your security program. A member of your IT staff specializing in security or a Chief Information Security Officer can be eligible.

2. Risk Assessment Protocol

Several steps must be taken to complete a risk assessment. A complete inventory of customer data and the locations where it is stored must be created. The severity of your information security measures must be evaluated. The risk assessment must be recorded in writing. Finally, periodic risk “audits” must be performed to prevent additional risk.

3. Comprehensive Security Program

Once the level of risk has been determined, the next step is to form a plan to mitigate it. If you notice any red flags during the assessment, your information security program must be tailored to these risks. The following must be included:

• Access controls
• Multi-factor authentication
• Monitoring user login activities
• Encryption
• Long-term data disposal plan
• Secure development procedures
• Change management procedures

4. Regular Testing

In the eyes of the FTC, it is not enough to do one risk assessment and call it a day. You must closely watch your safeguards over time to confirm they are effective. Regular testing can help you notice security threats as they arise. You must also conduct:

• Penetration testing (once per year)
• Vulnerability assessments (at least twice per year)

5. Proper Training

Your dealership’s employees must be trained on security awareness periodically. Desk employees are especially vulnerable to phishing scams, malware, and viruses. With proper training, they may avoid a security breach.

6. Vet Security Providers

Take a close look at your service providers, particularly cloud or software vendors. Any company that collects and processes customer data must have an up-to-date understanding of the risks.

7. Regularly Update Your Information Security Program

Your information security program must reflect current cybersecurity standards. As your business changes, so should your plan. From new personnel to new applications, the one constant should be a security program that fits your dealership’s current processes.

8. Have an Incident Response Plan

In the worst-case scenario, does your business have a response plan? According to the Safeguards Rule, it should. Make sure your dealership has a response protocol to prepare for a breach or mishandling of your data.

9. Report to Your Board of Directors

Last but not least, the Federal Trade Commission requires auto dealers to report to their Board of Directors at least once a year on the current information security protocols.

FTC Safeguards Rule Penalties

If you are noncompliant with the Safeguards Rule, the Federal Trade Commission can take action against you. Failing to protect customers’ private information is a serious offense.

If you are found noncompliant, the Federal Trade Commission can seek one penalty fee per violation and, in extreme cases, may even file a civil lawsuit against your business. Public trust in your dealership is also compromised, as your customers can feel unsure whether or not they can trust you with their data.

Although the deadline for compliance regarding rule updates has passed at the time of this writing, you should make every effort to catch up with the required protocols to legitimize your company and build more credibility moving forward. Your business thrives when you put security and privacy first.

FTC Safeguards – The Red Flags Rule

Identity theft is all too common nowadays, so the Federal Trade Commission targeted this issue in the Fair and Accurate Credit Transactions Act. This rule requires certain businesses to enforce an Identity Theft Prevention Program in writing. It should detect any red flags of identity theft in business operations so that the company can act accordingly.

Given how volatile the world of cybersecurity can be, the program should be updated periodically to ensure it catches any potential warning signs of identity theft. By monitoring any red flags before they become real problems for your business, you can continue to prove your dealership to be reliable and trustworthy for your buyers. This solid relationship with customers is an outcome Strolid strives to provide all our clients.

How Strolid Can Help With FTC Compliance

Strolid is a digital agency that offers online marketing services. Enhance your dealership’s reach with our comprehensive database of partners and tools you can use to streamline, market, and organize information for your dealership.

We can help you align your marketing strategy with the complex Federal Trade Commission rules to ensure total compliance and a smartly run data protection plan. If you’re curious about our success rate, check out our customer reviews to get a sense of our wide community of satisfied clients!

Contact us today to learn more about our digital marketing services and products. By following the FTC Safeguards Rule for auto dealers, you will continue to build a solid bedrock of trust with returning and prospective customers.

Frequently Asked Questions

When is the FTC Safeguards Rule compliance deadline for auto dealers?

The deadline for complying with the FTC Safeguards Rule was on June 9th, 2023, but even dealerships that missed the deadline are expected to make every effort to adhere to the nine requirements. These make dealerships less vulnerable to cyberattacks and protect their customers against data breaches. Keep your buyers’ personal information safe by becoming familiar with the FTC Safeguards Rule.

What are the FTC rules for dealers in 2024?

In order to comply with federal regulations for protecting customers’ data, dealerships are required to follow each FTC Safeguards Rule. 2024 brings no amendments to the Gramm-Leach-Bliley Act, which designates guidelines for handling customer data. For example, each dealer must conduct a risk assessment, train their staff to a certain level, and hire qualified candidates for handling information systems.

What are the penalties of FTC Safeguards noncompliance for car dealers?

Noncompliance with the FTC is taken seriously. If you fail to meet the guidelines, your dealership and customer data are vulnerable to cyberattacks. The FTC can also seek civil penalty fees per violation and file a civil lawsuit. The business is also at risk of a damaged reputation and broken trust with its customers if their private information is stolen.