The landscape of security threats is ever-changing, necessitating the adaptation of more comprehensive security policies. In the face of this reality, the Federal Trade Commission (FTC) has extended its Safeguards Rule, originally developed for financial institutions, to include automotive dealerships. This rule is designed to maintain safeguards that protect the security of customer information, making businesses more resilient to cybersecurity incidents.

The New FTC Safeguards Rule

The revised Safeguards Rule applies to all customer information in your possession, whether it pertains to individuals with whom you have a customer relationship or to the customers of other financial institutions that have provided information to you. This change expands the types of businesses now required to follow this rule, including auto dealerships with over 5,000 customer records. Importantly, this includes all records, not just transaction ones.

What Are the New Requirements?

The FTC has set a deadline of June 9th, 2023, for all dealers to meet the following requirements if they have over 5,000 customer records:

1. Designate a qualified individual to oversee, implement, and enforce your Information Security Program.
2. Conduct risk assessments on information security and existing safeguards.
3. Implement mandatory safeguards to control risks, including access controls, systems inventory, encryption, secure development practices, multi-factor authentication (MFA), disposal procedures, change management procedures, and monitoring and logging of authorized user activity.
4. Regularly test or audit the effectiveness of your safeguards, key controls, systems, and procedures.
5. Implement policies and procedures for personnel to implement your Information Security Program.
6. Oversee service providers to ensure they are compliant with your security policies.
7. Draft your Incident Response Plan to prepare for potential cybersecurity incidents.
8. Prepare an annual report to the board or equivalent entity, detailing your cybersecurity efforts and any incidents that may have occurred during the year.

Understanding the Risks

No industry is safe from cyber attacks. Small, medium, and large companies alike are targeted for phishing, ransomware, or other cyber-attacks that put personal information at risk. The consequences of such breaches can range from identity theft and document tampering to misappropriation of data.

If your auto dealership suffers a security incident, you may be subject to an audit by the FTC for compliance. Non-compliance could result in fines. Furthermore, your cybersecurity insurance provider may also conduct an audit. If they find you are not compliant with the new Safeguards Rule, they may not cover the incident.

Steps to Compliance

While the June 9th, 2023 deadline may seem far away, now is the time to start implementing these critical security regulations. Here are some steps to consider:

1. Start with a network assessment that includes testing your security and other key provisions in the Safeguards Rule.
2. Develop a plan that is not a one-time exercise. The Safeguards Rule requires regular testing, updates, and reports to your board or equivalent entity.
3. Ensure you have the right person on staff who is qualified to create and manage your Information Security Plan. If you do not have one, look for a qualified partner that can provide the services you need.
4. Apply your plan to all of the systems you use, including third-party vendors. The earlier you implement these critical security regulations, the safer your dealership will be from experiencing a cybersecurity attack and non-compliance issues.

Conclusion

The FTC’s new Safeguards Rule aims to protect the security of customer information and increase resilience to cybersecurity incidents. The rule's extension to car dealerships is indicative of the increasing importance of cybersecurity across all industries.

With the June 9th, 2023 deadline quickly approaching, it’s vital to understand the requirements of the FTC Safeguards Rule and take the necessary steps to ensure compliance. By doing so, you are not only protecting your business from potential cybersecurity incidents and compliance issues but also securing the trust and confidence of your customers. It's a win-win situation - improving your business's security posture while enhancing the customer experience.

Remember, cybersecurity is not a one-off project but a continuous journey. The environment is dynamic, and threats are continually evolving. Therefore, it is essential to regularly review and update your Information Security Plan and stay informed about the latest cybersecurity trends and best practices.

Stay safe and stay compliant. Your customers are counting on you.