Skip to main content
Rows of new cars on a dealership car lot.

Dealerships to Comply with FTC Data Breach Safeguards Rule

The updated FTC’s Safeguards Rule deadline for compliance was June 9, 2023. Read on for details.

The deadline for compliance with the the Federal Trade Commission (FTC) Safeguards Rule was June 9, 2023, requiring U.S. auto dealerships to comply with the FTC’s amended data security safeguards put in place to protect personal customer information. (See Code of Federal Regulations Part 314.1 – 314.6.)

The “Safeguards” Rule was developed in response to the number of widespread data breaches that continue to occur in the current threat landscape. Events like ransomware have continued to be rampant with no slowdown in the foreseeable future. These events typically have two components: 1) they steal data that can be sold on the Dark Web, and 2) they encrypt networks to extort additional monies from affected organizations where consumer financial information has been breached during cybersecurity incidents.

What does the Safeguards Rule mean for U.S. auto dealerships?

Any auto dealership that handles sensitive customer financial information will be required to comply with the newly updated FTC Safeguards Rule. The original FTC Safeguards Rule was effective on January 10, 2022 but changed to a new deadline of June 9, 2023 to provide organizations with more time to adopt these compliance requirements.

Here is a breakdown of the key Safeguards Rule components to help you understand the new compliance impacts on dealerships.

  1. U.S. auto dealerships will need to dedicate a “qualified individual” (QI) responsible for developing, overseeing, monitoring, and enforcing the dealership’s information security program (ISP). The QI can be an external business advisory firm or internal staff person who is already capable or can be trained over time to perform this role.
  2. Conduct IT Risk Assessments to help ensure:
    • A data classification policy exists and is used to assess the following key areas:
      • Vendor, application, and infrastructure (on-prem and cloud) criticality and availability, which are tied to a simple business impact analysis (BIA)
      • Threat assessment based on the current cybersecurity threat landscape
      • Check that all employees, vendors, or third parties with access to customer information “maintain safeguards commensurate with the Dealership’s ISP.” This information can be obtained through an annual GLBA/Risk Assessment to assess the level of access to PII information and whether sufficient safeguards are being maintained. The requirements also include “periodically assessing the security practices of service providers.” This information could be obtained by using third-party assessors (Forvis Mazars) or security questionnaires, or reviewing vendor’s System and Organization Controls (SOC) reports (if they have them)
      • Dealerships should implement additional IT controls that have a moderate to high residual risk level identified as part of the IT Risk Assessment exercise
  1. In addition to having an ISP which contains every dealership’s documented policies and procedures, maintaining a formal written Incident Response (IR) Policy that is tested annually via table-top exercise is paramount to complying with the FTC Safeguards Rule. All dealerships should be able to execute an IR plan when a cybersecurity incident arises that allows all key stakeholders to:
    • Prepare for all cybersecurity threats
    • Identify threats quickly so you can contain the lateral spread throughout other information systems
    • Inoculate and remove threats from the entire network
    • Recover any affected systems data and restore the continuity to all impacted information systems
    • Debrief on lessons learned in both the attack vectors used and opportunities where the executions of the IR plan did not go smoothly
  2. Encrypt all traffic traversing the network and information systems and enable multifactor authentication (MFA) for any sensitive business information systems that handle sensitive customer financial information, as defined by the dealership’s data classification policy. MFA should be enabled in all of the following key areas:
    • Applications and vendors who process or store either confidential information such as the DMS, credit applications, or other confidential customer information that could affect customer data
    • Business sensitive information that transmits or stores information such as on-prem or cloud-based email, instant messaging, or other applications similar to Office 365 Suite, including managed service providers’ access into the dealerships’ networks
    • These practices also should cover BYOD devices (tablets or phones) along with enrolling BYOD devices into a mobile device management (MDM) solution, which containerizes all dealership data and customer information and can be removed quickly and easily for dealerships’ termed employees or lost phones

Note: Forvis Mazars also recommends using this opportunity (above) to align the dealership’s consumer information it processes and transmits with current U.S. state data privacy laws requirements. Many dealerships outside of California have not focused on all breach requirements based on individual state laws.

    • The key areas dealerships should be aware of for the current individual state’s enacted data privacy law are:
      • Enacted/enforceable dates, who enforces the law (Attorney General, Private Rights of Action, or other groups), personal data definitions, whether you push a privacy review down to your QI, data protection requirement, individual state’s data breach notification requirements, and third-party vendor service requirements, as they relate to the screening of third-party vendors along with their data protection programs (vendor management)
  1. Perform an annual Network Security Assessment “test to detect actual or attempted attacks or intrusions into any information systems,” along with vulnerability scanning at least every six months.

Note: Forvis Mazars recommends dealerships consider moving this up to quarterly and eventually monthly scans, which the dealerships’ QI should immediately evaluate to ensure vulnerabilities are documented and tracked through remediation completion. This situation is especially true when third-party vendors perform these services via a service-level agreement (SLA).

  • It also should be noted that dealerships can skip the “Annual Network Security Assessment” requirement provided that dealerships have the following compensating controls listed below:
    • “Continuous Monitoring” with real-time intrusion detection and prevention (IDS/IPS) in the form of Managed Detection and Response (MDR), Extended Detection and Response (XDR), or a Security Operations Center (SOC) where continuous systems security (monitoring) is performed in real time (24x7x365)
  1. Perform End-User Security Assessments (Social Engineering) to include:
    • End-User Awareness Program, which helps ensure “All Employees are properly enacting and carrying out the ISP”
    • Testing all end-users periodically via email phishing with “fake” websites, voice phishing or “vishing,” and physical security walkthroughs
    • Providing additional training for any employee who fails these assessments throughout the year

Note: In addition to the training above, this solution also should be used during the onboarding of new employees coupled with periodic touchpoints throughout the year, so the employees are knowledgeable about cybersecurity threats and act as an actual first line of defense to keep the dealerships’ information systems secure from external threat actors.

  1. The QI must report in writing, at least annually, to the dealership’s board of directors or governing body concerning:
    • Status of the dealership’s ISP
    • Compliance with the FTC Safeguards Rule, which is outlined below in this article
    • Material events related to information systems security
    • Implementation and enforcement of the dealership’s entire ISP and remediations of gaps identified during its annual assessment of these Rule areas

Safeguard Rule Requirements

During the year, the QI will need to either outsource or oversee the following Safeguards Rule requirements:

Overall, the QI should oversee and formally document the customer safeguards throughout the year and report them annually. Maintaining documentation would create a “Book of Evidence” for the dealership to provide to the FTC in the event of a security incident that led to a data breach affecting consumer financial information. Having this “Book of Evidence” could potentially be viewed by the FTC post data breach as negligence versus gross negligence, i.e., if the dealership(s) were breached and had no “Book of Evidence.”

First-time failures would typically not result in fines. Still, the FTC could use such violations to justify a more extensive investigation into your dealership’s compliance with the FTC Safeguards and GLBA Rules. In addition to fines, the FTC also could create an agreement with the affected dealerships where periodic compliance evaluations were to be assessed. Any agreement violation also could increase enforcement and higher fines for violating consent.

For more resources related to this article or other inquiries, please contact Forvis Mazars’ Dealership Group.

Source: Code of Federal Regulations Part 314: Standards for Safeguarding Customer Information

Related FORsights

Like what you see?
Subscribe to receive tailored insights directly to your inbox.