What US Auto Dealers Should Know
FTC SAFEGUARDS RULE
Whether you operate an auto dealership or are a Managed Service Provider supporting auto dealers in the United States, there's an impending deadline of June 23, 2023 to address information security.
WHAT IT IS
The FTC's Standards for Safeguarding Customer Information, also known as the Safeguards Rule, is designed to ensure that institutions protect the security of customer information. The Rule took effect in 2003 and was amended in 2021 to provide more concrete guidance for businesses. June 23, 2023 is the effective date for compliance.
WHO IS AFFECTED?
The FTC Safeguards Rule is intended to cover "financial institutions", including any companies engaged in activities that are financial in nature. The 2021 amendment added a new example: finders, meaning companies that bring together buyers and sellers who negotiate the transaction among themselves. The FTC specifically names "auto dealerships" as a non-banking financial institution that would fall under the purview of these new revisions. There is an exemption for those that "maintain customer information concerning fewer than five thousand consumers." This now makes auto dealerships likely subject to the Rule. We recommend checking Section 314.2(h) of the Rule to help you determine whether your company is affected.
WHAT IS REQUIRED?
The Safeguards Rule formalizes good cyber practice: developing, implementing and maintaining an information security program with safeguards to protect customer information, for example, any nonpublic personal information.
Your information security program must be written and appropriate for your business and the sensitivity of the information you process or store. Nine recommended elements for your program are listed below.
The use of ITC solutions will assist in your journey to compliance by implementing several of the safeguards needed: access controls, creation of a unified audit to know what files have been accessed and by whom, as well as demonstrating the effectiveness of controls as a reasonable precaution to prevent misuse of your trusted applications or loss of data.
The deadline is coming quickly, so now is the time to contact ITCentral. ITC staff will work with you to ensure your endpoints are locked down and your qualified individual is onboarded and ready to operate. Safeguarding your customer data provides the level of assurance to keep your customers coming back and your business operating both now and well into the future.
NINE RECOMMENDED ELEMENTS OF YOUR SECURITY PROGRAM
1. Have a qualified individual to implement and supervise your information security program
2. Conduct a risk assessment
3. Design and implement safeguards to control risks
• Review access controls
• Know what you have and where you have it
• Encrypt customer information
• Assess your apps
• Implement multi-factor authentication for users
• Dispose of customer information securely
• Anticipate and evaluate changes to your system
• Maintain a log of authorized users' activities
4. Regularly monitor and test the effectiveness of
5. Train your staff
6. Monitor your service providers
7. Keep your information security program current
8. Create a written incident response plan
9. Require your qualified individual to report to your Board of Directors