Recent changes to an important Federal Trade Commission (FTC) Rule make auto dealership cybersecurity even more critical. The FTC has introduced new cybersecurity standards that auto dealerships must implement by December 9, 2022. Protecting customer information is at the core of the FTC Standards for Safeguarding Customer Information – aka the Safeguards Rule. The FTC amended the 2003 Rule in 2021 to keep pace with current technology. The revised Rule provides updated, concrete guidance for businesses and requires companies covered by the Rule to implement important security measures to keep customer data secure. Creative Consultants Group can help your dealership comply with these rules. Here’s what you need to know.
According to Section 314.1(b), your dealership is considered a financial institution if it’s engaged in financial activity or in activity incidental to such financial activity. If your business is subject to the FTC’s jurisdiction and isn’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 USC § 6805, the answer is probably yes.
The Rule defines a financial institution broadly and bases the definition on the types of activities your business undertakes. In addition to the list of businesses already deemed financial institutions, the 2021 amendments to the Rule add a new category – finders. If your dealership brings together buyers and sellers and the parties negotiate and consummate the transaction, the dealership is considered a finder.
The Safeguards Rule requires your dealership to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards designed to protect your customers’ information. Dealerships that don’t comply by December 2022 face up to $46,517 per consent order violation. The FTC can take an expansive view of a violation, depending on the circumstances, particularly if there are issues involving multiple customer records.
The three main objectives of your information security plan are:
Customer information refers to any record containing nonpublic personal information about a financial institution customer, whether in paper, electronic, or another form, that you or your affiliates handle or maintain.
The size and complexity of your dealership, the nature and scope of your activities, and the type of data and information you collect will determine what must be included in your information security program.
The importance of cybersecurity goes beyond the Rule. Cyber incidents like ransomware or data breaches can bring a dealership’s computers offline, making business-as-usual impossible. If a customer’s data is breached, they could be at risk for identity theft and other scams.
December will be here before you know it. You can learn more about the FTC Safeguards Rule and general guidance on data security on the FTC’s website. Reach out to Creative Consultants Group with your compliance questions and learn how our suite of products and expert team can protect your business. We are offering a free assessment of auto dealerships’ cybersecurity as a starting point. To request your FREE assessment, complete the form below.