Auto Dealership Cybersecurity

Cybersecurity and IT solutions to protect auto dealerships and maintain FTC Safeguards Rule compliance.

Is Your Auto Dealership Prepared for the FTC Rule Changes?

Recent changes to an important Federal Trade Commission (FTC) Rule make auto dealership cybersecurity even more critical. The FTC has introduced new cybersecurity standards that auto dealerships must implement by December 9, 2022. Protecting customer information is at the core of the FTC Standards for Safeguarding Customer Information, also known as the Safeguards Rule. The FTC amended the 2003 Rule in 2021 to keep pace with current technology. The revised Rule provides updated, concrete guidance for businesses and requires companies covered by the Rule to implement important security measures to keep customer data secure. Creative Consultants Group can help your dealership comply with these rules. Here’s what you need to know.

Is My Dealership Required to Comply With the Safeguards Rule?

According to Section 314.1(b), your dealership is considered a financial institution if it’s engaged in financial activity or in activity incidental to such financial activity. If your business is subject to the FTC’s jurisdiction and isn’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 USC § 6805, the answer is probably yes.

The Rule defines a financial institution broadly and bases the definition on the types of activities your business undertakes. In addition to the list of businesses already deemed financial institutions, the 2021 amendments to the Rule add a new category: finders. If your dealership brings together buyers and sellers and the parties negotiate and consummate the transaction, the dealership is considered a finder.

What Actions Should We Take to Be Compliant?

The Safeguards Rule requires your dealership to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards designed to protect your customers’ information. Dealerships that don’t comply by December 2022 face up to $46,517 per consent order violation. The FTC can take an expansive view of a violation, depending on the circumstances, particularly if there are issues involving multiple customer records. 

The three main objectives of your information security plan are: 

  • Ensuring the security and confidentiality of customer information; 
  • Protecting against anticipated threats or hazards to the security or integrity of that information; and 
  • Protecting against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.

Customer information refers to any record containing nonpublic personal information about a financial institution customer, whether in paper, electronic, or another form, that you or your affiliates handle or maintain. 

The size and complexity of your dealership, the nature and scope of your activities, and the type of data and information you collect will determine what must be included in your information security program.  

Nine Elements of the FTC Safeguards Rule Dealerships Need to Know

The Safeguards Rule identifies nine elements that your dealership’s information security program must include. Creative Consultants Group has solutions to help with all or any combination of your dealership’s needs to ensure compliance. 

The components of the Rule and Creative Consultants Group’s solution to meet the requirements involve:

1. Designate a Qualified Individual


Designating a Qualified Individual to implement and supervise your company’s information security program.
The Qualified Individual can be an employee of your company, or a senior team member can work with an affiliate or service provider like Creative Consultants Group.  

2. Conducting a Risk Assessment


Your risk assessment must be written and include criteria for evaluating those risks and threats. Because the risks to information constantly morph and mutate, the Safeguards Rule requires dealerships to conduct periodic reassessments as operations change and new threats emerge. Creative Consultants Group's TotalCare with Advanced Security includes comprehensive testing and auditing solutions to test and assess your systems for threats.

3. Designing and Implementing Safeguards


Designing and implementing safeguards to control risks identified through your risk assessment. Requirements include:
 

With Creative Consultants Group's TotalCare with Advanced Security, our experts provide all your IT services with IT Managed Services (MSP) and Security Services with Managed Security Solutions Provider (MSSP). We’ll be your complete IT and Cybersecurity team to keep your dealership in compliance and make sure servers, networks, and workstations are up and running and fully protected so you can focus on running your business. 

4. Regularly Monitoring and Testing


Regularly monitoring and testing the effectiveness of your safeguards either through continuous monitoring of your system or annual penetration testing, as well as vulnerability assessments. 
 AirAudit keeps dangerous vulnerabilities in check to ensure your systems aren’t vulnerable to attack. When your organization takes the opportunity to see your security posture through the eyes of your most significant threat, you prevent them from taking over your infrastructure. Our expert auditing helps you discover exploitable flaws in your security through our vulnerability scanning, assessment, ransomware simulation, and penetration testing options. 

5. Training Your Staff


Your dealership’s security program is only as effective as its least vigilant staff member, and it’s critical to train your team to spot risks and safeguard customer data. We provide full Cybersecurity Training and Compliance Monitoring to ensure all your employees are fully trained and all training is fully documented.

6. Monitoring Your Service Providers


Your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job. Airiam will work with your dealership to cover all the bases, so your contracts with us are compliant.
 

7. Keeping your Information Security Program Current


Security requirements change, and security programs must be flexible enough to accommodate necessary modifications. Airiam offers support services for IT management, monitoring, and cybersecurity, bundled for complete infrastructure management. 

8. Creating an Incident Response Plan


An Incident Response Plan clearly defines roles, responsibilities, actions, and communication in advance of an Incident to provide clear guidance and system priorities for responding to any Cybersecurity Incident.  It should include:
 

Should you experience a breach, Creative Consultants Group's TotalCare Emergency Response can help you get your business back up and running and protect your infrastructure from future attacks. And to prevent attacks, TotalCare Managed Services with Advanced Security managed detection and response (MDR) protects your business with bundled cybersecurity and IT services. 

9. Reporting to the Board of Directors or Governing Body

Requiring your Qualified Individual to report to your Board of Directors or governing body in writing, at least annually. If your dealership doesn’t have a Board or equivalent, the report must go to a senior officer responsible for your information security program. 

The report should address: 

  • An overall assessment of your company’s compliance with its information security program.
  • Specific topics related to the program such as risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.

Creative Consultants Group will assist with all your reporting requirements based on our TotalCare services your dealership requires to stay compliant.  

Don’t Wait to Make Auto Dealership Cybersecurity a Top Priority

The importance of cybersecurity goes beyond the Rule. Cyber incidents like ransomware or data breaches can bring a dealership’s computers offline, making business-as-usual impossible. If a customer’s data is breached, they could be at risk for identity theft and other scams.

December will be here before you know it. You can learn more about the FTC Safeguards Rule and general guidance on data security on the FTC’s website. Reach out to Creative Consultants Group with your compliance questions and learn how our suite of products and expert team can protect your business. We are offering a free assessment of auto dealerships’ cybersecurity as a starting point. To request your FREE assessment, complete the form below.

Request Your Free Cybersecurity Assessment