Dealership Compliance with Updated Federal Safeguards Rule Required by December 9, 2022 – Don’t Wait
As auto dealers have likely learned from recent news sources such as Automotive News and other automotive industry trade publications, last fall the Federal Trade Commission (“FTC”) finalized its amendments to the original Safeguards Rule under the Gramm–Leach–Bliley Act (“GLB”). These rule changes followed a prolonged regulatory process intended to strengthen the security of consumer financial information in the wake of the increased incidence of data breaches.
By way of background, the Safeguards Rule was promulgated to implement the GLB. Auto dealerships, which are considered “financial institutions” under the GLB because they offer credit transactions, have always been subject to the Safeguards Rule and required to assess the risks to the security and privacy of consumer financial information, maintain a program to secure that data, regularly monitor and update that program, and designate who is responsible for the program. The amended Rule contains several major changes, new requirements and specific criteria that auto dealers must satisfy. Dealers, financial institutions and their vendors are urged to prepare now and begin implementing the changes called for by the amended Rule well in advance of the December 9, 2022 deadline.
The updated Rule requires dealerships to address specific areas in their security program risk assessment and to produce a written report of that assessment. It further requires that each safeguard plan address several specific items, including without limitation: access controls; data inventory and classification; encryption; secure development practices; authentication; information disposal procedures; change management, testing, and incident response; measures to monitor the effectiveness of the safeguard plan; required employee training; and oversight of external third-party service providers.
To assist dealers in understanding how the amended Rule affects their business operations, the following summarizes some of the more significant changes to the Safeguards Rule so that dealerships can evaluate and prepare to modify their existing programs. These include the required written risk assessment, certain program changes, a written incident response plan, the designated “Qualified Individual” and related reporting requirements.
The dealership’s information security program under the amended Rule must be based on a written risk assessment. The written assessment must include criteria for evaluating and categorizing identified security risks or threats; criteria for assessing the confidentiality, integrity and availability of the dealership’s information systems and customer information, including the adequacy of the controls in place to identify those risks or threats; and a description of how the identified risks will be mitigated or accepted and how the information security program will address them. Using these criteria, dealerships must assess the reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in its unauthorized disclosure, misuse, alteration, destruction or other compromise, and then design and implement safeguards to control those risks. The assessment is not a one-time exercise: it must be revisited periodically so that the safeguards keep pace with changes to the dealership’s systems, vendors and threat environment.
The amended Rule requires certain program changes, meaning that specific elements must now be included in the dealership’s safeguard program. These include encrypting customer information both in transit over external networks and at rest on the dealership’s systems (where encryption is infeasible, the Rule permits an alternative compensating control only if the Qualified Individual reviews and approves it in writing), and implementing multi-factor authentication for any individual accessing an information system that holds customer information. Multi-factor authentication means requiring at least two different factors from the following categories: knowledge factors (e.g., a password), possession factors (e.g., a hardware or software token), and inherence factors (e.g., a biometric). Two factors of the same type, such as a password plus a security question, do not satisfy the requirement.
A written incident response plan must also be established and implemented so that the dealership can both respond to and recover from a security event. The Rule requires the plan to address several specific elements, including without limitation the goals of the plan, the internal processes for responding to a security event, the roles, responsibilities and levels of decision-making authority, internal and external communications and information sharing, remediation of identified weaknesses in systems and controls, documentation and reporting of security events and the related response activities, and evaluation and revision of the plan following a security event.
Another significant change in the amended Rule relates to accountability. While the prior Rule allowed dealerships to designate one or more employees to be responsible for the information security program, the amended Rule requires the designation of a single “Qualified Individual,” as defined in the Rule, to oversee, implement and enforce the program, along with periodic written reports from that individual to the board of directors or equivalent governing body of the dealership entity. The Qualified Individual may be an employee of the dealership, an affiliate, or a service provider, but in the latter cases the dealership retains responsibility for compliance and must oversee the service provider’s work.
The amended FTC Safeguards Rule raises the stakes for dealership owners and managers by requiring direct involvement from senior leadership in safeguarding customer data. In the event of a data breach or other security incident, failure to comply with the new requirements will provide a clear basis for a federal enforcement action and may support costly civil lawsuits.
Dealerships should take action now to be in compliance by the deadline and to remain in compliance on an ongoing basis. There are additional changes under the amended Rule beyond those summarized here, and therefore it is important to consult with the dealership’s legal counsel and technology vendors to ensure that the amended Rule is addressed in its entirety and that all necessary steps are being taken to fully satisfy the dealership’s compliance obligations.