Newly Updated FTC Safeguard Rules & The Impact to Dealerships

Newly Updated FTC Safeguard Rules & The Impact to Dealerships

 

Auto dealerships have a plethora of business-related items to deal with on a day-to-day basis. With the level of customer data needed to transact most dealership services and sales, the security of systems and information is a key area that can greatly impact a business’s reputation and bottom line. For the auto industry, there are a number of regulatory requirements to take into consideration when it pertains to customer data. While regulatory standards, such as the Federal Trade Commission’s (FTC) Part 314 – Standards For Safeguarding Customer Information, are not new, there are continued updates to understand in order to stay in compliance.


Staying on top of the continual updates may be a little frustrating, but the ongoing changes are necessary. Threats to systems and data continue to evolve as businesses and consumers use more technology. The expanded use of technology and large volumes of data creates an opportunity for those who want to take advantage of others. While companies implement solutions to protect systems and data, hackers use advanced technology, techniques, and processes to cause problems.

As a result, reasons for updates to regulations, such as the FTC part 314 can be summarized as follows:

What Are The New FTC Rules?

The most recent of the FTC’s amendments went into effect on January 10, 2022, and requires implementation by December 9, 2022. While a full overview of what an information security program may look like for a business is referenced on the FTC website and includes additional details for the items listed below, the information security program can be summarized as follows:

  • Designate a qualified individual to implement and supervise your company’s information security program.
  • Conduct a risk assessment.
  • Design and implement safeguards to control the risks identified through your risk assessment. This includes eight detailed, security-related solutions, tasks, or action items.
  • Regularly monitor and test the effectiveness of your safeguards.
  • Train your staff.
  • Monitor your service providers.
  • Keep your information security program current.
  • Create a written incident response plan.
  • Require your qualified individual to report to your Board of Directors.

What Does This Mean For Your Dealership?

For dealerships to address the new requirements outlined in the information security program and reduce risks, key steps to take include:

  1. Training your workforce to understand the purposes of security processes, monitoring results, and enhancing the training to address changing threats and risks.
  2. Implementing multi-factor/two-factor solutions for all users, contractors, and vendors accessing the company systems. This would apply to customers accessing their personal information that the company may host/manage.
  3. Implementing and/or updating security-related software.
  4. Defining and implementing backup and resiliency plans, including disaster recovery (DR) and business continuity plans (BCP).
  5. Having dedicated IT and security resources (in‑house or outsourced) to help address the business needs for managing and monitoring systems and solutions.
  6. Having a process and resources involved with monitoring unusual activities and escalating activities as needed. This can also be in-house, co‑sourced or outsourced

Due Diligence For 3rd Party Vendors is a Must

Of particular note in the amendments is item f. monitor your service providers. As systems and even organizations are “connected” for business solutions, monitoring your service providers is a standard that needs structure and processes. When co-sourcing or out-sourcing services, this does not eliminate the risk to the Company for those activities. Service providers have been defining shared responsibilities, which means the Company is required to perform tasks or is responsible for activities, even though a process has been outsourced. As part of the service provider monitoring, and due diligence process you should understand:

  • Does the provider have a SOC2 report or security assessment report?
  • Has the provider engaged a third party to test or assess the control environment or services related to the outsourced solutions the Company is using?
  • Does the provider have cyber insurance?
  • Does the provider require everyone to use multifactor solutions?
  • Does the provider have unique login identification?

Security threats to systems and data will continue as technology use expands and evolves, so dealerships need to be prepared to address issues on an ongoing/regular cadence, not just from an annual perspective. To help reduce the risk of a possible event, dealerships need to train staff to understand and embrace security practices, make strategic investments in updating security solutions and processes (both in-house and outsourced), and design, implement and test incident response and/or backup plans. By understanding the FTC standards and following the security program guidance, dealerships can address the potential system and security risks in addition to protecting your organization’s data, reputation, and daily business activities.

 

Copyright © 2022 BDO USA, LLP. All rights reserved. www.bdo.com

Back to Blog