Everything Auto Dealerships Need to Know about the FTC Safeguards Rule


If you’ve been tuned into compliance discussions in the automotive industry lately, you’ve likely heard conversations surrounding the Revised Safeguards Rule. This updated standard, imposed by the Federal Trade Commission (FTC), introduces new requirements for qualifying businesses to ensure the protection of consumer data.

While fulfilling these guidelines may demand time, effort, and financial investment from dealerships, remember that it’s not too late to act. Let’s get into what dealerships should know about the Revised Rule, and how to take the first step to get your business in compliance.


What is the FTC Safeguards Rule?

The FTC Safeguards Rule was originally issued in 2003 to enforce a uniform standard of consumer protection across financial institutions. It places responsibility on covered businesses to develop, implement, and maintain a comprehensive information security program.

However, recognizing the rapidly evolving digital landscape and the increasing sophistication of cyber threats, the FTC published significant revisions in December 2021. These updates went into effect in June 2023 and aim to strengthen consumer information protection by preventing data breaches, with many new recommendations directly addressing vulnerabilities exposed in recent incidents.

The Revised Rule introduces more specific requirements, such as encryption of customer data, multi-factor authentication, and the appointment of a qualified individual to oversee the information security program.

For auto dealerships that haven’t yet started implementing these new measures, it’s time to take action. Compliance isn’t just about avoiding potential FTC penalties; it’s about building trust with customers and demonstrating responsible business practices.

Definitions of key terms 📖

As many business owners are finding, some of the language in the Revised Safeguards Rule is relatively open-ended. Therefore, in order to form an accurate interpretation, it’s important to understand the meaning of the terms that come up most frequently.

Financial institution

According to the FTC, a financial institution is “any institution the business of which is engaging in an activity that is financial in nature” or incidental to financial activities. In the auto industry, this is understood to include all companies that hold or process consumers’ personal information, including auto dealers, payday lenders, or online financial services providers.

While there are exemptions for businesses that maintain information on fewer than 5,000 consumers, those exemptions apply only to specific requirements of the Rule.

Customer information

The FTC’s definition of customer information is “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”

In auto dealerships, this includes personal documents like driver’s licenses, ID cards, declaration pages, and bank statements.

Nonpublic personal information

The FTC defines nonpublic personal information in two groups:

  1. Personally identifiable financial information: Data that can be used to identify, contact, or locate a specific individual; includes names, addresses, social security numbers, and bank account numbers
  2. Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available: Includes customers grouped by credit score, income levels, loan history, or net worth

Why Does It Matter to Auto Dealerships?

As previously discussed, the FTC’s definition of “financial institution” goes beyond the conventional meaning. It covers dealerships that offer or assist with financing, as well as those that lease vehicles beyond 90 days. More subjectively, any dealership that collects financial information to pass on to lenders could also be subject to the rule.

The FTC also advises that even though the Revised Rule doesn’t change the requirements for who’s included, many businesses have likely undergone significant changes since the original Rule. Therefore, the organization suggests revisiting the definition periodically to see if you’re required to comply.

Data mishandling within auto dealerships

While auto dealerships play a crucial role in facilitating vehicle purchases and financing, they also face significant challenges in managing the vast amount of personal and financial information they handle. This risk of breaches is compounded by the volume of sensitive customer data they process on a daily basis, including driver’s licenses, financial records, credit reports, and insurance documents.

Some also speculate that dealerships are seen as easy targets by cybercriminals due to a few factors:

  1. Open Wi-Fi Networks: Many dealerships offer free Wi-Fi to customers, which can create security weaknesses if the guest network is not properly secured.
  2. Weak IT Infrastructure: Some dealerships, especially smaller ones, may lack robust IT systems capable of adequately protecting sensitive data.
  3. Outdated Cybersecurity Systems: Rapid advancements in cyber threats mean that outdated security systems may not offer adequate protection against new types of attacks.
  4. Access to Financial Data: The presence of valuable financial information makes dealerships attractive targets for cybercriminals.
  5. Multiple Points of Data Entry: Information is often entered and accessed at various points throughout the dealership (sales floor, finance office, service department), increasing the risk of data exposure.

Data breaches in the auto industry

In June 2024, the auto SaaS provider CDK Global was hit by a ransomware attack, affecting roughly 15,000 dealerships across North America. In addition to the $25 million ransom that the tech company paid, the incident incurred $1 billion in estimated financial losses for the affected dealerships.

While this particular incident was out of the hands of the dealerships impacted, it underscores the importance of working with reliable service providers, as stated in the Revised Rule. As a result of breaches like this, many businesses suffer loss of sales, operational disruptions, legal troubles, and hits to their reputation. In some cases, they may even be subject to penalties from the FTC, which can reach up to $51,744 per violation.

What Are the New Rules for Auto Dealerships?

For dealerships that already set up their business practices around the original FTC Safeguards Rule, it’s important to understand what’s changed as of 2023. Here are some major additions that business owners should be aware of.

Conducting periodic risk assessments

The Revised Safeguards Rule requires dealerships to conduct periodic written risk assessments, not just a one-time evaluation. These assessments must establish criteria for evaluating security risks, assess the adequacy of controls, and describe how identified risks will be mitigated.

While the rule doesn’t specify a frequency, annual reviews are generally recommended, or whenever there are material changes. Embracing ongoing risk assessments shows a proactive approach to data security and helps ensure compliance as the threat landscape evolves.

Testing system security

The Revised Safeguards Rule builds on previous requirements to regularly test and monitor controls, systems, and procedures for safeguarding customer information. Dealerships must now specifically test their ability to detect actual and attempted attacks or intrusions on their information systems.

This could involve continuous monitoring or periodic penetration testing and vulnerability assessments. Rigorous system security testing helps identify and address vulnerabilities, demonstrating a commitment to proactive data protection as required by the updated FTC regulations.

Vetting service providers

Dealerships were already required to ensure their service providers implemented reasonable security measures. Now, dealerships must periodically assess providers based on the risk they present and the continued adequacy of their safeguards. This could involve reviewing providers’ security practices, service changes, and any vulnerabilities or failures.

Due to the risks of entrusting data to unreliable vendors, the FTC will hold dealerships responsible for giving customer information to providers without ensuring appropriate protections. In other words, rigorously vetting your partners is essential to comply with the new guidelines and avoid penalties.

Documenting an incident response plan

The original FTC Safeguards Rule required dealerships to have procedures in place to respond to security events, or incidents affecting customer information. The Revised Rule expands on this, mandating that dealerships establish a comprehensive, written incident response plan.

The written plan must address goals, internal processes, roles and responsibilities, communication protocols, remediation of weaknesses, and procedures for evaluating and revising the plan after a security incident. Maintaining a detailed incident response plan is crucial for demonstrating compliance and the ability to effectively manage data breaches.

Reporting to the board of directors

The original FTC Safeguards Rule required dealerships to oversee their information security programs, but did not specify detailed reporting obligations. The Revised Rule now mandates that the designated Qualified Individual provide written reports on at least an annual basis to the company’s board of directors or a senior official.

These reports must cover key elements such as risk assessments, risk management decisions, service provider arrangements, penetration testing results, security events and violations, and recommended changes to the information security program. Establishing this formal reporting structure ensures accountability at the highest levels of the organization and demonstrates a commitment to data protection in line with the FTC’s updated Safeguards Rule.

Flagging notification events

The Revised Rule mandates that dealerships notify the Federal Trade Commission if a “notification event” occurs, defined as the acquisition of unencrypted customer information without authorization. Additionally, if a notification event involves the information of at least 500 consumers, the dealership must inform the FTC as soon as possible, but no later than 30 days after discovery.

This timely reporting requirement underscores the FTC’s focus on transparency and accountability when it comes to protecting consumer data. Maintaining compliance with this notification protocol is an essential part of the updated Safeguards Rule.

How CheckMy Driver Can Help

One major source of data vulnerabilities across auto dealerships today is the insurance verification process. For many dealers, this task is still manual and involves the exchange of sensitive customer documents, including declaration pages and ID cards.

In fact, if you’re still using the traditional method of insurance verification, you’re probably in one of two groups: (1) you haven’t implemented your Safeguards Rule protocol yet, or (2) your verification process is out of compliance with your security procedures.

⚠️ Common FTC violations in the F&I process

  • Taking a photo of a customer’s driver’s license, ID card, or declaration page
  • Making a phone call to the carrier in a non-sound-proofed room
  • Leaving customer information in the company fax machine

CheckMy Driver is a modern insurance verification solution that handles the entire end-to-end process within a secure, consumer-centric application. To initiate the process, your customer opens a link on their device and logs into their insurance carrier to provide access to their policy, similar to how apps like Plaid create a connection with your bank account.

From there, the AI-powered adequacy engine automatically reviews the policy details against your requirements. In less than 30 seconds, you and your customer will both receive an easy-to-read report with results indicating whether their coverage is active, accurate, and adequate. This entire process is SOC 2 compliant, with the customer’s data encrypted in transit and at rest.


By following this procedure, your team can simplify the inventory step of the Safeguards Rule. With data centralized in one place, your qualified individual can more easily locate customer information. Additionally, CheckMy Driver protects access to the dashboard with multi-factor authentication (MFA), so that only authorized individuals can view data.

Get compliant with CheckMy Driver

Want to learn more about the steps we take to ensure our partners are compliant with the FTC? Set up some time with our team to chat.
