Late last year, the Federal Trade Commission (FTC) released revisions to the Safeguards Rule. Created in 2003, the Safeguards Rule requires financial institutions (any company engaged in the activities described here) to develop, implement and maintain a written information security program for customer data.
Though the new revisions became effective Jan. 10, 2022, businesses have until Dec. 9, 2022, to implement the bulk of them.
What do you need to do in the next four months? Here is an explanation of the rule and five action items you can take to ensure you are in compliance.
Before jumping into what you can do to comply with the Safeguards Rule, first identify the rule’s requirements and why the FTC revised them.
Today, customer data is stored in many systems either in their infancy—or ones that did not exist—in 2003. In other words, the 2003 customer information security standards no longer hold up. That is why the FTC updated its requirements and why the updates are so extensive. The agency is accounting for nearly 20 years of technological innovation.
Your dealership’s information security program must now include these nine elements, according to the FTC:
Designate a Qualified Individual. This person will implement and supervise your company’s information security program. The FTC said this individual can be an employee of your dealership or work for an affiliate or service provider. The previous rule version allowed multiple people to fill this role.
Conduct a written risk assessment. The assessment must include criteria for evaluating risks and assessing customer information security as well as ways the company will address identified risks.
Design and implement specific safeguards to control the risks identified through your risk assessment. The FTC lists eight specific safeguards required in your information security program. The takeaway here is, once you have identified risks, you must create comprehensive safety practices to limit them.
Regularly monitor and test the effectiveness of your safeguards. Do not treat your safeguards with a “set it and forget it” mentality.
Train your staff. Your team is a valuable resource. Help them help you by investing in their training.
Monitor and periodically assess your service providers. Your service providers could have access to all your customer information. Apply the same security measures to these providers as you do for your dealership.
Keep your information security program current. Changes happen all the time, from hiring more team members to adopting a new dealer management system. Use these changes as an opportunity to reevaluate and adjust your information security program.
Create a written incident response plan. Just as your safety data sheets provide explicit details on the materials at your dealership, your incident response plan should cover every action to take if a breach occurs at your dealership.
Require your Qualified Individual to report to your board of directors. Two notes here: The reporting must be written and must happen at least once a year. Also, reporting must include an update on the overall information security program status.
Why should dealership leaders care about these updates? They are extensive, so you cannot put them off until Dec. 8, 2022. The time to start implementing and testing them is now. Here are the five steps you need to take to prepare:
- Create a comprehensive data and system inventory
This is a logical first step. How can you update your written information security program without knowing the places where or the systems used to store data?
Creating a comprehensive inventory is the process of identifying and tracking customer information at your dealership. As part of this endeavor, have your Qualified Individual identify the information types you are collecting from customers, why and how you are collecting the information, where the information is stored and what devices access that data.
A helpful reminder: Inventory is the foundation for every future action you take to achieve Safeguards Rule compliance. Ensuring you complete the inventory accurately pays off.
The stronger the foundation, the stronger your security program.
- Complete your written risk assessment
After completing your data and systems inventory, conduct an assessment to identify any possible internal and external risks to your customers’ information. Do so by following these steps:
Examine system security vulnerabilities and ways unauthorized parties can access customer information. Exposure risks could occur from little to no password protection on company devices, unencrypted customer data or unsecured devices a bad-faith actor could steal from your dealership.
Describe how to mitigate risks and how your program will address those risks. In the case of inadequate password protection, the risk mitigation description might revolve around using multifactor authentication or generating new passwords for team members’ accounts every six months.
Put the risk assessment in writing and regularly reassess its effectiveness, especially after introducing operational changes such as purchasing new computers or using different servers.
- Write or update your incident response plan
What happens after a cybersecurity breach? That is a question your incident response plan needs to answer. The FTC lists clear elements your plan should cover:
The goals of your plan.
The internal processes your company will activate in response to a security event.
Clear roles, responsibilities and levels of decision-making authority.
Communications and information sharing inside and outside
A process to fix any identified weaknesses in your systems.
Procedures for documenting and reporting security events and your company’s response.
A post-mortem about what happened and revising your incident response plan and information security program based on what you learned.
Your response to a data breach is the most important step you can take to minimize its harm. Investing time in a comprehensive incident response plan protects your customers and your reputation.
- Assess your service providers’ adequacy
Just as you monitor your systems’ risk, you need to vet your service providers’ security.
Their efforts to protect customer information are just as important as yours—and the consequences for security gaps are just as severe.
The best way to ensure your service providers maintain adequate safeguards is by following these steps:
Select providers you know can maintain appropriate safeguards for their work.
Require providers, by contract, to implement and maintain safeguards.
Assess service providers periodically based on their risk and their safeguards’ adequacy.
Service providers offer valuable expertise and enable you to provide better service to your customers. Consider them an extension of your team needing safeguards to do their job safely.
- Implement your IT requirements
One part of the Safeguards Rule’s recent update pertains to data deletion. The revision requires financial institutions to securely dispose of customer information two years after its most recent use (unless doing so is impossible or a legitimate business need or legal requirement exists to keep it).
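As an added illustration (not from the article or from KPA), the following Python check applies the two-year disposal rule and its exceptions to an inventory of constructed customer records. The record fields, and the legal-hold and business-need flags used to represent the exceptions, are assumptions about how a dealership might track this; the dates and record IDs are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class CustomerRecord:
    """One entry from the data inventory (assumed structure, not the rule's own)."""
    record_id: str
    last_used: date          # most recent use of the record for a customer purpose
    legal_hold: bool = False  # a legal requirement to keep the record
    business_need: str = ""   # documented legitimate business need, if any


def two_years_before(d: date) -> date:
    """Calendar date exactly two years before d (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year - 2)
    except ValueError:
        return d.replace(year=d.year - 2, day=28)


def disposal_status(rec: CustomerRecord, today: date) -> str:
    """Classify a record as 'retain', 'exempt' or 'dispose' under the two-year rule."""
    if rec.last_used > two_years_before(today):
        return "retain"          # used within the last two years
    if rec.legal_hold or rec.business_need:
        return "exempt"          # rule's exception: legal requirement or business need
    return "dispose"             # two years past most recent use, no exception


def disposal_report(records, today: date) -> dict:
    """Group record IDs by status so the Qualified Individual can act and document."""
    report = {"retain": [], "exempt": [], "dispose": []}
    for rec in records:
        report[disposal_status(rec, today)].append(rec.record_id)
    return report


# Constructed sample inventory; not real customer data.
SAMPLE = [
    CustomerRecord("C-1001", date(2023, 1, 15)),
    CustomerRecord("C-1002", date(2020, 11, 2)),
    CustomerRecord("C-1003", date(2020, 3, 30), legal_hold=True),
    CustomerRecord("C-1004", date(2021, 6, 1)),   # exactly two years old on the run date
    CustomerRecord("C-1005", date(2019, 8, 20), business_need="open warranty claim"),
]

if __name__ == "__main__":
    print(disposal_report(SAMPLE, date(2023, 6, 1)))
```

Records in the "exempt" list still need the reason written down, since the rule's exception is for a documented need, not an indefinite default.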
That is not the only change to how dealerships should treat their customers’ information. The Safeguards Rule update requires financial institutions to implement multifactor authentication for anyone accessing customer data on your system. The rule mandates at least two authentication factors. Here are three you may see:
Something you know, for example a password.
Something you possess, such as a generated token.
Something you are, for instance recognizing physical features via biometric authentication.
The only exception to implementing these authentication factors is when your Qualified Individual approves a form of access control that is equally or more secure.
The rule now requires either continuous system monitoring or annual system penetration testing (a security test designed to mimic a cyberattack to find new potential vulnerabilities) together with twice-yearly vulnerability assessments (a system scan for known vulnerabilities).
Maintaining digital security at your dealership requires employee training. You might write the most comprehensive customer information security program possible at the beginning of the year, but your team keeps the program sharp by spotting risks over the following months.
Investing in training your employees and anyone who works at your dealership helps you maximize your security program’s impact. After a year in which data breaches increased by 68 percent, the investment could pay off quickly.
Commit to training. Create simulated breaches. Offer refresher courses. Empower your team to refine your security program. A safety culture starts with employee buy-in and rests on employee vigilance.
Robert Ebin is a senior manager of legal affairs for KPA, an EHS and workforce compliance software and services provider for midsize businesses. KPA’s on-site services and online tools help dealerships, automotive sales and F&I comply with state and federal regulations, protect the reputations of their brands, minimize legal liability and maximize customer satisfaction.