A recent car dealer-focused poll has confirmed it: If you’re not yet compliant with the Federal Trade Commission Safeguards Rule, you’re not alone.
According to a dealer-focused webinar poll cited by AutoSuccess, 36 percent of respondents said they’re just getting started with their Safeguards Rule compliance plans, and only 25 percent were close to done.
If you’re not yet compliant, you’re not alone. That said, the Federal Trade Commission can enforce steep fines of up to $100,000 per violation now that the June 9 deadline has passed; it’s critical to put in place your compliance plan now.
Here’s why auto dealers should care, and what steps to take to get compliant.
The revised FTC Safeguards Rule put an emphasis on data protection and robust security measures.
To comply, dealerships must strengthen access controls and implement multifactor authentication on accounts with access to customer financial data.
A key part of the Safeguards Rule requirements is a data security program with identity and access management support.
Since nearly all dealerships store customer financial information, the Safeguards Rule applies. Although there is an exception for dealerships with 5,000 or fewer customer records, industry leaders such as the National Automobile Dealers Association believe “few, if any, dealers will be able to take advantage of this exception.”
Failure to comply puts your dealership at risk of lawsuits in the event of a data breach. This means that on top of FTC penalties, the financial impact of a data breach can span hundreds of thousands to millions of dollars.
The spirit of the Safeguards Rule is to help organizations address the root causes of risk within complex IT systems.
To accomplish that, your car dealership’s IT and data security strategy must embody three objectives:
1. Securing customers’ nonpublic, personal identifiable information
2. Designing and implementing security controls to prevent and mitigate cyber threats
3. Limiting and monitoring access to systems that store personal identifiable information.
With these objectives in mind, the Safeguards Rule contains multiple components companies must include in their information security program to comply with Gramm-Leach-Bliley Act.
Assign cybersecurity expert
Every company needs an experienced cybersecurity professional who “owns” its security program.
This person is responsible for implementing, maintaining and championing the security program. One primary part of their job is providing at least one annual report to a board of directors or senior leadership that assesses compliance success and risks within the security program.
Companies must first conduct a comprehensive risk assessment before they create their information security program.
This formal written assessment will detail all potential internal or external risks and threats to consumer data, as well as the criteria used to assess those risks.
Over time, risks and threats will change. Under the Safeguards Rule, companies will need to periodically reassess their security posture so they can continuously amend their security program, controls and incident response plan to mitigate threats.
Putting solid security controls in place helps organizations reduce the likelihood of a data compromise. The Safeguards Rule requires companies to have controls that support multiple security functions, including:
- Data management and storage, where companies need a detailed inventory of data collected, stored and transmitted across the entire IT infrastructure
- Access management, where companies define which users are authorized to access which resources and maintain an ongoing activity log to monitor access behavior
- Data encryption, where companies maintain confidentiality for data at rest and in transit
- Data retention and disposal, where companies design policies and timelines to securely store and automatically destroy customer data
- Third-party application management, where companies regularly evaluate what information they’re sharing with vendors and whether it’s necessary to share that data
- Identity verification, where companies maintain granular multifactor authentication capabilities to validate user identities and verify access to company resources using at least two authentication factors.
Monitor and test controls
Controls are only useful if they successfully mitigate threats. With today’s rapidly evolving threat environment, companies need to continuously stress test and fine-tune their controls to keep their organization secure and compliant.
Alongside continuous monitoring, you should introduce regular vulnerability scanning and penetration testing to confirm that your controls are effective.
Incident response strategy
Compliance with the Safeguards Rule means your auto dealership needs to maintain a written plan detailing how you will respond to and recover from a security incident. This document must address:
- The goals of your response plan
- Defined roles, responsibilities and a chain of command for decision-making
- Internal processes to activate during an incident, including processes around how to address security gaps and how to communicate or share information with stakeholders
- Procedures dictating how to document and report security incidents
- Updates following each security incident, including a post-mortem assessment of each incident and the organization’s response.
Everyone who handles your company’s sensitive data must be adequately trained to recognize risks, mitigate the impacts of security incidents and respond appropriately. Regular training helps keep both internal teams and external vendors aware of risks and prepared to respond to emergencies.
Monitoring behavior and consistently assessing the ability to prevent or mitigate risk also can help teams see where additional training is needed.
For most auto dealerships, the biggest change to the Safeguards Rule is the new mandate to implement multifactor authentication. This amendment demonstrates how zero trust architecture — which follows the guiding principle of “never trust, always verify” — is becoming essential for effective data security.
Unauthorized access to sensitive data — whether through stolen credentials, insider threats or other security gaps — poses a significant threat to customers’ personal identifiable information.
Enacting and enforcing the principle of least privilege is one step in limiting access to sensitive data.
But now, companies must go a step further.
By introducing multifactor authentication, companies can verify and validate user identities for every user and every access attempt, ensuring that only authorized users can access certain systems.
How companies set up their multifactor authentication solution makes a big difference when it comes to mitigating risk. The FTC suggests leveraging phishing-resistant methods to maximize security. For example, risk-based contextual controls, authentication apps and hardware keys often are more secure than text message codes or push notifications.
The broadened application of the FTC Safeguards Rule across more industries than ever before is, for lack of a better phrase, a very big deal. Dealerships that, for whatever reason, hadn’t yet added best practices such as multifactor authentication to their cybersecurity toolkit will face fines for non-compliance.
What does all that mean? Between fines, potential lawsuits and reputational damage, ignoring compliance with the FTC Safeguards Rule will come at a price — one most dealerships will find much higher than they thought and far too high to ignore.