Douglas Jambor, CISSP, ISFCE, CCE
Senior Cybersecurity Manager over FORVIS Technical Client Services
U.S. Auto Dealerships will be required to comply with the Federal Trade Commission’s (FTC) amended safeguards rules (See Code of Federal Regulations Part 314.1 – 314.6.). The FTC is requiring additional security, “Safeguards,” for consumer financial information in response to the number of widespread data breaches that continue to occur in the current threat landscape.
What does this mean for U.S. Auto Dealerships?
Any Auto Dealership that handles sensitive customer financial information will be required to comply with the newly updated FTC Safeguard Rules which were effective on January 10, 2022 and have required compliance by December 9, 2022.
Here is a breakdown of some of the Key Safeguard Rules to help you understand the new compliance impacts:
- U.S. Auto Dealerships will need to dedicate a “Qualified Individual” (QI) responsible for developing, overseeing, monitoring, and enforcing your Dealership’s information security program (ISP). This person can be an external business advisory firm or internal staff who is either already capable or can be trained over time to perform this role.
- This Qualified Individual must report in writing, at least annually, to the Dealership’s board of directors or governing body with regard to:
- Status of the Dealership’s ISP
- Compliance with the FTC Safeguard Rules
- Material events related to information systems security
- Implementation and enforcement of the Dealership's entire ISP, which is documented during assessment throughout the year
During the year, the Qualified Individual will need to either outsource or oversee the following Safeguard Rule requirements:
- Conduct IT Risk Assessments
- Ensure a Data Classification Policy exists and is used to access the following key areas:
- Vendor Criticality
- Server Criticality
- Application Criticality
- Threat Assessment based on Current Threat Landscape
- Dealerships should implement additional IT controls that have a moderate to high residual risk level identified as part of the IT Risk Assessment exercise. This would also be a great opportunity to align the Dealership’s consumer information with current state data privacy laws.
- Annual Network Security Assessment “test to detect actual or attempted attacks or intrusions into [the] information systems,” along with vulnerability scanning every six months or after the public disclosure of vulnerabilities that could affect the Dealership’s IT infrastructure (workstation/server endpoints, applications, networking devices, etc.).
Dealerships can also skip the “Annual Network Security Assessment” requirement above provided they utilize “Continuous Monitoring” with real-time IDS/IPS in the form of Managed Detection and Response (MDR), Extended Detection and Response (XDR), or a Security Operations Center (SOC) where continuous systems security (monitoring) is performed 24/7/365 in real-time.
- Perform End-User Security Assessments to include:
- End-User Awareness Program which ensures “All Employees are properly enacting and carrying out the ISP”
- Testing all end-users periodically
- Providing additional training for any employee who fails these assessments throughout the year
- Dealerships must ensure that all vendors or third parties that have access to customer information “maintain safeguards commensurate with the Dealership’s ISP.” This is obtained through an annual GLBA/Risk Assessment to assess the level of access to PII information and whether sufficient safeguards are being maintained.
- Maintaining a formal written Incident Response (IR) Policy that is tested on an annual basis via table-top exercises
Overall, the Qualified Individual should be overseeing and formally documenting the customer safeguards throughout the year and reporting them annually. Maintaining documentation would create a “Book of Evidence” for the Dealership to provide to the FTC in the event of a security incident that led to a data breach affecting consumer financial information. Having this “Book of Evidence” could potentially be viewed by the FTC post data breach as negligence versus gross negligence (i.e., if the Dealership was breached and had no “Book of Evidence.”)
First-time failures would typically not result in fines, but the FTC could use any such violations to justify a more extensive investigation into your Dealership’s compliance with the FTC Safeguard and GLBA rules. In addition to fines, the FTC could also create an agreement with the affected Dealership in which a periodic evaluation of compliance was assessed, and any violation of the agreement would result in increased enforcement and higher fines for violating a consent.
For more resources related to this FORVIS article, please reach out to FORVIS’ Dealership Group.
Code of Federal Regulations Part 314: Standards for Safeguarding Customer Information