Person driving a vehicle

Building sustainable compliance for dealerships in response to the new FTC Safeguards Rule

The Federal Trade Commission (FTC) “Standards for Safeguarding Customer Information” (Safeguards Rule) under Section 501(a) of the Gramm-Leach Bliley Act (GLBA) define compliance requirements to protect consumer information from misuse or a data breach, and ultimately protect customers from identity theft or privacy violations. The Safeguards Rule underwent revisions on Dec. 9, 2021, which expanded many requirements of the original rule, including requiring dealerships to revise their programs and implement new compliance measures. Under the new Revised Safeguards Rule, dealerships must comply with the new requirements by Dec. 9, 2022.

If these new requirements are not met, the FTC can initiate an enforcement action against an auto dealer. Such enforcement might include long-term consent decrees with the company or executives as well as monetary fines over $46,000 per violation. Further legal costs make this a significant issue that needs to be carefully addressed. Dealers need to act now to ensure compliance and avoid such penalties. Baker Tilly is ready to help you achieve compliance with the new FTC Safeguards Rule with our approach tailored to the needs and concerns of dealerships.

The new FTC Safeguards requirements:

The Revised Safeguards Rule requires a number of documented policies and procedures as well as implementation of security processes including the following:

  • Designation of a qualified employee to oversee and manage the information security program
  • A written security risk assessment
  • A formally written information security program
  • A formally written incident response plan
  • A formally written report to the board of directors about information security controls
  • Encryption of all customer data at rest and in transit
  • Multifactor authentication
  • System monitoring
  • Penetration testing
  • Vulnerability assessments
  • Access controls over customer data
  • Inventory of all systems that store and process customer data
  • Secure system and software development life cycle processes
  • Data retention and disposal procedures
  • Change management procedures
  • Security awareness training
  • Oversight over vendor security controls
The journey to compliance and how we can help

Your journey to compliance should start with a diagnostic assessment to ensure you have a comprehensive roadmap for compliance. Afterward, you may identify the need for additional services to fully comply.

Many service providers may communicate changes and solutions to certain of the mandatory safeguards. However, several of the Safeguards Rule requirements include recurring assessments, training and support that are not covered by all providers. For this reason, it’s imperative you have a comprehensive roadmap to compliance.

It is vital for all auto dealers to ensure their compliance with new Safeguards Rule by Dec. 9, 2022.

Nick Goodman
Matt Gilbert
A. Michael Mader

Related sections

Team working to analyze data and software
Next up

New HITRUST assessments rise to meet the need for varying assurance levels