As of June 2023, auto dealerships are required to develop and implement an information security program to protect customer data under the Federal Trade Commission’s (FTC) Safeguards Rule. For many dealerships, the Safeguards Rule marked a major shift in how they approached and implemented cybersecurity protections. Suddenly, they had to meet more complex security standards like conducting risk assessments, implementing multi-factor authentication, and providing security awareness training. Since the 2023 deadline, many dealerships have been slow to meet the new FTC requirements or struggling to maintain compliance.
In this blog post, we’ll go over the Safeguards Rule, what it requires, and how a managed service provider (MSP) can help you stay compliant.

Why dealerships need to worry about cybersecurity and compliance
Auto dealerships handle sensitive customer data every day: Social Security numbers, bank account information, loan documents, and more. That makes them a prime target for cybercriminals. In fact, in recent years, dealerships have become a popular target because they tend to have limited security defenses. Many dealerships have unsecured wireless networks, outdated IT infrastructure, and low employee security awareness. All of this makes auto dealerships vulnerable to cyberattacks like phishing, data theft, and ransomware.
The FTC Safeguards Rule recognizes this risk and defines auto dealerships as financial institutions. For instance, here is an example of a financial institution as per the Safeguards Rule, “An automobile dealership that, as a usual part of its business, leases automobiles on a non-operating basis for longer than 90 days is a financial institution with respect to its leasing business.”
For dealerships, falling out of compliance not only risks civil penalties of up to $50,120 per violation, but also puts customers’ data—and their company’s reputation—on the line. Some 84% of customers say they would not buy another vehicle from a dealership if a breach compromised their data.

What dealerships must do to comply with the Safeguards Rule
The Safeguards Rule was designed to ensure covered entities have protections in place to safeguard the confidentiality of customer data. To secure customer data, the Rule requires companies to develop and implement an information security program. Here is an overview of the nine key elements of what the Safeguards Rule defines as a reasonable security program.
Designate a “Qualified Individual” to manage your information security program
Dealerships must designate someone responsible for overseeing their data security program. This can be an internal staff member or an external partner, like an MSP.
Conduct risk assessments
Auto dealerships have to conduct periodic, written risk assessments that identify foreseeable internal and external threats to the security of customer information.
Implement access controls and MFA
Dealerships have to review who can access sensitive customer data. Among other things, they also need to encrypt customer information, implement multi-factor authentication (MFA), assess the security of apps that store or transmit customer data, maintain a log of user activity, and securely dispose of customer information no more than 2 years after its most recent use.
Continuous system monitoring or regular penetration testing
Dealerships are required to continuously monitor their systems to test the effectiveness of their security procedures or, at a minimum, conduct annual penetration testing and vulnerability assessments.
Employee security awareness training
The Safeguards Rule requires dealerships to provide security awareness training to staff on security best practices and provide regular refreshers.
Incident response plan
Monitor service providers
Dealerships must carefully select the vendors that will have access to customer data and consistently monitor those service providers.
Keep information security program current
Dealerships should consistently review their information security programs and ensure they reflect changes to operations, emerging threats, personnel changes, and findings from risk assessments.
Require Qualified Individual to report to Board of Directors
A dealership’s designated Qualified Individual must – at least annually – provide a written report to the Board of Directors or any senior official responsible for the information security program. Among other topics, the report should cover compliance with the program, risk assessments, security events and management’s response to them, and recommendations for changes to the security program.

How an MSP can help with Safeguards Rule compliance
Many dealerships don’t have dedicated IT staff or cybersecurity expertise. That’s where a managed service provider (MSP) can help.
Act as your ‘Qualified Individual’
Ongoing risk assessments
An MSP like GraVoc can perform annual risk assessments and help you document everything the FTC expects—without adding more work for your team.
Proactive monitoring and penetration testing
Rather than waiting for something to go wrong, an MSP will monitor your systems 24/7 for suspicious activity and vulnerabilities, applying security updates as needed. MSPs like GraVoc also offer a robust portfolio of services that include penetration testing, external vulnerability assessments, and internal vulnerability assessments to help you test and ensure the validity of your security controls.
Employee security training
MSPs offer security awareness training programs that cover topics like phishing and ransomware so your employees can spot the red flags and proactively respond to a threat.
Integrating your dealership systems
Incident response expertise

Is it too late to start compliance?
Not at all. While the FTC’s deadline was June 2023, compliance is an ongoing process. If you haven’t done much since last year—or haven’t even started—it’s crucial to act now. Starting today means you can work with a partner to quickly identify your gaps, build a roadmap, and start checking off the FTC’s requirements.
As a trusted MSP with a skilled security and IT team, we can support your auto dealership with information security and FTC Safeguards Rule compliance. Click below to check out our managed services or contact us to get started!