A new challenge for Dealerships across the US: The FTC Safeguard Rule

In today's digital age, data security and privacy have become crucial concerns for both businesses and consumers. The Federal Trade Commission (FTC) has recognized the need for safeguarding consumer information and has implemented various regulations to ensure businesses handle personal data responsibly. In the automotive industry, dealerships handle a vast amount of sensitive customer information, making compliance with the FTC Safeguard Rule essential. However, implementing the requirements might be easier said than done.

What is the FTC Safeguard Rule?

The FTC Safeguard Rule, also known as the Safeguards Rule, is part of the Gramm-Leach-Bliley Act (GLBA) and was enacted to protect the privacy and security of consumers' non-public personal information (NPI) held by financial institutions. While car dealerships may not typically be considered financial institutions, they often handle financial transactions and obtain sensitive consumer information, which brings them under the purview of this rule.

The Safeguard Rule requires covered businesses, including automotive dealerships, to develop, implement, and maintain a comprehensive information security program to protect customer data. This program should include appropriate safeguards to ensure the confidentiality, integrity, and security of NPI against unauthorized access, disclosure, or use.

The Safeguard Rule outlines the following key requirements for dealerships:

  • Designation of an Information Security Coordinator - Dealerships must appoint an employee responsible for overseeing the information security program. This individual ensures the program's implementation, evaluates risks, and coordinates security measures.
  • Risk Assessment - A thorough assessment of potential risks to the security, integrity, and confidentiality of customer information must be conducted. Dealerships need to identify internal and external risks, including those posed by employees, vendors, and cyber threats.
  • Develop and Implement Safeguards - Based on the risk assessment, dealerships must establish and implement appropriate safeguards to protect customer information. These safeguards can include physical, technical, and administrative measures such as secure storage, encryption, access controls, employee training, and vendor management.
  • Regular Monitoring and Testing - Dealerships should regularly monitor and test their security systems to identify vulnerabilities and promptly address any weaknesses or gaps in their information security program.
  • Employee Training - All staff members who have access to customer information should receive comprehensive training on the dealership's information security program. This training should cover data handling procedures, password security, recognizing phishing attempts, and responding to potential data breaches.
  • Service Provider Oversight - If a dealership shares customer information with third-party service providers, it must ensure that these providers also have safeguards in place to protect the information.

Challenges for Dealerships

Dealerships deal with a significant volume of customer data, especially since transactions and interactions occur daily. Managing and securing this vast amount of data, in both digital and physical formats, can be complex and resource intensive. Add to that the diverse types of personal and financial data, a rapidly evolving threat landscape, and ongoing monitoring and auditing requirements, and dealerships across the country have been scrambling to comply. Those that have complied often feel they haven't fully hit the mark.

Industry trade organizations, particularly NADA (National Automobile Dealers Association), have done a great job of educating dealerships and have produced very relevant material to get them up to speed with the requirements of the regulation. Still, BDO Digital has seen two requirements that continue to present a challenge, and these are areas where time with experts would be well spent.

Risk Assessment – While there is guidance on what to do, there is little guidance on how to do it. There is no set format or approved way to perform a risk assessment. Often this simply takes the form of an Excel spreadsheet, but assembling the information and making sense of the data is often discouraging.

Vendor Management – Ensuring that dealership vendors comply with the Safeguard Rule and maintain appropriate security measures can be a challenge, especially since dealerships need to continuously monitor and manage these relationships. Again, NADA comes to the rescue with guidance, but how do we actually get this done, and what form does it take? There are no standardized templates, which sometimes creates confusion and frustration.

Your IT service provider might be able to help get you started in both areas, but a consulting firm with experience in this area can help close the gap and make the effort relatively painless.

A word of caution – don't adopt the boilerplate policies provided by your IT service provider or by industry trade groups like NADA without thoroughly reading and understanding them. Many statements in these documents describe systems, procedures, and tooling that you may not actually have in place.

Conclusion

While non-compliance with the Safeguard Rule can lead to severe legal consequences, including fines and penalties, compliance is crucial for dealerships because it demonstrates a commitment to protecting customer data, reduces the possibility of a data breach, and potentially gives them a competitive advantage.

Protecting consumer data is of paramount importance in today's digital landscape, and the FTC Safeguard Rule plays a vital role in ensuring the security and privacy of customer information held by dealerships. Complying with the Safeguard Rule may be a daunting task, but with the help of a trusted advisor the process can be streamlined and simplified. Reach out to the BDO Digital team to get started.