Auto Dealerships are Required to Report Data Breaches to the FTC
On October 27, 2023, the FTC amended the Safeguards Rule. Non-banking institutions are now required to report specific data breaches and other security events to the agency.
But what does this really mean for your auto dealership?
As a managed security services provider (MSSP) specializing in the unique cybersecurity needs of the auto dealership industry, we leverage our two decades of experience to navigate the complex regulatory environment. Our dedicated team understands the intricacies of the FTC Safeguards Rule and its impact on your business, ensuring you receive the most relevant and effective strategies for compliance and data protection. So in this article, we’ll break down:
- What are the most recent changes in the FTC Safeguards Rule?
- How will these FTC rule changes affect your dealership?
By the end of this article, you’ll know exactly what you need to change to keep up with shifting government regulations.
What is the Recent FTC Amendment?
The FTC has recently made changes to the Safeguards Rule, primarily expanding the required security measures and the covered institutions.
However, the most recent amendment in October 2023 requires financial institutions to report data breaches starting May 13, 2024 – specifically, “unauthorized acquisition of unencrypted customer information, involving at least 500 customers.” Auto dealerships, under the previous amendments, are considered financial institutions.
When reporting the breach, you will need to include:
- The name and contact information of the reporting financial institution
- A description of the types of information that were involved
- The date or date range of the event
- The number of consumers affected or potentially affected
- A general description of the event
If applicable, you’ll also need to:
- Clarify whether any law enforcement official informed you that notifying the public will “impede a criminal investigation or cause damage to national security.”
- Provide the contact details of the reporting officer.
In addition, you’ll need to notify the FTC about the breach, via the FTC website, within 30 days.
This report comes on top of all the other changes dealerships need to make.
What Changes Do Dealerships Need to Make?
Dealerships will need to comply with the FTC Safeguards Rule, which includes – but is not limited to – having the following:
- An Information Security Program
- An incident response plan
- A designated OIC (Officer-in-Charge)
- Frequent third-party risk assessments
- Trained security personnel
- Company-wide data encryption and MFA compliance
Overall, your dealership might need a complete overhaul of its IT security, or it might be able to keep changes to a minimum.
Need Help with FTC Safeguards Rule Compliance?
Regardless of how many changes you need to make, no one wants to make mistakes when complying with government regulations. It's better to do it right than to do it quickly and overlook something.
As an MSP with experience providing compliance services, we know how crucial it is to follow government guidelines. Contact our IT specialists for a one-on-one meeting, and let us help you through the process.
However, if you want to learn more about the FTC Safeguards Rule for dealerships, check out the following resources: