By: Kharmela Mindanao on January 18th, 2024

FTC Safeguards Rule for Auto Dealers: What You Need to Know

Editor's note: This post was originally published on December 6, 2022 and has been revised for clarity and comprehensiveness.

The Federal Trade Commission (FTC) regulates the automobile industry to protect consumers from unfair and deceptive business practices.    

However, following yet another set of guidelines from another organization can be overwhelming.   

Luckily, the FTC Safeguards Rule is designed to be streamlined and easy to follow for all businesses under its jurisdiction. 

As a managed security service provider (MSSP), Intelligent Technical Solutions (ITS) has over 20 years of experience in ensuring that our clients covered under the FTC regulations have up-to-par cybersecurity. In this article, we’ll break down:

  • What is the FTC Safeguards Rule?   
  • Why does the FTC Safeguards Rule exist?   
  • Why should auto dealers care? 
  • 5 Questions the FTC will ask your business   

By the end of this article, you’ll know the definition of the FTC Safeguards Rule and how to prepare your business for FTC auditing.    

What is the FTC Safeguards Rule? 

The FTC Safeguards Rule is a comprehensive consumer protection initiative that requires businesses to take steps to protect consumer information. It is part of the Gramm-Leach-Bliley Act (GLBA), and it requires financial institutions to protect the security of the personal information they collect from customers.   

The FTC Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021. 

The rule applies to any person or organization that operates an Internet-accessible website, app, or digital platform and collects personal information about consumers for marketing use.   

Why Does the FTC Safeguards Rule Exist? 

The FTC issued the Safeguards Rule because it found that many companies were failing to meet basic standards for protecting consumer data – leaving consumers at risk of having their personal information stolen by hackers.    

In short, the Safeguards Rule exists because of the threat posed by cyber-attacks against businesses – both large and small – across America. 

How Does the FTC Safeguards Rule Affect Dealerships? 

Essentially, all dealerships are now required to follow the FTC safeguards, whatever their size, business model, or data collection policies.

Based on the requirements, your dealership will need to have:  

Failure to follow the FTC safeguards rule can lead to possible fines of up to $46,517 per violation. 

Related: Non-Compliance with FTC Safeguards Rule: What Auto Dealerships Need to Know 

How to Check Your Compliance with the FTC Safeguards Rule 

Like it or not, you’ll have to follow the regulations set out by the FTC. Luckily, there are five easy questions you can ask yourself to verify if you’re ready for FTC certification.     

1. Do you have a WISP? 

In the updated FTC safeguards rule, auto dealers are required to have a Written Information Security Program (WISP). A WISP is a document that describes the policies, procedures, and controls in place for protecting sensitive personal information, and it is the #1 FTC Safeguard must-have.   

This document will help you identify your company’s internal and external risks related to security breaches of customer personal information and theft of dealer assets. It should include:   

  • A description of how you assess these risks at least annually,   
  • An analysis of your most significant internal and external risks, and 
  • The steps you plan on taking to mitigate those risks.   

2. Do you have an OIC (Officer-In-Charge) for your dealership’s WISP? 

The OIC is the person who will run your dealership’s WISP and is responsible for making sure the WISP is planned and implemented properly. He or she should be someone with a lot of experience in the automotive world and a strong IT background.    

Because they will also serve as the point of contact for the FTC, they need to have strong communication skills and must have worked on the WISP from the beginning. They’ll need to know your IT security protocols inside-out, and if there are ever any breaches, be confident enough to explain the situation to FTC representatives.  

3. Do you periodically assess your cybersecurity?

how to do it. Many companies today have a dedicated team or person who helps them with their cybersecurity assessment.     

Cybersecurity assessments aim to check for any vulnerabilities within your network. Hackers and other cybercriminals can exploit these vulnerabilities to access sensitive data such as credit card numbers, social security numbers, and other personal information.  

Your OIC can take responsibility for the routine assessments but must have a dedicated team to back him up when going through the process.   

Getting a professional assessment done on your network is essential because these professionals know what they are looking for when they perform this type of service for clients. While you thoroughly know your company’s network, some things could still be overlooked when conducting a cybersecurity assessment due to this familiarity.     

4. Do you conduct security awareness training for your staff?  

It is a good idea to conduct security awareness training for your staff. This can help them understand the importance of cybersecurity and how they should protect their accounts and computers. It is also an excellent way to educate them on what to do if they suspect they have been hacked or compromised.  

5. Do you assess your third-party providers for their cybersecurity policies?  

If you’re outsourcing any part of your business, make sure that you do some due diligence on them. Ask them about their cybersecurity policies and assess if they have adequate security measures in place. This can help reduce the likelihood that your data will be compromised by a third party.   

Related: Kronos Ransomware Attack: Lessons on Third-Party Risk Management 

Ready to Implement the FTC Safeguards Rule for Your Dealership? 

The FTC Safeguards Rule is intended to keep consumer data safe, but it can be tricky to follow if you don’t have the right people for the job.    

As an MSSP, we’ve dedicated our resources to finding the best people for the job.    

If you’re ready to implement the FTC Safeguards Rule for your dealership, set up a meeting with our IT experts. However, if you want to do more research about FTC guidelines, check out the following resources:
