FTC Safeguards Rule for Auto Dealerships

In October, 2021, the FTC issued its final amendments to the FTC Safeguards Rule. The Rule contains a significant number of new and expanded procedural, technical, and personnel requirements that auto dealerships must comply with by December 9, 2022.

The Safeguards Rule ("Rule") is a federal data security rule that requires auto dealers to have measures in place to keep customer information secure. Auto Dealers are required to develop their own safeguards. Dealers are responsible for taking steps to ensure that their service providers and affiliates comply with following rules:

Rule 1: Qualified Individual - 16 CFR 314.4(a)
Auto Dealers must designate a qualified individual responsible for overseeing, implementing, and enforcing your information security program.

Rule 2: Written Risk Assessment - 16 CFR 314.4(b)
Requires that a new Risk Assessment document be created, which identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. A written risk assessment must be completed initially and on a periodic basis after that.

Rule 3: Access Controls- 16 CFR 314.4(c)(1)
Requires dealers to implement and periodically review access controls

Rule 4: Data and Systems Inventory - 16 CFR 314.4(c)(2)
Auto Dealers must identify and manage the data, personnel, devices, systems, and facilities that enable the dealership to achieve business purposes in accordance with their business objectives and risk strategy.

Rule 5: Data Encryption - 16 CFR 314.4(c)(3)
Encrypt all customer information held or transmitted by auto dealerships both in transit over external networks and at rest.

Rule 6: Secure Development Practices - 16 CFR 314.4(c)(4)
Adopt secure development practices for in-house developed applications utilized by you for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications you utilize to transmit, access, or store customer information;

Rule 7: Multi-Factor Authentication - 16 CFR 314.4(c)(5)
Auto dealers must implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls;

Rule 8: Secure Data Disposal Procedures - 16 CFR 314.4(c)(6)
Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained and periodically review your data retention policy to minimize the unnecessary retention of data;

Rule 9: Change Management Procedures - 16 CFR 314.4(c)(7)
Auto Dealers must adopt procedures for change management which govern the addition, removal, or modification of elements of an information system.

Rule 10: Systems Monitoring & Logging - 16 CFR 314.4(c)(8)
Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.

Rule 11: Intrusion Detection - 16 CFR 314.4(d)(1)
Regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.

Rule 12: Continuous Monitoring / Periodic Penetration Testing & Vulnerability Assessments - 16 CFR 314.4(d)(2)
For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, you shall conduct:

• Annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and
• Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in your information systems based on the risk assessment, at least every six months; and whenever there are material changes to your operations or business arrangements; and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.

Rule 13: Security Awareness Training - 16 CFR 314.4(e)
Implement policies and procedures to ensure that personnel are able to enact your information security program by:

1. Providing your personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;
2. Utilizing qualified information security personnel employed by you or an affiliate or service provider sufficient to manage your information security risks and to perform or oversee the information security program;
3. Providing information security personnel with security updates and training sufficient to address relevant security risks; and
4. Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.

Rule 14: Oversee Service Providers - 16 CFR 314.4(f)
Oversee service providers, by:

1. Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;
2. Requiring your service providers by contract to implement and maintain such safeguards; and
3. Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.

Rule 15: Periodic Review of Security Program - 16 CFR 314.4(g)
Evaluate and adjust your information security program in light of the results of the testing and monitoring; any material changes to your operations or business arrangements; the results of risk assessments performed; or any other circumstances that you know or have reason to know may have a material impact on your information security program.

Rule 16: Written Incident Response Plan - 16 CFR 314.4(h)
Auto dealers must adopt a written incident response plan that is specifically designed to promptly respond to, and recover from any security event materially affecting the confidentiality, integrity, or availability of customer information in dealership control.

Rule 17: Annual Report to Board - 16 CFR 314.4(i)
Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such a report shall be timely presented to a senior officer responsible for your information security program. The report shall include the following information:

1. The overall status of the information security program and your compliance with this part;
2. Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the information security program

AutoJini can help meet Safeguard Rule requirements
AutoJini/Octadyne Systems, Inc. has been providing IT services for 20+ years. We have worked with our technology providers to provide a complete solution which will help your dealership to comply with FTC Safeguard Rule. Please call us at 1-877-460-0255 or email sales@autojini.com for more information.