Jay was annoyed. He had a successful auto dealership, with twelve employees on the payroll, and was eyeing expansion.
But now he was going to be regulated by what he considered an obscure regulation: the Federal Trade Commission’s new and updated Standards for Safeguarding Customer Information (16 CFR § 314.1, et seq.), also known as the Safeguards Rule.
Who Does The FTC Safeguards Rule Apply To?
The Rule states that the security of customer information is now imperative for institutions “significantly engaged in financial activities” or “activities incidental to such financial activities,” but not subject to other regulators.
These regulations now subject Jay’s dealership to cybersecurity rules that were too technical for him to understand (not to mention sounding costly).
What Are The FTC Safeguards Rule Requirements?
The Rule mandates customer data confidentiality, integrity, and availability (CIA) and contains nine requirements, in brief:
1. Designate a qualified individual to oversee the information security program. This may be the most difficult requirement to attain if the dealership does not currently have an IT staff member trained as a cybersecurity expert.
2. Conduct a written risk assessment. The program should not be a static one. A periodic review also requires a “clear understanding of the business dynamics of customer data,” not just a technical exercise.
3. Design and implement safeguards to control the identified risks. The Safeguards Rule requires the dealership to assess its security, enact change management, and monitor user activity.
4. Regularly test or monitor the safeguards. Owners and managers must regularly test or continuously monitor the effectiveness of the dealership’s safeguards. The dealership must choose either continuous network monitoring or annual penetration testing with twice-annual vulnerability assessments and system scans.
5. Train staff. Employees are the weakest link in cybersecurity. Company personnel should receive “security updates and training sufficient to address relevant security risks.”
6. Oversee service providers. A dealership must also exercise due diligence on the security measures of its vendors that process, record, use, or store any of its customer data.
7. Keep the program current. Changes in the dealership’s operations, technology environment, risk assessments, personnel, and emerging threats all affect the security program, so change management procedures must be in place. Employees and vendors must integrate changes and evaluate safeguards effectively to address current risks and threats.
8. Create a written incident response plan. In the event of unauthorized access to, misuse, or destruction of data, the plan should detail how the dealership will respond. The plan includes specifics on recovery and should also be kept in physical form in a secure yet accessible location, because digital systems may not be accessible during a security incident.
9. Report regularly to the board. The qualified individual (item 1 above) must structure the written information security program to include stringent monitoring, auditing, and reporting requirements. The solution should be capable of providing documentation that supports the dealership’s report to its board or governing body.
Does The FTC Safeguards Rule Apply To My Dealership?
Automotive dealerships access, store, and transmit customer data, so they are covered under the Rule, unless they fall under the following exemption.
Are Any Dealerships Exempt From Any Part Of The Rule?
There are limits on the applicability of the Rule.
The following provisions “do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers” (Safeguards Rule):
- Criteria for the evaluation and categorization of identified security risks or threats.
- Criteria for assessing the CIA of information, including the adequacy of the existing controls in the context of the identified risks or threats.
- Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
- Regular testing and monitoring of the safeguards’ effectiveness with annual penetration testing and vulnerability assessments.
- A written incident response plan.
- A regular written report on the status of and compliance with the information security program and related material matters.
(Source for all the above points: Safeguards Rule)
Small business entity exemptions do not extend to a dealership’s service providers: “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part” (Safeguards Rule).
If the dealership is, by the above definition, a small business, it can still be subject to the Rule if it provides services to covered businesses or organizations.
Why Was The Safeguards Rule Updated?
The updated requirements were written to stay on top of advancing technology and the increase in cybercrime.
Increasingly, hackers and scammers are gaining unauthorized access to business networks or devices, stealing business and customer information, using it fraudulently, holding it for ransom, or selling it on the dark web.
It may not have been a priority in the past, but auto dealership owners and managers must now strictly maintain their customer data security.
When Is The Deadline For Compliance With The Safeguards Rule?
The deadline for the Rule’s essential requirements is June 9, 2023.
That’s when penalties for non-compliance with the Rule will reach up to $46,000 per day.
Questions Covered Dealerships Should Ask Themselves
Covered dealerships should ask themselves:
Implementing safeguards—such as access controls, multi-factor authentication, penetration testing, or continuous monitoring—is not a trivial requirement.
Covered dealerships must also create, enact, and maintain a written information security program.
This should comprise administrative, technical, and physical controls to protect customer and business data, defined as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or another form, that is handled or maintained by or on behalf of [the company or their] affiliates.”
This data consists of customer names, addresses, driver’s license numbers, passport details, social security numbers, credit histories, loan details, and other credit information.
Covered Dealerships May Need Help To Comply With The Safeguards Rule
Implementing, maintaining, and overseeing these security controls may increase the workload, training, and time commitment of in-house IT staff.
Even a few extra hours a week can put an excessive workload on in-house teams and increased costs on the dealership. In this case, owners and managers should enlist the support of an experienced security partner.
When carefully considering IT support with cybersecurity services, auto dealer owners and managers should ask:
- Whether the security partner can help them understand and attain compliance with the Rule. The partner should provide continuous monitoring or, alternatively, vulnerability scanning and penetration testing; the required reporting and reviews; and regular education of the dealership’s staff on the rapidly changing nature of cyber threats. The security partner can also assign a named point of contact to the dealership who will serve as the qualified individual (item 1).
- Whether the security partner has prior experience with dealerships like theirs.
- Whether the security partner can oversee all or many areas of the dealership’s security program (handling more than one area gives the vendor a complete view of the dealership’s IT environment).
- Whether communication with the security partner is through a fast-response ticketing system or scheduled in-person meetings.
Again, the new requirements of the Rule will come into effect on June 9, 2023.
If a dealership still lacks adequate data security protections at that time, its contracts could be terminated and owners could incur penalties of up to $46,000 per day for non-compliance.
Conclusion: Use Compliance Requirements To Transform Your Dealership
These requirements may seem overwhelming.
They can be expensive and too complex for automotive dealership owners and managers who are not equipped to meet them. External partners and vendors may add to the complexity.
Dealers may need exceptional external support to meet the Rule’s new and updated, stringent security obligations.
An experienced security partner should go beyond strict compliance and partner with the organization to strengthen systems security while saving money and time.
The threat landscape is evolving. You must change the way you do business in order to comply with the updated Safeguards Rule.
Compliance is an evolving requirement and should be an indispensable part of a company’s cybersecurity posture and readiness.
An experienced security partner can help automotive dealerships attain compliance that will promote a culture of cybersecurity in the company.
For detailed information and requirements in the FTC Safeguards Rule, download Tech Kahunas’ The Auto Dealer’s Guide to the FTC Safeguards Rule, below.
Tech Kahunas is a San Diego Managed IT Services provider which provides IT support and services like 24/7 monitoring, data backup and restore, and malware protection.
Tech Kahunas will help you Defend Your Island. Set up a free 30-minute Strategy Session with us now.
This informational piece was derived from the FTC Safeguards Rule, which has 18 revisited or newly defined terms at 16 CFR § 314.2. Tech Kahunas has specific recommendations on the security of data here.