Question? Call Us 858-777-0040
Logo 01

Does the FTC Safeguards Rule Apply to My Auto Dealership?

Who does the FTC Safeguards Rule Apply to?
Download the accountant's guide to the safeguards ruleGet your CPA firm aquainted with new FTC rules.

Read our latest eBook "The Accountant's Guide to the FTC Safeguards Rule"

Jay was annoyed. He had a successful auto dealership, with twelve employees on the payroll, and was eyeing expansion.

But now he is going to be regulated by what he considered an obscure regulation: the Federal Trade Commission’s new and updated Standards for Safeguarding Customer Information (16 CFR § 314.1, et seq.), also known as the Safeguards Rule.

June 9, 2023 is the deadline for FTC compliance!
You must be compliant today!

Who does the FTC Safeguards Rule apply to?

The Rule states that the security of customer information is now imperative for institutions “significantly engaged in financial activities” or “activities incidental to such financial activities,” but not subject to other regulators.

These regulations now subject Jay’s practice to cybersecurity rules that were too technical for him to understand (not to mention sounding costly).

What are the FTC Safeguards Rule Requirements?

The Rule mandates customer data confidentiality, integrity, and availability (CIA) and contains nine requirements, in brief:

1. Designate a qualified individual to implement and supervise the dealership’s information security program risk assessment.

This may be the most difficult requirement to attain if dealerships do not currently have an IT staff member trained as a cybersecurity expert.

2. Conduct periodic risk assessments to inform and guide the continued updating and enforcement of the information security program.

The program should not be a static one. A periodic review also requires a “clear understanding of the business dynamics of customer data,” not just a technical exercise.

3. Design and carry out customer information safeguards that control risks identified through the dealership’s risk assessment.

The Safeguards Rule requires the dealership to assess its security, enact change management, and monitor user activity.

4. Regularly monitor and test company safeguards.

Owners and managers must regularly test or continuously monitor the effectiveness of the dealership’s safeguards.

The dealership must choose either continuous network monitoring or annual penetration testing with twice-annual vulnerability assessments and system scans.

5. Train company staff.

Employees are the weakest link in cybersecurity. Company personnel should receive “security updates and training sufficient to address relevant security risks.”

6. Monitor service providers.

A dealership must exercise due diligence on the security measures of its vendors that process, record, use, or store any of its customer data as well.

7. Keep the information security program current.

What dealership owners learn and encounter in their operations, technology environment, risk assessments, personnel changes, and emerging threats impact a security operations program, and change management procedures must be in place.

Employees and vendors must integrate changes and evaluate safeguards effectively to address current risks and threats.

8. Create and implement a written incident response plan.

In the event of unauthorized access, misuse, or destruction of data, the dealership’s written incident response plan should detail how it will respond to the event.

This plan includes specifics on recovery and should also be available in physical form in a secure yet accessible location as they may not be accessible on a digital system in the event of a security incident.

9. Require the qualified individual to report to the board of directors or other senior authority responsible for the security program.

The qualified individual ((1) above) must structure the written information security program to include stringent monitoring, auditing, and reporting requirements.

The solution should be capable of providing documentation that supports the dealership’s board- or governing body-facing report.

Does The FTC Safeguards Rule Apply To My Dealership?

Automotive dealerships access, store, and transmit customer data, so they are covered under the Rule, unless they fall under the following exemption.

Are Any Dealerships Exempt From Any Part Of The Rule?

There are limits on the applicability of the Rule.

The following provisions “do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers” (Safeguards Rule):

    • Criteria for the evaluation and categorization of identified security risks or threats.

    • Criteria for assessing the CIA of information, including the adequacy of the existing controls in the context of the identified risks or threats.

    • Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.

    • Regular testing and monitoring of the safeguards’ effectiveness with annual penetration testing and vulnerability assessments.

    • A written incident response plan.

    • A regular written report with the status of and compliance with the information security program and related material matters. (Source for all the above bullet points is Safeguards Rule)

Small business entity exemptions do not extend to a dealership’s service providers: “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part” (Safeguards Rule).

If the dealership is, by the above definition, a small business, it can still be subject to the Rule if it provides services to covered businesses or organizations.

Why Was The Safeguards Rule Updated?

The updated requirements were written to stay on top of advancing technology and the increase in cybercrime.

Increasingly, hackers and scammers are gaining unauthorized access to business networks or devices, stealing business and customer information, using it fraudulently, holding it for ransom, or selling it on the dark web.

It may not have been a priority in the past, but auto dealership owners and managers must now strictly maintain their customer data security.

When is the Deadline for Compliance with the Safeguards Rule?

The deadline for the Rule’s essential requirements is June 9, 2023.

That’s when penalties for non-compliance with the Rule will reach up to $46,000 per day.

Questions Covered Dealerships Should Ask Themselves

Covered dealerships should ask themselves:

– Do they need to maintain the CIA of their customer and business data in use, in transit, and at rest?

– Have they implemented MFA and encrypted their files, email, and apps?

– Does the dealership have either continuous monitoring or penetration testing and vulnerability assessments in place?

– Do their partners, affiliates, and third-party vendors have proper safeguards?

– Do they know what applications, users, and devices are on their network right now?

– Does their employee workforce have a dynamic process for updating access permissions?

– Have they tested and trained their staff in cybersecurity?

– Do they need a virtual chief information security officer (CISO) to be their qualified individual under the Rule?

Implementing safeguards—such as access controls, multi-factor authentication, penetration testing, or continuous monitoring—is not a trivial requirement.

Covered dealerships must also create, enact, and maintain a written information security program.

This should comprise administrative, technical, and physical controls to protect customer and business data, defined as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or another form, that is handled or maintained by or on behalf of [the company or their] affiliates.”

This data consists of customer names, addresses, driver’s license numbers, passport details, social security numbers, credit histories, loan details, and other credit information.

Covered Dealerships May Need Help to Comply with The Safeguards Rule

Implementing, maintaining, and overseeing these security controls may increase in-house IT resources workload, training, and time commitment.

Even a few extra hours a week can put an excessive workload on in-house teams and increased costs on the dealership. In this case, owners and managers should enlist the support of an experienced security partner.

When carefully considering IT support with cybersecurity services, auto dealer owners and managers should ask:

    1. If the security partner can help them understand and attain compliance with the Rule.

      The partner should provide continuous monitoring, or alternately, vulnerability scanning and penetration testing; required reporting and reviews; and regular education of the dealership’s staff on the rapidly changing nature of cyber threats.

    2. If the security partner can assign a named point of contact to the dealership who will serve as the qualified individual (1).

    3. If the security partner has prior experience with dealerships like theirs. 

    1. If the security partner can oversee all or many areas of the dealership’s security program (handling more than one area of the dealership gives vendors a complete view of the dealership’s IT environment).

    2. If the means of communication with the security partner is through a fast-response ticketing system or scheduled in-person meetings.

Again, the new requirements of the Rule will come into effect on June 9, 2023.

If a dealership still lacks adequate data security protections at that time, its contracts could terminate and owners could incur up to $46,000 per day in penalties for non-compliance.

Conclusion: Use Compliance Requirements to Transform Your Dealership

These requirements may seem overwhelming.

They can be expensive and too complex for typical automotive dealership owners and managers not equipped to meet them. External partners and vendors may add to the complexity.

Dealers may need exceptional external support to meet the Rule’s new and updated, stringent security obligations.

An experienced security partner should go beyond strict compliance and partner with the organization to strengthen systems security while saving money and time.

The threat landscape is evolving. You must change the way you do business in order to comply with the updated Safeguards Rule.

Compliance is an evolving requirement and should be an indispensable part of a company’s cybersecurity posture and readiness.

An experienced security partner can help automotive dealerships attain compliance that will promote a culture of cybersecurity in the company.

For detailed information and requirements in the FTC Safeguards Rule, download Tech Kahunas’ The Auto Dealer’s Guide to the FTC Safeguards Rule, below.


Tech Kahunas is a San Diego Managed IT Services provider which provides IT support and services like 24/7 monitoring, data backup and restore, and malware protection.

Tech Kahunas will help you Defend Your Island. Set up a free 30-minute Strategy Session with us now.

This informational piece was derived from the FTC Safeguards Rule, which has 18 revisited or newly defined terms at 16 CFR § 314.2. Tech Kahunas has specific recommendations on the security of data here.

The four elements of the KahunaVision Technology Assessment are:

– Outsourcing –
Upgrade with our Kahunas. We’ll take your concerns (and problems) so you can do what you do best.

– Modernization –
Throw away that old tech! Take advantage of artificial intelligence, cloud apps, and fortified backups.

– Cybersecurity –
Don’t understand cybersecurity? Strengthen your IT systems with your personal Tech Kahuna.

– Compliance –
Compliance is boring–but many businesses still need to do it! We’ll help you with that, too.

Kahuna Shield will tie it all together.

Get your CPA firm aquainted with new FTC rules.

Read our latest eBook "The Accountant's Guide to the FTC Safeguards Rule"

Leave a comment

Your email address will not be published. Required fields are marked *

Peter Bondaryk
Peter Bondaryk

– Outsourcing –
Upgrade with our Kahunas. We’ll take your concerns (and problems) so you can do what you do best.

– Modernization –
Throw away that old tech! Take advantage of artificial intelligence, cloud apps, and fortified backups.

– Cybersecurity –
Don’t understand cybersecurity? Strengthen your IT systems with your personal Tech Kahuna.

– Compliance –
Compliance is boring–but many businesses still need to do it! We’ll help you with that, too.

Wield the Kahuna Shield

Schedule a strategy session

Get Our FREE C-Suite and Business Owner's Guide
to Cybersecurity
Latest posts
Follow us

Get Our FREE Accountant's Guide to the FTC Safeguards Rule Ebook!

The New FTC Requirements
That Will Change the Way You
Do Business

Get Your FREE Copy!​

Sign up to learn how you can protect against cybercrime

Nullam quis risus eget urna mollis ornare vel eu leo. Aenean lacinia bibendum nulla sed 

If today your business was hacked and you were at risk of losing it all...
Do you have a plan?
We will not spam, rent, or sell your information.

Nullam quis risus eget urna mollis ornare vel eu leo. Aenean lacinia bibendum nulla sed 

Join our newsletter and get a 20% discount
Promotion nulla vitae elit libero a pharetra augue