Driving Compliance: Navigating GLBA Requirements and FTC Safeguards for Auto Dealerships

This post is part of a series on the amendments to the Safeguards Rule, which require auto dealers to take a series of procedural, technical (including information technology), and contractual steps to protect consumer and other personal data. The amended requirements originally had to be met by December 9, 2022. In November 2022, the FTC extended this deadline to June 9, 2023.


Background:

In 1999, the Gramm-Leach-Bliley Act, the basis for the Safeguards Rule, was introduced by Congress.

On October 27, 2021, the Federal Trade Commission announced an updated rule to better safeguard customers' financial information. Under this amendment, vehicle dealers are among the institutions that must now maintain a security program to keep their customers' information safe.

“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”


The Impact on Auto Dealership IT Systems

The Safeguards Rule requires auto dealers to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule defines customer information as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”


What does a reasonable information security program look like?

Section 314.4 of the Safeguards Rule identifies 9 elements that your company’s information security program must include (the third element below carries its own list of 9 required safeguards):

  • Designate a Qualified Individual to implement and supervise your company’s information security program.
  • Conduct a risk assessment.
  • Design and implement safeguards to control the risks identified through your risk assessment:
      1. Implement and periodically review access controls.
      2. Know what you have and where you have it.
      3. Encrypt customer information on your system and when it’s in transit.
      4. Assess your apps.
      5. Implement multi-factor authentication for anyone accessing customer information on your system.
      6. Dispose of customer information securely.
      7. Anticipate and evaluate changes to your information system or network.
      8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
      9. Regularly monitor and test the effectiveness of your safeguards.
  • Train your staff.
  • Monitor your service providers.
  • Keep your information security program current.
  • Create a written incident response plan.
  • Require your Qualified Individual to report to your Board of Directors.


Next Steps

Becoming compliant the proper way touches almost every area of the dealership: Executive Management, Warranty, Finance, Sales, Service, and Parts; your Dealer Management System (DMS), such as CDK Global, DealerSocket/IDMS, DealerTrack, VINSolutions, or Reynolds; the way your employees log on to their PCs; and other areas. Below is a short, macro-level list of how, in our view, to navigate becoming compliant:

  1. Educate yourself on this rule (If you are still reading, you are well on your way in this step).
  2. If you have internal IT staff, it is extremely important that you understand what the rule calls for and help your staff get properly educated on what is expected of them.
  3. If an outside vendor or individual has historically helped you manage your IT, it is extremely important to ensure they are properly certified and educated on the GLBA rules. This can make a large difference in the time and resources you are charged for to become compliant.
  4. Map out the departments and what needs to happen for each.
  5. Assign a timeline to each department and their tasks.
  6. Follow up on a preferably weekly basis to ensure your dealership is moving towards being compliant.


We can help

We realize that this regulation brings a number of uncertainties in terms of operational cost and impact on sales, as well as concerns about making sure the dealership is actually compliant with the new rule. In our experience working with auto dealership clients in California, Nevada, Arizona, and Texas, helping them become and stay compliant with the updated Safeguards Rule, we have carefully mapped out this process in an actionable way that can be carried out properly without wasting resources on either side. Feel free to reach out if you would like more information; we are happy to engage with you. Our scope can be tailored to your needs, from fully managing the dealership's IT and information security to augmenting your current staff and helping them succeed.