On October 27, 2021, the Federal Trade Commission (FTC) announced an amendment to the Standards for Safeguarding Customer Information (Safeguards Rule), stating all institutions “engaging in financial activities” must strengthen their cybersecurity practices to better protect customer data.
Since car dealerships collect a significant amount of personal information about their customers — names, addresses, phone numbers, Social Security numbers, and credit and financial information — they are required under the Safeguards Rule to protect it from unauthorized access, fraud, and misuse.
If the FTC finds your dealership to be careless with sensitive customer information, civil penalties can accrue for each violation, for each day it continues, until compliance requirements are fully met. The per-violation cap is adjusted annually for inflation; the often-quoted figure of $11,000 is out of date, and the cap exceeded $40,000 per violation in 2022.
While the amended FTC Safeguards Rule doesn’t go into effect until mid-year 2023, preparation can take anywhere from 6 to 12 months. This means car dealers should start looking to implement procedures now so they can avoid substantial fines and penalties for non-compliance later on.
Conduct a written risk assessment that includes risk criteria and how your dealership’s cybersecurity program will address and mitigate risks.
Conduct additional periodic risk assessments.
Create and document an incident response plan containing goals, communications plan, processes, and roles/responsibilities.
Designate or hire a “qualified individual” to oversee your dealership’s cybersecurity program.
Conduct and document a data and system inventory of all information your dealership collects, stores, or transmits.
Provide annual reports to the board of directors on compliance and cyber hygiene status.
Ensure encryption of all customer information in transit and at rest, and document retention and disposal procedures for customer information.
Enable Multi-Factor Authentication (MFA) for all systems containing customers’ sensitive information.
Establish change management procedures for modifying information systems.
Implement policies, procedures, and controls to monitor and log activity.
Download this checklist to start implementing best practices and establish good cyber hygiene.
If you need help evaluating your dealership’s current cybersecurity plan or want support meeting the amended Safeguards Rule, we have certified experts on stand-by ready to:
Perform a cyber risk assessment and identify areas of vulnerability.
Train your dealership employees on threat identification and prevention.
Help you create incident response and disaster recovery plans.
Implement/establish cybersecurity policies and procedures.
Deploy multi-factor authentication (MFA) across your dealership’s systems.
Provide a Chief Information Security Officer (CISO) on-demand.