FTC Safeguards Rule

The FTC Safeguards Rule, enforced by the Federal Trade Commission (FTC), imposes requirements on certain businesses to protect the security and confidentiality of customer information. While the rule is not specifically targeted at car dealerships, dealerships are subject to its provisions and three specific obligations when they collect and maintain sensitive customer information.
Informativ’s compliance technology proactively enforces the physical and administrative requirements of the FTC Safeguards Rule.

Administrative

Ensure the security and confidentiality of consumer information.

Physical

Prevent the unauthorized access to consumer information that could result in harm or inconvenience to any customer.

Technical

Protect against anticipated threats or hazards to the security or integrity of that information.

Over time the Safeguards Rule has grown from just two pages to a whopping 145 pages. We’ve summarized the Rule and what it means to your dealership:

Data Protection Requirements:

Car dealerships must implement security measures to protect customer information from unauthorized access, both physical and electronic. This includes measures such as encryption, multi-factor authentication, phishing training, penetration testing, access controls, and secure storage.

Risk Assessment:

Car dealerships are required to conduct periodic risk assessments to identify potential vulnerabilities in their systems and processes that could compromise the security of customer information.

Develop a Security Plan:

Based on the risk assessment, car dealerships must develop and maintain a comprehensive written information security plan that outlines the specific measures they will take to safeguard customer information, and their staff must consistently follow that plan in day-to-day operations.

Employee Training:

Employees who have access to customer information must be trained on the dealership’s security policies and procedures to ensure they understand their role in protecting customer data.

Regular Monitoring and Oversight:

Car dealerships must regularly monitor their security measures to ensure they remain effective and up to date. Additionally, they should have oversight mechanisms in place to supervise employees’ compliance with security policies.

Vendor Oversight:

If the dealership shares customer information with third-party vendors (such as finance companies or marketing firms), they are responsible for ensuring that these vendors also have adequate safeguards in place to protect the information.

Incident Response Plan:

In the event of a security breach or unauthorized access to customer information, car dealerships must have procedures in place to respond promptly and effectively, including notifying affected individuals and appropriate authorities as required by law.

Failure to comply with the Safeguards Rule can result in significant penalties and fines imposed by the FTC, as well as reputational damage to the dealership. Therefore, it’s essential for car dealerships to take these requirements seriously and implement robust security measures to protect customer information. For more detailed information and guidance on Safeguards Rule compliance, consult legal professionals and refer to the official FTC guidelines.

FTC SAFEGUARDS RULE FAQ

The FTC’s Standards for Safeguarding Customer Information rule (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA) went into effect on June 9, 2023 and is a regulation designed to protect consumer information held by financial institutions, including auto dealerships. It mandates the establishment of information security programs to safeguard customer data.

A WISP is a set of policies and procedures outlining how an organization will protect customer information. Yes, auto dealerships are required to develop and implement a WISP tailored to their specific risks and operations.

Dealerships should conduct a comprehensive risk assessment covering both digital and physical risks. This includes implementing access controls, secure information systems, and employee training for safeguarding customer information in both online and physical formats.

Designate an individual responsible for overseeing and ensuring compliance with the Safeguards Rule. This coordinator should have knowledge of both digital and physical security measures and should be actively involved in program implementation.

Employees should receive regular training on recognizing and reporting suspicious activities, securing physical documents, and maintaining confidentiality. This training should cover both digital and physical aspects of safeguarding customer information.

Yes, physical safeguards should include measures like locked server rooms, restricted access to document storage areas, and surveillance systems. Access controls should be implemented for both digital and physical assets.

Regular monitoring and testing are crucial. Conduct physical security audits, digital system checks, and assessments of employee adherence to security policies regularly. Adapt your measures to address evolving risks and technology.

Vendor management should extend to cover both digital and physical service providers. Ensure third-party vendors adhere to your information security standards, whether handling digital data or physical documents.

Develop and implement an incident response plan covering both digital and physical security incidents. Include procedures for responding to lost or stolen physical documents containing customer information.

Dealerships and other covered entities are required to maintain detailed records of their information security program, including records related to access controls, physical security measures, and training activities, for a minimum of five years. These records should cover both the digital and the physical safeguards the dealership has implemented to protect customer information.

Schedule a Demo with Informativ

From instant, better, and trackable leads to a compliant sales process with industry-leading credit technology, give us 10 minutes and we’ll show you how our exclusive proactive credit and compliance solution from lead to sale will help your business.