The FTC Safeguards Rule, enforced by the Federal Trade Commission (FTC), imposes requirements on certain businesses to protect the security and confidentiality of customer information. While the rule is not specifically targeted at car dealerships, dealerships are subject to its provisions and to three specific obligations when they collect and maintain sensitive customer information:

- Ensure the security and confidentiality of consumer information.
- Prevent unauthorized access to consumer information that could result in harm or inconvenience to any customer.
- Protect against anticipated threats or hazards to the security or integrity of that information.

Informativ’s compliance technology proactively enforces the physical and administrative requirements of the FTC Safeguards Rule.
The FTC’s Standards for Safeguarding Customer Information rule (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA) went into effect on June 9, 2023 and is a regulation designed to protect consumer information held by financial institutions, including auto dealerships. It mandates the establishment of information security programs to safeguard customer data.
A WISP (written information security program) is a set of policies and procedures outlining how an organization will protect customer information. Auto dealerships are required to develop and implement a WISP tailored to their specific risks and operations.
Dealerships should conduct a comprehensive risk assessment covering both digital and physical risks. This includes implementing access controls, secure information systems, and employee training for safeguarding customer information in both online and physical formats.
Designate an individual responsible for overseeing and ensuring compliance with the Safeguards Rule. This coordinator should have knowledge of both digital and physical security measures and should be actively involved in program implementation.
Employees should receive regular training on recognizing and reporting suspicious activities, securing physical documents, and maintaining confidentiality. This training should cover both digital and physical aspects of safeguarding customer information.
Physical safeguards should include measures such as locked server rooms, restricted access to document storage areas, and surveillance systems. Access controls should be implemented for both digital and physical assets.
Regular monitoring and testing are crucial. Conduct physical security audits, digital system checks, and assessments of employee adherence to security policies regularly. Adapt your measures to address evolving risks and technology.
Vendor management should extend to cover both digital and physical service providers. Ensure third-party vendors adhere to your information security standards, whether handling digital data or physical documents.
Develop and implement an incident response plan covering both digital and physical security incidents. Include procedures for responding to lost or stolen physical documents containing customer information.
Dealerships and other covered entities are required to maintain detailed records of their information security program, including records related to access controls, physical security measures, and training activities, for a minimum of five years. These records should cover both the digital and the physical safeguards the dealership has implemented to protect customer information.
Informativ provides instant, prequalified customers and buyer insights, the only proactive and enforceable compliance platform for dealership showrooms, and industry-leading credit technology to thousands of auto dealerships and businesses. Contact us today to see how our solutions will solve your top challenges.