New FTC Rulings that Affect Your Auto Dealership

Back in 2003 the Federal Trade Commission put into effect the FTC’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short. The rule was put in place to make sure that businesses that collect private information from the public act responsibly by keeping it out of the hands of the wrong people – or any unauthorized person, for that matter.

This rule was amended in 2021 to make sure it still applied to the constantly changing state of information technology.

Are Auto Dealers Covered by this Ruling?


The short answer is yes, they are covered. The rule covers financial institutions not subject to the authority of another regulator. Even though you may not think of an auto dealer as a “financial institution,” what matters here is the type of data you collect.

What Is Required?

The following paragraph is from the FTC article cited at the bottom of this article.

“The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” (The definition of “nonpublic personal information” in Section 314.2(l) further explains what is – and isn’t – included.) The Rule covers information about your own customers and information about customers of other financial institutions that have provided that data to you.”

Here is a list of some of the things, gathered from the FTC’s website on this topic, that you will need to do:

a. Designate a Qualified Individual to implement and supervise your company’s information security program.
b. Conduct a risk assessment.
c. Design and implement safeguards to control the risks identified through your risk assessment.

  • Implement and periodically review access controls.
  • Know what you have and where you have it.
  • Encrypt customer information on your system and when it’s in transit.
  • Assess your apps.
  • Implement multi-factor authentication for anyone accessing customer information on your system.
  • Dispose of customer information securely.
  • Anticipate and evaluate changes to your information system or network.
  • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.

d. Regularly monitor and test the effectiveness of your safeguards.
e. Train your staff.
f. Monitor your service providers.
g. Keep your information security program current.
h. Create a written incident response plan.
Section 314.4(h) of the Safeguards Rule specifies what your response plan must cover:

  • The goals of your plan;
  • The internal processes your company will activate in response to a security event;
  • Clear roles, responsibilities, and levels of decision-making authority;
  • Communications and information sharing both inside and outside your company;
  • A process to fix any identified weaknesses in your systems and controls;
  • Procedures for documenting and reporting security events and your company’s response; and
  • A post mortem of what happened and a revision of your incident response plan and information security program based on what you learned.

i. Require your Qualified Individual to report to your Board of Directors.

Exemptions to the Ruling


One thing to keep in mind is that there is an exception for those who collect and hold fewer than 5,000 records.

I.T. Services Group, LLC is Here to Help

ITSG, LLC can help you with all of these requirements through our Managed IT Services, Managed IT Security and Managed Compliance services. If you would like to read the detailed article on the FTC’s website from which the information given here was obtained, you can find it here:

https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know#Financial_institution

For even more details on the Standards for Safeguarding Customer Information see this article:

https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314
