5 Ways the FTC Safeguards Rule Fuels Business Growth for Auto Dealerships
Auto dealerships are nearly irresistible targets for cybercriminals. The vast amount of consumer data collected, processed, and stored within dealer management systems — social security numbers, addresses, credit scores, and financing information — is a data jackpot for bad actors and identity thieves. The Federal Trade Commission recently reported more than 70,000 cases of identity theft related to auto loans and leases in 2021.
The FTC’s new Standards for Safeguarding Customer Information (called the Safeguards Rule) is a set of data and information security requirements designed to protect consumer and personal data. Any financial institution subject to FTC jurisdiction that isn’t subject to another regulator under the Gramm-Leach-Bliley Act must comply with the FTC Safeguards Rule, including auto dealerships.
The FTC Safeguards Rule announcement has left many dealerships scrambling to understand its requirements and implement security measures before the looming compliance deadline in June. But instead of seeing the rules as more regulatory hoops to jump through, dealerships should view these new requirements as both a short- and long-term benefit to their business and their customers. The FTC Safeguards Rule offers auto dealerships a tantalizing opportunity to streamline their businesses and set the stage for significant business growth.
An overview of the FTC Safeguards Rule
The FTC Safeguards Rule, which fully takes effect for auto dealerships on June 9, 2023, requires dealerships to take appropriate steps to ensure the security of customer data, including information such as social security numbers, addresses, and driver's license details.
Dealerships must establish reasonable security procedures for protecting personal information in their possession from unauthorized access, use, or disclosure, as well as against unauthorized destruction or accidental loss.
There are four main components to the FTC Safeguards Rule:
1. Data security requirements: Dealerships must implement reasonable security measures to protect data, and maintain those measures on an ongoing basis. Specifically, they must have written policies and procedures that address the security of customer data and require employees with access to customer data to take steps to protect it. These policies and procedures should include:
- Procedures for protecting customer data from unauthorized access, i.e., data encryption
- Procedures for detecting security incidents
- Procedures for responding appropriately in the event of a security incident
2. Security and privacy training for all employees with access to customer data: Staff must learn best practices for keeping sensitive data safe and be aware of common threats.
3. Annual assessments of the effectiveness of these policies and procedures: Dealerships are responsible for ensuring the safeguards put in place continue to function as intended to reduce risk.
4. Notification requirements: If a dealership experiences a breach of consumer information — meaning there is unauthorized access or disclosure of consumer data — it must notify affected consumers within 30 days unless it has already notified them about an earlier, related breach.
5 benefits of FTC Safeguards Rule compliance for auto dealerships
While it would be easy for auto dealerships to view the Safeguards Rule as check-the-box tasks to satisfy the FTC, complying with these requirements offers dealerships compelling benefits. A robust security and compliance program will positively impact nearly every aspect of the business, from building customer trust and loyalty, to streamlining operations and reducing risk.
1. Reduce risk by building a mature security and privacy posture
Auto dealerships are assaulted by an average of 153 viruses and 84 malicious spam emails every day. It only takes one to result in a potentially devastating data breach.
Too many dealerships lack the proper checks and balances that accompany a formal security and privacy compliance program. Security risks are everywhere, and they’re only growing more prevalent. As attacks increase in volume, complexity, and severity, auto dealerships must commit to greater maturity for their data security and privacy programs.
The FTC Safeguards Rule offers valuable guidance for auto dealerships to adopt security and privacy best practices, including formal risk and change management processes, an incident response plan, and access monitoring, among other foundational security controls. Combined, these practices form a mature security and privacy posture that will help auto dealerships reduce financial, legal, regulatory, and reputational risk in their business.
2. Improve operational efficiency
Lowering organizational risk and establishing sound security and privacy processes ultimately lead to better operational efficiency across the organization.
Aside from avoiding costly breaches and fulfilling legal and contractual obligations, implementing security and privacy best practices helps dealerships create streamlined, scalable internal processes that support sustainable growth. Compliance activities keep you aware of critical business risks, help you identify redundancies across software and procedures, and ensure staff is properly trained to protect sensitive information.
The FTC Safeguards Rule mandates that organizations that handle consumer financial information must implement measures to store, process, and dispose of this data securely. A byproduct of becoming compliant with the Safeguards Rule is more effective and efficient data management processes, policies, and practices, resulting in improved data quality and more informed decision-making across the organization.
3. Modernize processes and eliminate reliance on paper records
The auto retail model continues to evolve, and dealerships that capitalize on consumers’ desire to move more of the car buying process online stand to gain. Online financing approvals, vehicle appraisals, and purchase offers will all be made more secure with the proper security and privacy controls in place. By adopting the FTC Safeguards Rule, auto dealerships can take significant steps to streamline the purchasing process and improve the customer sales experience.
During the pandemic, many dealerships invested in improving the transaction process and the associated technology workflows, digitizing the process wherever possible. Yet even with these shifts, many aspects of the car buying process remain paper-based.
A security and privacy compliance platform can eliminate this reliance on paper records and serve as the single source of truth as the dealership’s security and privacy compliance system of record. By continuously monitoring your security posture, tracking employee training and policy acceptance, and automatically collecting evidence, you’ll be able to monitor your security, privacy, and compliance programs from a single tool. If a dealership ever finds itself under audit, it will have everything needed to prove compliance.
4. Build customer trust and loyalty
According to a survey by Total Dealer Compliance, more than 80% of consumers would not purchase a car from a dealership with a recorded data breach.
Adhering to the Safeguards Rule allows dealerships to develop and implement industry-standard security and privacy processes in ways that are demonstrable to customers. Security awareness training is just one example — 73% of consumers say they feel more comfortable working with dealership staff who have completed security training and display those certifications on their desks.
Auto dealerships that can prove they have their customers’ best interests at heart through a robust security and privacy program stand to gain a compelling competitive advantage in earning customer trust, building customer loyalty, and inspiring repeat purchases.
5. Cut costs and reduce consulting spend
Security consultants may seem like a fast track to a stronger security posture, but over-reliance on a third-party consultant can hinder your team from internalizing security and privacy best practices into their daily work habits and mindsets.
Consultants can run $200-300 an hour, yet fail to offer a long-term solution to auto dealerships looking to establish information security and data privacy best practices. The consultant may offer expertise in the initial stages, but it’s still up to the dealership to put policies and processes into practice, validate that they’re working, and keep them updated.
The Safeguards Rule provides auto dealerships with a specific framework for a strong security and privacy compliance posture without relying entirely on consultants. Requirements specify cybersecurity best practices including information asset management, data encryption, access controls, secure data disposal, and other tangible steps to establish a strong security and privacy posture.
Seizing the growth opportunity of security and privacy compliance
Auto dealerships that view compliance with the FTC Safeguards Rule as a series of checkboxes risk overlooking its potential value. Implemented correctly, it can unlock rapid growth across multiple fronts: customer acquisition and loyalty, internal scalability, and market differentiation. Forward-thinking auto dealerships that seize this opportunity stand to reap the full rewards that a strong data security and privacy program offers.
Many dealerships are turning to all-in-one compliance platforms to build their security and privacy programs, draft policies, train staff, and streamline internal security assessments to achieve and maintain compliance with the FTC Safeguards Rule. An all-in-one platform that delivers continuous monitoring, personnel management, vendor management, risk management, and more, paired with a vendor partner that offers deep security, privacy, and compliance expertise to assist in the compliance journey, will help auto dealerships get more mileage out of their security and privacy compliance program and seize this massive growth opportunity.