How CFOs Can Optimize Costs and Risk Management in Commercial Real Estate In today's evolving commercial real estate landscape, chief financial officers (CFOs) face the […]
Navigating the New FTC Regulations for Car Dealerships
What does it mean to have an “Information Security Program”
In the rapidly evolving data security and privacy landscape, the Federal Trade Commission (FTC) has updated its Safeguards Rule. As of June 9, 2023 Car Dealerships are considered a financial institution under the Safeguards Rule. This rule significantly impacts how car dealerships manage customer information.
The rule mandates that dealerships, like all financial institutions, must have an Information Security Program. The FTC plans to begin auditing firms to ensure compliance with these regulations in 2024, so now is the time to bring your dealership up to speed.
Defining Information Security Program
The updated FTC Safeguards Rule outlines specific criteria to ensure the security and confidentiality of customer information. Key elements include:
- Designation of a Qualified Individual: This person, who could be an employee or from an affiliated service provider, is responsible for implementing and overseeing the information security program. Their expertise should match the scale and complexity of the business's needs.
- Risk Assessment: Dealerships must conduct thorough assessments to identify potential threats to customer data, considering both internal and external risks. This step involves understanding what information is held, how it's stored, and potential vulnerabilities.
- Implementation of Safeguards: Based on the risk assessment, dealerships are required to establish robust controls. This includes access controls, data encryption, secure disposal of customer information, and multi-factor authentication for system access.
- Regular Monitoring and Testing: The rule mandates continuous monitoring or regular testing of security measures, including penetration testing and vulnerability assessments.
- Employee Training: Staff should be trained in security awareness, with specialized training for those directly involved in the information security program.
- Service Provider Monitoring: Dealerships must ensure their service providers have adequate safeguards and continuously monitor their compliance.
- Adaptability of Security Program: The information security program must be flexible enough to adapt to changes in operations, emerging threats, or changes in personnel.
- Incident Response Plan: A written plan is required to address security events, outlining roles, responsibilities, communication protocols, and recovery processes.
- Regular Reporting: The Qualified Individual must report regularly to the dealership's Board or a senior officer, detailing compliance and any recommendations for changes in the security program.
Implications for Your Dealership’s IT
The Safeguards Rule significantly influences the IT and cybersecurity strategies of car dealerships. Now, IT must go beyond maintaining your network and devices. The focus now is on implementing technical cybersecurity measures and fostering a culture of security awareness through policy documentation and employee training.
What steps do you need to take immediately:
- Invest in cybersecurity infrastructure, including advanced encryption technologies and multi-factor authentication systems.
- Establish a regular cadence of security audits, including a professional review of policies, and running vulnerability and pen tests.
- Conduct employee training – such as Knowbe4 – to ensure your team follows the policies and can be your first line of defense against cyber threats.
- Create an incident response plan that addresses how data will be stored, backed up, and recovered in case of a cyber breach or other disaster.
Conclusion
The updated FTC Safeguards Rule presents both challenges and opportunities for car dealerships. While it necessitates significant investment in IT and cybersecurity infrastructure, it also offers a chance to strengthen customer trust by showcasing a commitment to data security. By embracing these changes, dealerships can enhance their reputation, foster customer loyalty, and secure a competitive edge in the digital age.
If you are looking for help preparing your business to meet these regulations, LK Tech can provide guidance on how to improve your current IT to meet the standards. Get in touch to learn more and ensure your business doesn’t risk FTC penalties.
