Data Security for Dealerships

Safeguards Rule Updates: How the changes impact your information security program

The repercussions of identity theft are disruptive and costly, which is why the Federal Trade Commission (FTC) implemented the Safeguards Rule in 2003. The rule requires “financial institutions” - including automobile dealers under the FTC's definition - to develop, implement and maintain a comprehensive information security program (ISP) to keep their customers' information safe.

The FTC reported a 73% year-over-year increase in reports of identity theft from 2019 to 2020.* With statistics rising sharply and major data breaches occurring - including one involving Equifax that affected approximately 147 million Americans - the FTC launched an initiative to reassess the Safeguards Rule. In 2019, the Commission sought public comment on proposed changes and held a workshop on those proposals during the summer of 2020.

After two years of public consideration, in a controversial 3-2 vote with Commissioners Noah Joshua Phillips and Christine S. Wilson dissenting, the FTC announced significant changes to the Safeguards Rule that every dealer needs to know. The FTC's Oct. 27, 2021, official notice with the updated Safeguards Rule is 145 pages long, but I'll summarize the major changes that may impact your dealership.

Most of them involve specific criteria that you must incorporate into your ISP. Dealers have always been required to develop their program based on a risk assessment that identifies potential improper access points to consumer information, but now the risk assessment must be in writing and include the following:

  • Criteria for the evaluation and categorization of identified security risks;
  • Criteria for the assessment of the confidentiality, integrity and availability of information systems and customer information, including the adequacy of existing controls in the context of the identified risks; and
  • A plan that describes how identified risks will be mitigated or accepted based on the risk assessment and how the ISP will address the risks.

The updated Safeguards Rule also requires financial institutions to implement specific safeguards into their ISPs, including:

  • encryption for all customer information in transit and at rest - or effective alternative controls if encryption isn't feasible;
  • multifactor authentication for anyone accessing any information system - or a reasonable equivalent;
  • procedures to dispose of customer information no later than two years after the date the information was last used - with exceptions if regulations mandate otherwise;
  • continuous monitoring or periodic penetration testing and vulnerability assessments;
  • steps for selecting and retaining service providers capable of maintaining appropriate safeguards for consumer information, including contractually obligating service providers to implement and maintain those safeguards, and periodically assessing service providers based on the risk they present;
  • a written incident response plan designed to promptly respond to, and recover from, a security event materially affecting the confidentiality, integrity or availability of customer information in your control.

The changes to the Safeguards Rule will also require your dealership to:

  • designate a single “qualified individual” responsible for overseeing, implementing and enforcing the institution's ISP;
  • train your employees in processes required to enact the ISP;
  • submit periodic reports to boards of directors or an equivalent governing body that address the overall status of your ISP's compliance with the Safeguards Rule.

If there's a silver lining, the FTC included a “small business exemption” for financial institutions that maintain customer information concerning fewer than 5,000 consumers. However, it only applies to certain requirements. If your dealership qualifies for the exemption, you won't have to complete a written risk assessment, prepare incident response plans or complete the annual reporting requirements.

The new rules create additional layers of compliance, which will of course cost money, a point I made to the FTC in official comments and in conversations with FTC officials. Most of the new Safeguards Rule requirements go into effect Oct. 27, 2022. In the interim, dealers should conduct a thorough assessment of their existing information security programs.

What do you need to do to comply with the changes? You may need assistance from an IT professional. However, that expense may be cheaper than the hefty fines the FTC will levy for noncompliance - or worse, what a class action attorney may get in damages if there's a data breach associated with your dealership.


Shaun Petersen

Executive Vice President

Shaun Petersen is the Executive Vice President and Chief Legal Officer at Buckeye Dealership Consulting. He can be reached at 330-726-9030.