The Safeguards Rule affects any company or entity that offers or supports financial services, for example, dealerships and other similar industries that collect customer financial data. The new guidelines were published on December 9, 2021, giving those impacted by the changes a year to comply with the new standards and objectives.
Starting December 9, 2022, amendments to the FTC Safeguards Rule will require non-banking financial institutions to create, implement, and maintain a comprehensive security system to keep customer information safe. Motor vehicle dealers are considered a “non-banking financial institution” for purposes of the Rule. It’s crucial for dealers to understand how these amendments might impact their dealership before renewing or signing a new contract with a data security vendor.
The Revised Safeguards Rule encompasses all customer information, including that of customers of other financial institutions which have shared information with you. The customer information protected under the Safeguards Rule applies to Personally Identifiable Financial Information (PIFI). PIFI encompasses more than just social security numbers and credit card information; it encompasses any transaction which might disclose a customer’s financial information.
There are three primary objectives that an information security program must meet and have written policies in place to support. A security program must:
- Ensure the safety and confidentiality of customer information
- Protect against threats or hazards to the security and integrity of customer information
- Protect against unauthorized access to customer information
Eight Elements to Include in Your Information Security Program
To best meet the primary objectives the FTC has established, there are eight elements that must be included in your dealership’s information security program:
- Hire a cybersecurity expert who oversees and enforces the information security program. A qualified individual must have some level of information security training and knowledge. This individual is held accountable to issues that may arise due to a security event. A Qualified individual can be a third-party vendor.
- Conduct periodic risk assessments on the various security risks to customer information. This must be documented and include the risks or threats found and how each are addressed in the information security program. The documents should include the steps that have been made to ensure confidentiality, integrity and availability.
- Implement customer information safeguards. These safeguards include access control, inventory of all systems, data encryption, secure development practices, Multifactor Authentication (MFA), data disposal procedures, change management procedures, and monitoring and logging authorized user activities. This would be covered through continuous monitoring. If a system for continuous monitoring is not in place, biannual vulnerability assessments must be completed.
- Test or monitor the effectiveness of the various security controls used to detect attempted attacks on the systems that hold customer information regularly.
- Put policies and procedures in place to ensure that employees can enact the information security program. Employees must have sufficient information and training on the security risks. The training program must also integrate the new and evolving security risks.
- Verify that third party service providers are doing everything possible to protect customer information and that providers are assessed based on the risk that they pose to the customer’s information.
- Establish an Incident Response Plan (IRP). The IRP must include the goals of the plan, the internal process for responding to a security event, clear roles and responsibilities of the decision makers, all communication if an event were to occur, how to remediate systems in the case of an event, documentation related to incident response actives and evaluation and revisions of the IRP.
- Assure that the Qualified Individual reports in writing every year the overall status of the information security policy and compliance with the Revised Safeguards Rule. This should include documents that highlight any risk assessments, risk management controls, service provider contracts who handle customer information, penetration testing results, security events and the remediation steps, and changes to the information security program.