Auto-Dealers Will Face Fines for Not Meeting New Security Mandate as of December 9, 2022

Auto dealers may face penalties for not meeting requirements established by amendments to the FTC’s Safeguard Rule.  In 2021, the FTC amended its Safeguard Rule, originally created in 2003, to help protect the security of customer information.  The Safeguard Rule applies to any non-banking financial institution. 

As of December 9^th of this year, the FTC will require all non-banking financial institutions, now including car dealers, to develop, implement, and maintain a comprehensive security program.  The reasoning behind the program is to ensure the security, confidentiality, and integrity of customer information.  Under the Gramm-Leach-Bliley Act, penalties to the organization could be up to $100,000 per violation and up to $10,000 per violation for officers and directors personally liable.

The amendment, created in 2021, allowed one year for auto dealers to put a security program in place (a month away from the time this article was published).  Auto dealer security programs must meet the following requirements (16 CFR § 314.4): 

1. Designate a qualified individual responsible for overseeing and implementing, as well as enforcing, the information security program (for purposes of this part, “Qualified Individual”). The Qualified Individual may be employed by a dealer, an affiliate, or a service provider.

2. Base the information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.

3. Design and implement safeguards to control the risks. Mandatory safeguards include:
   1. Implementing and periodically reviewing access controls
   2. Identifying and managing the data, personnel, devices, systems, and facilities that enable an organization to achieve business purposes in accordance with their relative importance to business objectives and risk strategy;
   3. Protection by encryption for all customer information held or transmitted by both parties in transit over external networks and at rest. Should it be determined that encryption of customer information, either in transit over external networks or at rest, is infeasible, a dealer may instead secure such customer information using effective alternative compensating controls reviewed and approved by the Qualified Individual;
   4. Adopting secure development practices for in-house developed applications utilized for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications utilized to transmit, access, or store customer information;
   5. Implementing multi-factor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls;
   6. Developing, implementing, and maintaining procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained
   7. Adopting procedures for change management
   8. Implementing policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.

4. Regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems. For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, an organization shall conduct:
   1. Annual penetration testing of information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and
   2. Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in information systems based on the risk assessment, at least every six months; and whenever there are material changes to operations or business arrangements; and whenever there are circumstances known or have reason to know may have a material impact on an information security program.

5. Implement policies and procedures to ensure that personnel are able to enact the information security program

6. Oversee service providers

7. Evaluate and adjust the information security program in light of the results of the testing and monitoring (as required above, paragraph 4)

8. Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the organization’s control.

9. Require the Qualified Individual to report in writing, regularly and at least annually, to the organization’s board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a senior officer responsible for the information security program.

Source: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314/section-314.4

Because of the complexity of this new FTC requirement that is taking effect, many auto dealers do not have the staff or resources to meet compliance.  In many cases, the best course of action is to partner with an organization well-versed in compliance requirements.  Appalachia Technologies is familiar with assisting organizations in meeting security compliance requirements across industries.  As a SOC2 Type 2 organization, Appalachia itself is audited to ensure the highest protections for customer data and how the data is handled.  Simply put, selling quality cars is what your organization does - security is what we do.  Our goal is to focus on what we are good at so that you can focus on your business.

Appalachia Technologies has experienced staff to help walk your business toward compliance.  If you would like to have a free consultation on what it might take to become compliant and avoid FTC fines, click here to set up a free 30-minute consultation.

Download the FTC Safeguards Checklist HERE.

For more information on what dealers need to know ahead of the December 9th, 2022 deadline, visit: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Mike Miller is a cybersecurity professional with 25 years of experience throughout the IT industry.  He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response.  In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022.  Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile.  When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.