This week the FTC issued its long-awaited, final amendments to the FTC Safeguards Rule (“Rule”). The amended Rule contains a significant number of new and expanded procedural, technical, and personnel requirements that financial institutions, including dealers, must satisfy to meet their information security obligations.
Many of the amendments will require significant investments from dealers who must now adopt new information security measures. The changes adopted by the FTC to the Safeguards Rule include more specific criteria for what safeguards financial institutions must implement as part of their information security program. They include:
- limiting who can access consumer data and using encryption to secure the data;
- requiring institutions to explain their information sharing practices, specifically the administrative, technical, and physical safeguards the financial institutions use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customers’ secure information; and
- requiring financial institutions to designate a single qualified individual to oversee their information security program and report periodically to an organization’s board of directors, or a senior officer in charge of information security.
While several of the new obligations may already be in place at many dealerships, others vastly expand what most dealers have developed and will require additional investments in software, technology, and potentially dealership personnel. The challenges involved in satisfying the new obligations could also increase dealers’ liability exposure.
Dealers, as well as their relevant technology vendors, must comply with the new requirements of the Rule within one year of its upcoming publication in the Federal Register. Several of the new requirements do not apply to financial institutions that maintain customer information on fewer than 5,000 consumers.
The FTC is also seeking comment on whether to make an additional change to the Safeguards Rule to require financial institutions to report certain data breaches and other security events to the Commission.
NJ CAR has worked over the years to provide dealers the tools to comply with the Safeguards Rule. The NJ CAR-sponsored Dealer Safeguard Solutions (DSGSS) is a digital sales platform that enforces consistent compliance. It provides the technological glue to ensure that all dealership processes are consistently enforced. The optional Fraud Detection Platform validates driver licenses both in the showroom and remotely. DSGSS works with and drives a dealership’s current sales procedures, so dealers sell cars faster while improving their customer experience. Dealerships that are interested in learning more about the Dealer Safeguards Solution or in scheduling a presentation should contact the following individuals:
NJ CAR will continue to monitor the implementation of the new rule and develop compliance guidance for NJ CAR members in the form of publications and/or webinars. Dealers are encouraged to reach out to their technology vendors as soon as feasible to ensure they are taking the necessary steps to prepare to comply with the new requirements.