Building sustainable compliance for dealerships in response to the new FTC Safeguards Rule

The Federal Trade Commission (FTC) “Standards for Safeguarding Customer Information” (Safeguards Rule) under Section 501(a) of the Gramm-Leach Bliley Act (GLBA) define compliance requirements to protect consumer information from misuse or a data breach, and ultimately protect customers from identity theft or privacy violations. The Safeguards Rule underwent revisions on Dec. 9, 2021, which expanded many requirements of the original rule, including requiring dealerships to revise their programs and implement new compliance measures. Under the new Revised Safeguards Rule, dealerships must comply with the new FTC safeguards rule requirements by Dec. 9, 2022.

If these new requirements are not met, the FTC can initiate an enforcement action against an auto dealer. Such enforcement might include long-term consent decrees with the company or executives as well as monetary fines over $46,000 per violation. Further legal costs make this a significant issue that needs to be carefully addressed. Dealers need to act now to ensure compliance and avoid such penalties. Baker Tilly is ready to help you achieve compliance with the new FTC Safeguards Rule with our approach tailored to the needs and concerns of dealerships.

The new FTC Safeguards requirements:

The Revised Safeguards Rule requires a number of documented policies and procedures as well as implementation of security processes including the following:

• Designation of a qualified employee to oversee and manage the information security program
• A written security risk assessment
• A formally written information security program
• A formally written incident response plan
• A formally written report to the board of directors about information security controls
• Encryption of all customer data at rest and in transit
• Multifactor authentication
• System monitoring
• Penetration testing
• Vulnerability assessments