With the Federal Trade Commission’s recently issued Safeguards Rule, which requires stricter information security protections for consumers, U.S. auto dealerships have a heavy task of strengthening their information systems security.
The rule governs how financial institutions protect consumer data. Dealerships not only must implement changes to protect their own consumer data, but also must have a formal employee training program and third-party audits in place to ensure all of their vendors are following these guidelines as well.
What Is the New FTC Rule?
The FTC’s rule requires detailed procedures and specific criteria that auto dealers must implement to provide better protection and to curb data breaches and cyberattacks that could jeopardize sensitive customer data.
One of the first challenges dealerships must address is the fact that they are sitting on so much more consumer information today. If exposed, the sensitive information dealers take in could result in identity theft and those identities being sold to fraudsters. Critical consumer information includes access to credit reports, driver’s license information, images, account numbers, name, address, date of birth and, of course, credit card information.
Sophisticated dealers have established quality protections, but many dealerships have not. Having these safeguards in place for thousands of these dealers will be a heavy lift before the end of the year, including completion of all training curriculum and full implementation of programs.
What Dealers Need to Achieve Compliance
The Safeguards Rule originated in 2003 under the federal Gramm-Leach-Bliley Act, and as a result, dealers were designated as financial institutions because they provide financing agreements for their customers.
Recent revisions to the rule include five primary updates that focus on keeping data secure, such as limiting access to customer information and new requirements for encryption and multifactor authentication. What’s more, the rule states each dealership must designate one “qualified individual” to oversee their information security program.
Initially, dealers must perform a proper audit of their entire information security systems, as well as those of their vendor partners, to ensure things such as the encryption of consumer information. This way, if any part of the system is penetrated by a digital intruder, the data is not exposed. Dealers also will need to implement two-factor authentication systems and intrusion-detection tests at regular intervals. And, of course, dealers need to make sure their employees are properly trained on all these new measures.
It will be important for dealers to designate employees who are trained in taking ownership of these new regulations and ensuring everyone is ready. The new regulation even states that a written policy must be created and put in place, with all employees understanding the policy and signing off. The educational curriculum must be designed so that each employee is trained on all facets of the new regulation with full comprehension of each component.
Auditing Vendors and Information Privacy
One of the most challenging elements of the new regulation involves a thorough audit and inventory of needs by any vendors working with the dealer, including finance partners, advertising agencies, and data and technology partners. More than likely, dealers will need to hire outside counsel or a third party that has compliant programs to help build proper audit surveys of their partners.
Third-party vendors should be aware that these requests are coming and be prepared with a program in place, so they are not bogged down with no process to handle the volume.
Dealers would be wise to take inventory of every possible way they receive consumer data and information: the advertising and marketing insights that enter the top of the funnel at the beginning of the process, all of the search-engine and social-media data they receive through promotions and interactions, website information and insights, and certainly consumer information through the service lane.
Modern retailing has opened up an abundance of new opportunities for dealers to reach new customers, but it also represents many new opportunities to collect consumer data that now needs to be scrutinized under the new regulations.
The Safeguards Rule ultimately will help dealers better protect their customers’ valuable data and information – a practice that better manages the risks associated with today’s internet-heavy focus on customer interaction and transaction. There are significant challenges and hurdles in the near term for dealers and their vendor partners.
However, with the right guidance and expert counsel, dealers and their partners can achieve this critical compliance and train each employee on the new rules so they can provide their customers with the trust they need to do business in this era of modern retailing.
Ken Hill is managing director for 700Credit, a provider of automotive-industry credit reports, compliance and soft-pull products.