Dealerships that were struggling to meet provisions of the FTC Safeguards Rule have been given some compliance breathing room by a deadline extension, but meeting the new requirements will take time.
That’s the message from Mark Dante, CDK’s global national cybersecurity subject matter expert, who in a recent webinar discusses the changes and suggests steps to become and remain compliant.
The overall thrust of the new requirements is to “strengthen the security posture for small businesses,” says Dante. What the FTC wants is for businesses to “develop, implement, and maintain a security program,” he says.
The Federal Trade Commission on Nov. 9 announced key changes to the Safeguards Rule that aims to protect consumers’ personal information. Those changes are not small tweaks, and after lobbying by groups such as the National Auto Dealers Assn., the deadline for compliance was extended. The most substantive changes were set to go into effect Dec. 9; that deadline is now June 9, 2023.
A major and very important change is the addition of more details to the required development and implementation of a written Internet Security Program, or ISP. It demonstrates the measures a dealership has in place to protect consumer data. If a dealership is audited, “they will certainly ask to see the ISP,” says Dante.
Now, dealership programs must have system access controls including authentication and encryption, and oversight of employees and service providers. “It is not that easy,” says Dante.
Dealerships must identify everyone who has access to their data including employees, customers and vendors. All are included in a risk assessment.
Dante recommends multi-factor authentication (MFA) for anyone accessing dealership or vendor systems. “This is one of the biggest and best ways to stop (unauthorized) people from entering your network,” he says.
He recommends dealerships conduct a risk assessment twice a year because remaining in compliance with the Safeguards Rule is an ongoing project.
It is not “a race to be compliant and I’m done,” says Dante. “The rules want you to continually do things. Wash, rinse, repeat. Get compliant and stay compliant.”
Dealerships should do penetration testing and vulnerability scanning, but not before a thorough risk assessment has been done. “Penetration tests are very expensive,” says Dante. “It will save money to do a risk assessment first.”
What Is a “Qualified Individual” and Why Do You Need One?
A very important change – and one reason the deadline was extended – is the requirement that a dealership appoint a “qualified individual” who is responsible for the ISP.
Initially, the rule called for each dealership to hire a Chief Information Security Officer (CISO), but the industry pushed back against that requirement.
“It is hard to hire and keep a good chief security officer,” says Dante. “It is also expensive.”
The “qualified individual” can be someone in the dealership, or a third party. This individual should work off a checklist as the ISP is being created, says Dante, and make sure all the boxes are checked. “They are the quarterback.”
If you are audited, it is worth bringing in a virtual CISO. If you have a security incident, even if the FTC doesn’t audit you, your cybersecurity insurance provider will, says Dante, and “they are looking for ways not to cover you.”
A virtual CISO can save a dealership “hundreds of thousands of dollars” in such a situation, he says.
Another change to the Safeguards Rule is that it now only applies to businesses with more than 5,000 customer records. That includes all data, not just transactional data.
Given that the average dealership has around 75,000 customer records, most dealers will need to comply, says Dante.
Dealerships also should be aware of state compliance requirements, says Dante. The California Consumer Privacy Act of 2018 gives consumers more control over personal information that businesses – including dealerships – collect about them.
Other states now have similar laws. And the states are very diligent about compliance, he says.
“The states have the wherewithal and incentive to make sure you are complying,” he says. “They can fine you (and) it is a revenue stream.”
The state privacy laws are especially complex for dealership groups with rooftops in more than one state. “It is just a matter of time before some states are knocking on your door,” says Dante.