As of June 9, 2023, the new FTC Safeguards Rule requirements are in effect. It is essential that you are in compliance with this rule, and OHIADA is here to help you understand and meet that deadline.
The deadline for compliance with the Federal Trade Commission’s (FTC) “Safeguards Rule” was June 9, 2023.* OHIADA is here to help you meet and understand that deadline. We designed this checklist to help automobile dealers on a budget comply with the FTC Safeguards Rule. However, the FTC is clear that larger organizations have more requirements based on their size. No matter your size, do not just go out and buy a one-size-fits-all program. The FTC has been clear that a compliance program that is not actually followed offers you no protection from enforcement.
Safeguards Policies: A Complete Toolkit for Dealers
Written Safeguards Policies
A Designated Qualified Individual
A Process for Updating Software
Encryption for Consumer Information
A Specific Set of Policies and Procedures
Multi-Factor Authentication
Security Awareness and Training
Secure Data Destruction
Monitoring and Testing of Safeguards
A System for Ensuring Vendor Compliance
Written Safeguards Policies
You must have written policies that are appropriate for the size and complexity of your dealership. For most smaller dealerships, sample policies can be found within the Dealer Education Portal’s Qualified Individual Safeguards. You can use these templates as a starting point and write policies specific to your business practices. Keep in mind that the bigger your dealership, the more you will need to add to these policies. Those forms are as follows:
- A written Dealership Privacy Policy and Information Security Standards
- Employee agreement to comply with policies and information security standards (this may also be incorporated into your employee handbook)
- Written Vendor agreement
A Designated Qualified Individual
A Process for Updating Software
A process for ensuring software is kept updated and for learning of new and known security risks
- Set updates on software to update automatically.
- A great way to learn about security risks is by subscribing, for free, to alerts from the Cybersecurity and Infrastructure Security Agency (CISA).
Encryption for Consumer Information
A process for ensuring consumer information is encrypted both at rest and in transit. Encrypt sensitive information that you send to third parties over public networks (like the internet) and encrypt sensitive information that is stored on your computer network, laptops, or portable storage devices used by your employees. Consider also encrypting email transmissions within your business. Don’t forget to consider any information held by your employees on their smartphones or other devices which they may use in addition to devices owned by your dealership.
- Strong encryption is built into modern versions of the Windows and OS X operating systems, and it is available for some Linux distributions as well. Both Microsoft and Apple provide guidance on how to ensure it is enabled.
- Ensure your vendors are encrypting any data they have through the contract and monitor their compliance to the best of your ability.
A Specific Set of Policies and Procedures
The following policies and procedures should be developed, and if you hold information on more than 5,000 consumers, they must be written:
- A security risk assessment: You can’t formulate an effective information security program until you know what information you have and where it’s stored. After completing that inventory, conduct an assessment to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information. Among other things, your risk assessment must be written and must include criteria for evaluating those risks and threats. Think through how customer information could be disclosed without authorization, misused, altered, or destroyed. The risks to information constantly morph and mutate, so the Safeguards Rule requires you to conduct periodic reassessments in light of changes to your operations or the emergence of new threats.
- Incident Response Plan (Included in Dealer Education Portal’s Qualified Individual Safeguards): You should also consider state law which can be obtained by contacting your state association or from this chart from Foley & Lardner.
- Process for reporting breaches and safeguards-related items to the ownership at least annually.
Multi-Factor Authentication
Implement multi-factor authentication. The Rule requires at least two of the following three types of authentication factors: a knowledge factor (for example, a password), a possession factor (for example, a token), and an inherence factor (for example, biometric characteristics). The only exception is if your Qualified Individual has approved in writing the use of another equivalent form of secure access controls.
Microsoft Azure is a free/low-cost option for meeting this requirement.
Security Awareness and Training
Perform Safeguards Security Awareness and Training. OHIADA offers a low-cost option for safeguards security awareness and training that is designed for large and small dealers. The course is offered through the Dealer Education Portal.
Secure Data Destruction
Secure data destruction, including disposing of customer information held in physical form and in electronic form. Remember to consider the data on vehicles and Wi-Fi equipment, as this is often overlooked.
Keep in mind that the rule requires the deletion of customer information two years after the last time the information is used in connection with providing a product or service to the customer unless the information is required for a legitimate business purpose. For a list of how long to keep information, please refer to state law and this guide on federal law.
Take care to wipe a customer’s data from their trade-in vehicle as well as from any dealership’s loaner, demonstrator, or rental vehicle before selling that vehicle or allowing another to use or rent the vehicle. Wiping data includes unpairing all Bluetooth devices, resetting the garage door opener, resetting telematics services, and logging out of cloud accounts. Remind consumers to check to make certain they have cleared connections between their devices and the vehicle and consider having them sign a statement stating they did. The manufacturer’s owner manual should provide the necessary information to clear or wipe data. The vehicle may have a factory reset option that returns the settings to their original state. Alternatively, instead of using the owner’s manual, there are services that will provide you with step-by-step instructions and certification the information has been cleared.
Please note that there is some debate within the industry about the requirement to wipe out the data in trade-ins, but a best practice is to comply with requirements when in doubt.
Monitoring and Testing of Safeguards
Regularly monitor and test the effectiveness of your safeguards. Test your procedures for detecting actual and attempted attacks. For information systems, testing can be accomplished through continuous monitoring of your system. If you do not implement continuous monitoring, you must conduct annual penetration testing, as well as vulnerability assessments, including system-wide scans every six months designed to test for publicly known security vulnerabilities. In addition, test whenever there are material changes to your operations or business arrangements and whenever there are circumstances you know, or have reason to know, may have a material impact on your information security program.
Information on vulnerability testing can also be found here.
A System for Ensuring Vendor Compliance
Establish a system for ensuring vendor compliance with their requirements to protect the data you share with them. You should send a questionnaire to vendors and review their controls.
- Make sure your contract indemnifies you from any breach of data that occurs due to the vendor.
- A tracking mechanism should be implemented that lists all vendors, contractors, and subcontractors and identifies those that have access to business/confidential, sensitive, and protected information.
- There are several free options for creating your own questionnaires, such as the templates from Security Scorecard and Content Snare.
- Contractually require your vendors to notify you of any data breaches.