The recent Dealership FTC Safeguards Rules create new standards and procedures that will apply to auto dealerships and go into effect in June 2023.
Auto dealerships are increasingly concerned with cybersecurity in the face of new regulations and an alarming rise in cyberattacks. The Second Annual Global State of Cybersecurity Report by CDK Global found that 85% of dealerships say cybersecurity is very or extremely important relative to other operational areas. Additionally, 89% say cybersecurity is more important than last year, a 12% increase. Not surprisingly, only 37% of auto retailers are confident in the current protection, which is a 21% decrease from 2021.
The study also found that dealerships experienced an average of 16 days of downtime after a ransomware attack, with an average payout of $228,125. However, the biggest impact of attacks on dealerships is likely the impact on customer loyalty. Some 84% of customers say they would not buy another vehicle from a dealership if a breach compromised their data.
With 36% of data breaches at dealerships related to phishing, it’s not surprising that dealerships rated phishing as their top concern. Other top threats included ransomware, lack of employee awareness, theft of business data, PC viruses or malware and stolen or weak passwords.
Increased Cybersecurity Vulnerabilities at Dealerships
Attacks related to phishing schemes are typically related to user error. According to the National Automobile Dealers Association Workforce Study, the annual turnover rate across all dealership positions is 24%. While this rate has gone down in recent years, dealerships still see relatively high employee turnover. This makes training and compliance a continuing challenge.
Dealerships also have unsecured wireless networks for customers to use while at the dealership. While this is a nice perk for customers, especially those waiting for their cars to be serviced, hackers can more easily gain access to customer data through unsecured networks. By moving to guest networks and providing passwords, dealerships can provide more protection and decrease risk.
The CDK Global study found that almost 60% of dealerships plan to increase their IT infrastructure investments. Top investments included antivirus and malware protection tools, which saw a 31% increase from 2022. According to the report, dealers also are updating cybersecurity measures that will protect them from top threats such as phishing and ransomware. Other planned investments include securing endpoint devices, investing in cybersecurity insurance and continued staff training.
Overview of the FTC Dealership Safeguards Rule
The Federal Trade Commission has recently updated the 2003 Gramm-Leach-Bliley Act ‘Safeguards Rule’ to create new standards and procedures that will apply to auto dealerships and go into effect in June 2023.
The FTC Safeguards Rule outlines the standards required for the protection of consumer data. The new updates create stricter criteria and procedures that car dealers will need to implement. Both to reduce the risk of a data breach and to better protect customer data. The new updates reflect fundamental principles of data security while also keeping pace with ongoing technological advancements.
As a non-bank financial institution, auto dealerships fall under the Safeguards Rule. It requires businesses to develop, implement and maintain a comprehensive security program to keep their customers’ information safe.
Who is Impacted by Safeguards Rule Changes?
The updates to the Safeguards Rule apply to all auto dealerships in the United States, both large and small. Specifically, within each auto dealership, the updates will apply to C-suite, owners, managers, IT directors, and those who are involved in day-to-day business operations.
Implications for Auto Dealerships
Understanding the implications of the FTC Safeguards Rule for auto dealerships is crucial for their operational success and compliance with regulations. Failure to comply with the rule can result in severe penalties, financial loss, damage to reputation, and potential legal actions.
One of the main implications of the rule is the requirement for auto dealerships to establish comprehensive data protection measures. This includes implementing safeguards to protect customer information from unauthorized access. Also, ensuring the confidentiality and integrity of data, and regularly monitoring and updating security systems. By doing so, dealerships can minimize the risk of data breaches and unauthorized use of consumer information, which can lead to financial loss and legal liabilities.
Furthermore, the rule emphasizes the importance of training employees on data protection and privacy practices. Auto dealerships must educate their staff on how to handle customer information securely, recognize potential security risks, and respond appropriately in the event of a data breach. This ensures that everyone in the dealership understands their role in safeguarding customer data. This reduces the likelihood of human error that could compromise data security.
Another implication of the FTC Safeguards Rule is the need for auto dealerships to regularly assess and update their data security practices. This involves conducting risk assessments to identify vulnerabilities. Also implementing appropriate measures to address those vulnerabilities and regularly reviewing and updating security protocols. By staying proactive and continuously improving their data protection efforts, dealerships can stay ahead of potential threats and ensure compliance with the rule.
Furthermore, the implications of the rule extend beyond data security. Auto dealerships must also consider the impact on their marketing and advertising practices. The rule requires transparency in consumer communication, ensuring that customers are informed about how their information is collected, used, and protected. This means that dealerships need to review their privacy policies, terms of service, and consent forms to ensure compliance and maintain consumer trust.
The new rules introduced by the FTC require car dealers to implement and follow specific criteria and procedures. One of the most significant challenges that auto dealers will face is the sheer volume of consumer information that they work with each day (and specifically, data that are prime targets for cybercriminals).
Specific examples of this data include:
- Bank Account Numbers
- Credit/Debit Card Numbers
- Credit Reports
- Dates of Birth
- Driver’s License Numbers
If any of this data is exposed, it could result in identity theft or in the data being sold to cybercriminals. Not only would that be dangerous to the victims, but it would also deal a severe blow to the reputation of the auto dealer.
If an auto dealer sustains a major data breach and that data is made public, it could be devastating, as customers could simply go to another, less “risky” dealer in town for the same make and model of vehicle they want.
Steps to Ensure Compliance
Complying with the FTC Safeguards Rule is essential for auto dealerships to protect customer information, avoid penalties, and maintain a positive reputation. To ensure compliance, follow these step-by-step guidelines:
- Familiarize Yourself with the Rule: Start by understanding the provisions and requirements of the FTC Safeguards Rule. Read the official document and any extra guidance provided by the Federal Trade Commission (FTC). This will give you a comprehensive understanding of your obligations as an auto dealership.
- Conduct a Risk Assessment: Assess the potential risks and vulnerabilities associated with your dealership’s data security practices. Identify and document the areas where customer information may be at risk, such as data storage systems, employee access to sensitive information, and third-party data sharing. This assessment will help you prioritize your efforts and allocate resources effectively.
- Develop a Written Information Security Program (WISP): Create a WISP tailored to your dealership’s specific needs and circumstances. This program should outline your data protection policies, procedures, and practices. It should also include details on how you will address identified risks and vulnerabilities. Also, how you will train and educate your employees on data security.
- Implement Safeguards: Put in place appropriate safeguards to protect customer information from unauthorized access, use, or disclosure. This may include encryption of sensitive data, secure storage and disposal practices, access controls, and network security measures. Regularly review and update these safeguards as technology and threats evolve.
- Implement multi-factor authentication for anyone accessing customer information on your system.
- Train Employees: Provide comprehensive training to all employees who handle customer information. Educate them on the importance of data protection, their roles and responsibilities, and how to identify and respond to potential security incidents. Regularly reinforce this training and keep employees informed of any updates or changes to your data security practices.
- Monitor and Audit: Continuously monitor and audit your dealership’s data security practices to ensure ongoing compliance. Review access logs, conduct vulnerability scans, and perform internal and external audits. This will help you identify any weaknesses or gaps in your security measures and address them promptly.
- Respond to Security Incidents: Have a plan in place to respond effectively to data breaches or other security incidents. Define the steps to take in the event of a breach, including notifying affected individuals, law enforcement, and the FTC as required. Implement procedures to investigate incidents, mitigate harm, and prevent future occurrences.
- Review and Update Policies: Regularly review and update your dealership’s privacy policies, terms of service, and consent forms to ensure they align with the requirements of the FTC Safeguards Rule. Make sure these documents clearly communicate to customers how their information is collected, used, and protected.
By following these steps, auto dealerships can ensure compliance with the FTC Safeguards Rule and establish a strong foundation for protecting customer information. Remember, it is crucial to stay informed about any updates or changes to the rule and adapt your practices accordingly. Prioritizing data security not only helps you meet legal requirements but also builds trust with your customers and enhances your reputation in the industry.
There are nine specific updates to the Safeguards Rule:
- Each auto dealership must designate a ‘qualified individual’ who will serve as the overseer of their cybersecurity program and provide written reports to a governing board
- They will need to conduct regular risk assessments of both their own security systems and the security systems of their vendors to ensure that all customer and client data is kept encrypted
- They must implement safeguards to control the risks identified, such as identity and access management, encryption, and multi-factor authentication.
- They must test and monitor effectiveness of key controls, through practices such as continuous monitoring and vulnerability assessments.
- They must ensure that all employees are provided with security awareness training, updated as necessary to reflect risks.\
- They must require their own service providers to maintain appropriate safeguards, through selection, contract requirements, and assessments.
- They must continue to adjust their security program based on the results of their monitoring and any changes to the business.
- They must establish a written incident response plan, outlining roles, responsibilities, and remediation actions taken in the event of an incident
- Finally, the qualified individual must report, in writing, on the overall status of the security program.
You can see the full outline of FTC Safeguards Rule requirements here.
Many of these requirements have detailed sub-parts, drilling down into specific technical safeguards. All of them will require auto dealerships to develop new cybersecurity capabilities and expertise. And all these new requirements will have to be overseen, monitored, documented, and reported on. This will be a major challenge for all dealerships, but especially those with limited in-house cybersecurity expertise.
FAQs on Auto Dealership FTC Safeguards Rule
What is the FTC Safeguards Rule? The FTC Safeguards Rule is a regulation implemented by the Federal Trade Commission (FTC) to protect consumer information collected by businesses, including auto dealerships. It requires dealerships to establish and maintain reasonable security measures to protect customer data from unauthorized access or use.
Why is the FTC Safeguards Rule important for auto dealerships? The rule is important for auto dealerships because it helps safeguard customer information, maintain trust, and avoid penalties. By complying with the rule, dealerships demonstrate their commitment to data security and consumer privacy, which enhances their reputation in the industry.
What are the potential penalties for non-compliance with the FTC Safeguards Rule? Auto dealerships that fail to comply with the FTC Safeguards Rule may face penalties, including fines and legal action. The specific penalties can vary depending on the severity and extent of non-compliance, but they can be significant and may harm the dealership’s finances and reputation.
How can auto dealerships ensure compliance with the FTC Safeguards Rule? Auto dealerships can ensure compliance with the rule by following the steps outlined in the comprehensive guide mentioned earlier in this blog post. These steps include familiarizing themselves with the rule, conducting a risk assessment, developing a written information security program, implementing appropriate safeguards, training employees, monitoring, and auditing data security practices, responding to security incidents, and regularly reviewing and updating policies.
What are the consumer rights under the FTC Safeguards Rule? Consumers have several rights and protections under the FTC Safeguards Rule. These include the right to privacy, the right to accurate information, the right to security, the right to access and control their personal information, and the right to file a complaint with the Federal Trade Commission if they believe their rights have been violated.
How can consumers protect their personal information when dealing with auto dealerships? Consumers can protect their personal information when dealing with auto dealerships by being cautious about sharing sensitive data, such as their Social Security number or financial information. They should also regularly monitor their credit reports for any suspicious activity and report any concerns or discrepancies to the appropriate authorities.
What should consumers do if they believe an auto dealership has violated their rights under the FTC Safeguards Rule? If consumers believe that an auto dealership has violated their rights under the FTC Safeguards Rule, they should first attempt to resolve the issue directly with the dealership. If that does not result in a satisfactory resolution, they can file a complaint with the Federal Trade Commission. The FTC investigates complaints and takes enforcement actions against businesses that fail to comply with the rule.
Compliance with the FTC Safeguards Rule is crucial for auto dealerships to protect customer information and maintain trust. By following the step-by-step guide provided, dealerships can establish a strong foundation for data security. Monitoring and auditing practices, having a plan for security incidents, and regularly reviewing privacy policies are essential. Consumers should understand their rights and protections, be cautious with sharing sensitive information, and monitor their credit reports. Staying informed about rule updates is important for ongoing compliance and customer trust.
How Can Cloud9 Data Help?
With the proper guidance, auto dealers can ensure that they are in compliance with the new updates and maintain that compliance moving forward.
Cloud9 Data can be a part of helping dealers ensure compliance with the new updates in the following ways:
- We continuously monitor your entire environment to both detect cybersecurity threats when they arise and offer continual feedback on how your security systems can be improved.
- We provide continual vulnerability assessments, so you understand each of the cybersecurity risks facing your dealership and your customers.
- We identify any threats targeting your dealership’s network or cloud applications.
- We can provide cybersecurity awareness training to your security team and employees, as well as provide exercises to ensure proper lesson retention.
- And we can provide records and reporting on a dealership’s security activities—including both those we provide and those the dealership performs itself.
Contact Our Team to learn more about how auto dealerships are securing their critical data and making security operations easier with Cloud9 Data Solutions.