New Compliance Deadline: June 9, 2023
The Federal Trade Commission stated yesterday that it is extending by six months the deadline for businesses to comply with some of the amendments it made to strengthen the data security measures financial institutions must put in place to protect their customers' personal information. Several of the new Safeguards Rule requirements must now be met by June 9, 2023.
FTC Safeguards Rule Compliance Deadline Approaches for Dealerships
The Federal Trade Commission updated the GLBA Safeguards Rule on December 9, 2021, adding new criteria for automotive dealerships. Most of the new compliance criteria went into effect on January 10, 2022. The date on which the remaining regulations aimed at protecting consumer financial information take effect is now approaching fast. The final deadline had been set for December 9, 2022; as of yesterday, it has been pushed back an additional six months.
Why Compliance Is Important for Dealerships
- 84% of car buyers would not return to a dealership after their data had been breached.
- 30% of vehicle dealerships are not up to date with security software.
- Ransomware, the most common type of cyberattack in the automotive sector, costs an average of $1.4 million per incident to remediate.
Main Changes to the FTC Safeguards Rule
Car dealerships should already be familiar with the FTC's “Standards for Safeguarding Customer Information,” better known as the “Safeguards Rule.” Since 2003, this rule has required dealerships to create and maintain a documented data security program. Its goal is to ensure that companies handling consumer data, particularly financial data, safeguard it against misuse or theft.
The set of requirements that took effect on January 10, 2022, called for only minor adjustments to the framework most dealerships already had in place. Since then, dealerships have been required to run periodic risk assessments to identify threats to consumer information, and to conduct tests that detect actual or attempted breaches of their information systems. The new language in the Safeguards Rule makes it clear that this risk assessment and breach detection must be ongoing rather than a one-time exercise.
For the approaching deadline, there are more significant changes for which dealerships need to prepare. In general, these include designating a qualified individual to lead the security and compliance program, carrying out and documenting regular assessments, developing security policies and plans, and reporting on these efforts. The compliance changes for dealerships fall into three categories: reporting and planning, information security requirements, and security testing.
Reporting and Planning
Under the revised FTC rule, the very first requirement is to have a designated qualified individual (QI). The QI is appointed to oversee the entire Safeguards compliance program.
The qualified individual can be either an employee or an outside professional, such as a virtual CISO, but must have professional cybersecurity training, since he or she is responsible for creating the compliance plans and reports. The role also involves verifying that security personnel are taking the necessary steps to maintain the security program and staying current on emerging issues.
Together with the organization's senior management, the QI is also charged with reporting on FTC GLBA compliance. Under the new rule, reporting requires periodic written risk assessments, an incident response plan, vulnerability tests, and an annual security assessment report. The annual report is a high-level document: it should cover potential risks from a broader business perspective as well as company policies and procedures.
Incident Response Plan
This document should lay out the goal of the dealership's plan, the processes for responding to an event, and clearly defined roles, responsibilities, and decision-making authority. It should also cover documentation and reporting of the security event, internal and external communications, information sharing, and the requirements for remediating identified weaknesses. Finally, the plan needs to cover the evaluation and revision of the incident response process following a security event.
Security Assessment Report
The updated FTC Safeguards Rule requires annual written reporting. The scope of the report is to inform management on the state of the dealership's security preparedness. Wherever possible, it should identify potential future risks and attack scenarios and how to practically defend against them. The report is developed from the prior year's vulnerability and penetration testing, and its intent is to communicate the weaknesses found and a plan for how they will be addressed.
The annual reporting provision ensures that the governing body of a financial institution is engaged with and informed about the state of its information security program.
This will help financial institutions ensure that their information security programs are being maintained appropriately and are being given the necessary resources. So the spirit of this report is not only to make sure that consumers are protected, but, in my opinion, it's also to remove plausible deniability for upper management; the idea is that major stakeholders are not going to be in the dark about where the ship stands from a cybersecurity perspective.
Information Security Requirements
The new Safeguards Rule also defines specific information security requirements. These include:
- The use of multi-factor authentication, also referred to as 2FA or MFA;
- Encryption of all data in transit and at rest on the dealership’s networks and external networks; and
- A security training program that covers breach techniques like phishing and social engineering.
To expand on these: the multi-factor authentication requirement means that at least two factors are needed to access a system, usually a password combined with a verification code from a hardware token or authenticator app, or a mobile push notification. Encryption is required for any personal customer data stored in or transmitted through IT systems, and this includes email messages. Finally, employee awareness training matters because cybersecurity is a shared responsibility; it's everyone's job. Training for dealership employees should cover things like locking workstations when not in use, how to spot phishing emails, password hygiene, and more.
Security Testing
The FTC now requires regular security testing in two forms: periodic vulnerability scans and annual penetration tests carried out by a qualified third party. These tests look over the entire network and IT environment in order to find potential vulnerabilities. Certified practitioners, sometimes known as ethical hackers, probe the IT system from both inside and outside, simulate malicious cyberattacks, and check that automated security controls and the monitoring tools that watch for suspicious activity work as they should.
As is always the case with security assessments, the goal is to gather information that helps the organization improve its security controls and prevent a real data breach. During testing, security practitioners try to circumvent or defeat the information system's security features; this pinpoints weaknesses and informs a plan for improvement.
What Should Dealerships Do to Prepare for the Updated FTC Safeguards Rule?
There isn’t much time to lose. To avoid significant penalties for noncompliance, the deadline to meet is June 9, 2023. If your dealership has not started already, it is highly recommended that your IT department seek assistance from professional cybersecurity experts who also understand your industry.
Related article: What is the FTC Red Flags Rule & What Type of Entities Must Comply?