November 15, 2022
Today, the FTC voted 4-0 to extend the deadline to fully comply with the FTC Safeguards Rule by 6 months. The new deadline for complete compliance is June 9, 2023. That is good news for dealerships that have been scrambling to come into compliance during a labor shortage.
Here are the specific provisions that have been extended:
- Section 314.4(a), which requires the designation of a “qualified individual” to implement, oversee, and enforce the information security program of a “financial institution”;
- Section 314.4(b)(1), which requires the information security program to be based upon a written risk assessment that identifies various internal and external risks;
- Section 314.4(c)(1)–(8), which requires designing and implementing various administrative, technical, and physical safeguards, including physical and technical access controls, multi-factor authentication, encryption, activity logging, and change management procedures;
- Section 314.4(d)(2), which includes continuous monitoring of information systems and, absent effective continuous monitoring, annual penetration testing and vulnerability scanning at least every 6 months;
- Section 314.4(e), which includes mandatory training and engaging qualified information security personnel to oversee the information security program;
- Section 314.4(f)(3), which requires periodic assessments of service providers with access to customer information;
- Section 314.4(h), which requires a written incident response plan; and
- Section 314.4(i), which requires a status report (at least annually) to the Board of Directors (or equivalent governing body).
Some provisions of the FTC Safeguards Rule remain in effect, however. For example, dealerships must still have a written information security program, still select service providers that are capable of maintaining appropriate safeguards and contractually obligate them to protect customer information, and still maintain appropriate safeguards.
Moreover, the FTC has taken enforcement actions against other businesses that are not covered under the revised FTC Safeguards Rule, using the FTC’s power under Section 5 of the FTC Act to prosecute unfair and deceptive acts and practices. In some of those cases, the FTC has found fault with businesses under Section 5 for not using encryption or multi-factor authentication and for not providing security awareness training to employees.
While the 6 month delay may feel like a reprieve, businesses that maintain consumer information without meeting the requirements set forth in the revised FTC Safeguards Rule will remain exposed to FTC enforcement action under Section 5.