Auto dealers will have an extra six months to comply with the Federal Trade Commission’s Safeguards rule.
The FTC announced Tuesday it was pushing the deadline for financial institutions, including auto dealers, to comply with the new rule to June 9, 2023. The deadline was Dec. 9.
“The Commission is extending the deadline based on reports, including a letter from the Small Business Administration’s Office of Advocacy, that there is a shortage of qualified personnel to implement information security programs and that supply chain issues may lead to delays in obtaining necessary equipment for upgrading security systems,” said the statement from the FTC. “These difficulties were exacerbated by the COVID-19 pandemic. These issues may make it difficult for financial institutions, especially small ones, to come into compliance by the deadline.”
The announcement was welcomed by NIADA, which has been working to help dealers understand and comply with the new rule.
“We applaud the FTC on extending the deadline to allow our dealers ample time to address the complexity of the rule and ensure they are compliant,” said NIADA Vice President of Government Affairs Brett Scott.
According to the FTC, the Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.
The updated rules approved in October 2021 require financial institutions to designate an individual to oversee their security program, develop a written risk assessment, limit and monitor who can access customer information, encrypt information, train security personnel, develop a response plan, assess the security practices of service providers and implement multi-factor authentication for any individual accessing customer information.
Penalties can range up to $46,517 per violation.
FTC Commissioner Christine Wilson, who voted against the rules amendment in December 2021, released a statement supporting the deadline extension.
“Despite assurances that financial institutions were already implementing many of the requirements of the amended rule or had sophisticated compliance programs that could easily adopt and pivot to address new obligations, I was concerned that the commission did not understand fully the economic impact of the proposed changes,” Wilson said. “It has become clear that the commission may have underestimated the burdens imposed by the Rule revisions. While I continue to note my concerns about the revisions to the recently amended Safeguards Rule, I support extending the effective date. Labor shortages of qualified personnel have hampered efforts by companies to implement information security programs. Some estimates place the shortage of cybersecurity professionals in the 500,000 range. Supply chain issues also have led to delays in obtaining necessary equipment for upgrading systems. These factors are outside the control of financial institutions and have complicated efforts by companies to meet the requirements of the amended Rule by year end.”
At the NIADA BHPH Super Forum on Nov. 9 in Austin, a workshop was held on the new rules.
Adam Crowell of ComplyNet helped dealers through a playbook to get resources in place.
While helping dealers understand the rule, Crowell provided them with a 10-step path to compliance.
It starts with establishing a Safeguards team, including IT/MSP vendors, qualified individuals at the dealership and specialists to perform risk assessments and employee training and to develop plans and policies.
Part two is conducting a written risk assessment and then using it to create a written information security program.
Then employees should undergo mandatory job- and role-specific training.
Phishing is part of the training, and it should be backed up with a phishing penetration test. Crowell pointed out 91 percent of all hacking starts with phishing.
Vendor assessments and agreements need to be scrutinized. Service providers should be required by contract to implement and maintain safeguards for customer information.
Access controls must be reviewed continually. It starts with granting limited access and monitoring activity.
Penetration testing of your technology is encouraged along with a continuous monitoring security system.
A written incident response plan is also needed. An annual report should also be prepared on the risk assessments, testing results and proposed changes.