Skip to main content

In his parting words Wednesday, Adam Crowell touched on the importance of his presentation.

“This won’t make you more money, but this is the type of stuff that if you don’t pay attention to you won’t have a business,” Crowell said.

With the Federal Trade Commission’s Safeguards Rule deadline fast-approaching, Crowell of ComplyNet helped dealers through a playbook to get resources in place by the Dec. 9 deadline during the BHPH Super Forum at the Austin Hilton.

The amended rules passed in December 2021 require financial institutions, including car dealerships, to follow technological and physical safeguards to protect the confidential information of customers. The rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”

Penalties can range up to $46,517 per violation.

While helping to understand the rule, Crowell provided dealers with a 10-step path to compliance.

It starts with establishing a Safeguards team, including IT/MSP vendors, qualified individuals at the dealership and specialists, such as Complynet, to perform risk assessments, employee trainings and develop plans and policies.

Part two is conducting a written risk assessment and then using it to create a written information security program.

Then employees should undergo mandatory job- and role-specific training.

Phishing is part of the training, and it should be backed up with a phishing penetration test. Crowell pointed out 91 percent of all hacking starts with phishing.

Vendor assessments and agreements need to be scrutinized. Service providers should be required by contract to implement and maintain safeguards for customer information.

Access controls must continually be reviewed. It starts with granted limited access and monitoring activity.

Penetration testing of your technology is encouraged along with a continuous monitoring security system.

A written incident response plan is also needed. An annual report should also be prepared on the risks assessments, testing results and proposed changes.