The Safeguards Rule is part of the Gramm-Leach-Bliley Act, and it requires financial institutions to protect the information of customers. This rule includes the finance departments of dealerships.
The Federal Trade Commission (FTC) updated the Safeguards Rule on October 27, 2021, and the changes will become effective on October 27, 2022. Learning about the updated Safeguards Rule and making the necessary changes now can help you and your dealership avoid substantial Federal penalties and fines. Providing plenty of protection for customer information can also help you attract new and repeat buyers. Here are the five biggest changes to the Safeguards Rule.
Before these changes, the Safeguards Rule offered very little detail about the requirements for an effective program to safeguard customer information. The new Safeguards Rule requires financial institutions to encrypt all customer information, whether it’s being transmitted through an online network or being stored in dealership files.
The authentication process to access this information must require at least two knowledge factors, possession factors, or inherence factors.
A knowledge factor can be a password, a PIN, or the answer to a security question.
A possession factor is based on the items you have with you. For example, you might need to enter a one-time password or PIN sent to your smartphone. Inherence factors use biometric characteristics, and they can include facial recognition, iris scanning, or fingerprint recognition.
The amended Safeguards Rule applies to any information provided by the consumer, resulting from a consumer transaction, or obtained in connection with a transaction. This includes lists of customers and their contact information that aren’t publicly available. It also applies to internet cookies.
Dealers must base their information security programs on written risk assessments. Every written risk assessment must have criteria for categorizing and evaluating risks and threats. It must also contain the criteria for assessing the confidentiality, availability, and integrity of customer information; the systems used to store it; and how vulnerable they are to hackers, identity thieves, and other potential threats.
Risk assessments must also include a description of how the risks or threats mentioned will be mitigated and how the institution will implement appropriate safeguards.
Dealers and other financial institutions must designate a single qualified individual to supervise, implement, and enforce their information security programs. With just one person in charge, several employees won’t need to coordinate their actions. Keeping track of program rules and changes can become easier as well.
The qualified individual can be an employee, contractor, or service provider. The Safeguards Rule doesn’t require any education, experience, or certifications.
However, you should choose someone who understands the company’s information system, what data the dealership stores about customers, and how the finance department works. Most dealers designate a manager as the qualified individual.
The qualified individual will need to submit regular reports to senior managers, board members, or executives about data security safeguards. They must report once per year about the overall status of the dealership’s information security program, its compliance with the Safeguards Rule, and any issues related to:
Reports should also include recommendations for improvements to the information security program from the qualified individual.
A Written Incident Response Plan
The new Safeguards Rule also requires a written incident response plan to help dealerships and other financial organizations respond promptly to security events and recover from them quickly. Written incident response plans must include:
- The goals of the plan
- Internal processes and procedures for responding to a security event
- Clear definitions of roles, responsibilities, and levels of authority for everyone who works with customer information
- Rules for external and internal communications and information sharing
- Requirements for correcting any weaknesses in information systems or controls soon after they’re identified
- Documentation and reporting rules for security events and related responses
- Provisions for evaluating and revising the incident response plan after security events and when otherwise needed.
Dealerships that collect data from fewer than 5,000 people are exempt from the incident response plan, written risk assessment, and annual reporting requirements.
NIADA is the only national association representing independent automobile dealers. NIADA provides legislative advocacy and extensive training and educational resources geared to improve dealership operations.
Learn more about how NIADA can help your dealership handle the changes associated with this new legislation and more: niada.com/why-niada/