With the Federal Trade Commission's Safeguards Rule deadline nearing, the National Independent Automobile Dealers Association is working to make sure all its members have the information they need to be compliant.
NIADA is hosting a free webinar, “The Roadmap for Complying with the Updated FTC Safeguards Rule” at 1 p.m. ET Tuesday, March 21.
The webinar will be presented by ComplyNet, NIADA’s endorsed compliance provider.
The FTC Safeguards Rule deadline is June 9. In November, it was extended from the original December date.
According to the FTC, the Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.
The updated rules, approved in October 2021, require financial institutions to designate an individual to oversee their security program, develop a written risk assessment, limit and monitor who can access customer information, encrypt information, train security personnel, develop a response plan, assess the security practices of service providers and implement multi-factor authentication for any individual accessing customer information.
Penalties can range up to $46,517 per violation.
At the NIADA BHPH Super Forum on Nov. 9 in Austin, a workshop was held on the new rules.
Adam Crowell of ComplyNet helped dealers through a playbook to get resources in place.
While helping dealers understand the rule, Crowell provided them with a 10-step path to compliance.
It starts with establishing a Safeguards team, including IT/MSP vendors, qualified individuals at the dealership and specialists to perform risk assessments and employee training and to develop plans and policies.
Part two is conducting a written risk assessment and then using it to create a written information security program.
Then employees should undergo mandatory job- and role-specific training.
Phishing is part of the training, and it should be backed up with a phishing penetration test. Crowell pointed out that 91 percent of all hacking starts with phishing.
Vendor assessments and agreements need to be scrutinized. Service providers should be required by contract to implement and maintain safeguards for customer information.
Access controls must be reviewed continually. It starts with granting limited access and monitoring activity.
Penetration testing of your technology is encouraged, along with a continuous security monitoring system.
A written incident response plan is also needed. An annual report should be prepared on the risk assessments, testing results and proposed changes.
NIADA has worked with ComplyNet to create the Independent Dealer’s FTC Safeguards Rule Playbook to provide a guide to help you get everything in order.
The playbook can be purchased online at niada.com. NIADA membership includes a complimentary copy of the playbook.