In 2021, the Federal Trade Commission (FTC) amended the Gramm-Leach-Bliley Act, which is commonly known as the “Safeguards Rule.”  The amendment, which goes into effect on June 9, 2023, creates stricter regulations for car dealership data protection. The rule requires dealerships with over 5,000 customer records to develop, implement, and maintain a security program to protect customer information. If you’re a small dealer, you might wonder how you can contend with these big changes. In this guide, we’ll outline the new regulations and discuss how a managed services provider in Orange County, like TechHeights, can help car dealerships get compliant before the upcoming deadline.

What Are the FTC Regulation Changes for Car Dealerships?

Car dealerships handle a large volume of consumer information, including sensitive data that cybercriminals want to steal. The Safeguards Rule outlines stricter procedures that dealerships must follow to protect their customers’ information and reduce the possibility of a cyberattack. Before the amendment, the FTC allowed dealerships to make their own protections. However, with the rise of cybercrimes, the revised rule provides more concrete guidance for dealerships’ security programs. 

Updates to the Safeguards Rule

The new Safeguards Rule identifies nine key elements that your car dealership’s information security program must include: 

  1. Designate a “Qualified Individual” to implement and supervise the dealership’s information security program. This person can be an employee or can work for an IT service provider in Orange County, like TechHeights.
  2. Conduct a risk assessment. Before creating a compliant security program, dealerships must first understand what information they have, where this information is located, and which specific threats could affect the data’s security. 
  3. Implement safeguards to control the identified risks. This part of the rule is very detailed and includes specifics on access management, encrypting sensitive information, implementing multi-factor authentication, and securely disposing of information. 
  4. Assess vulnerabilities and continuously monitor the effectiveness of these safeguards. 
  5. Train your employees. Staff members need regular, specialized training to spot potential risks.
  6. Monitor service providers. Your dealership probably works with multiple vendors to run your business as smoothly as possible. But under the new rule, your service provider contracts must include security expectations, including security assessments.
  7. Keep your information security program current. Dealerships must adjust digital security programs based on any changes.
  8. Write an incident response and recovery plan. The plan must outline procedures, processes, roles and responsibilities in case of a security event. 
  9. Require the “Qualified Individual” to provide a regular written status report on the company’s security program.

How Can a Managed Service Provider Help Car Dealerships Stay Compliant?

The changes to the Safeguards Rule are complex and time-consuming. Many of the requirements listed above have detailed specifics, and all of them require most car dealerships to develop new expertise and capabilities — and fast. A managed service provider in Orange County can be a trusted partner in helping you create a culture of cybersecurity awareness. TechHeights helps car dealerships stay compliant in a variety of ways, including:

  • Assessments: We’ll guide you through the process and perform a detailed analysis to determine your current level of compliance.
  • Recommendations: After the assessment, we’ll give your dealership specific guidance on how to build and implement a compliant information security program.
  • Training: We can provide cybersecurity awareness training to your employees, contractors, and vendors.
  • Monitoring: TechHeights offers continuous security monitoring to detect potential cybersecurity threats and vulnerabilities.

Our certified experts understand that the new FTC regulations create significant challenges for small car dealerships. Contact TechHeights today for expert help tailored to these new requirements for car dealerships.
