With the Federal Trade Commission’s (FTC) latest Safeguards Rule, which requires stricter information security programs for consumers, U.S. auto dealerships have a heavy task of strengthening their information systems security. The ruling oversees how financial institutions protect consumer data, and dealerships must implement changes to protect their own consumer data, but they also must have a formal training program for their employees and third-party audits in place to ensure their entire list of vendors are also following these guidelines.
What is the New FTC Rule?
The FTC’s rule requires detailed procedures and specific criteria that auto dealers must implement to provide better protection and to curb data breaches and cyberattacks that could jeopardize sensitive customer data.
One of the first challenges dealerships need to address is the fact that they are sitting on so much more consumer information today. The amount of informa-tion dealers take in that’s sensitive could result in identity theft, and those identities being sold to fraudsters. They have an immense amount of critical consumer information, including access to credit reports, driver’s license information, images, account numbers, names, addresses, dates of birth, and, of course, credit card information.
Sophisticated dealers have quality protections in place, but there are a lot of dealerships that do not have protections and programs in place. Having these safeguards in place for thousands of these dealers will be a heavy lift before the end of the year, including all training curriculum completed and programs fully implemented.
The new Safeguards Rule will ultimately help dealers better protect their customers’ valuable data and information – a practice that better manages the risks associated with today’s internet-heavy focus on customer interaction and transaction.
What Dealers Need to Achieve Compliance
The Safeguards Rule began in 2003 under the federal Gramm‐Leach‐Bliley Act, and as a result, dealers were designated as financial institutions since they provide financing agreements for their customers. Revisions to the rule were recently approved, and the revised version now includes five primary updates that focus on keeping data secure, such as limiting access to customer information and new requirements for encryption and multifactor authentication. What’s more, the rule states each dealership must designate one “qualified individual” to oversee their information security program.
Initially, dealers must perform a proper audit of their entire information security systems, as well as any of their vendor partners, to ensure things like the encryption of consumer information. This way, if any part of the system is penetrated by a digital intruder, the data is not exposed. Dealers will also need to implement two‐factor authentication systems and regular intervals of intrusion detection tests. Dealers also need to make sure their employees are properly trained on all these new measures.
It will be important for dealers to designate individuals within the dealership who are trained on taking ownership of these new regulations and ensure everyone is ready. The new regulation even states that a written policy must be produced and put in place, with all employees understanding the policy and signing off. The educational curriculum must be designed so that each employee is trained on all facets of the new regulation with full comprehension of each component.
Auditing Vendors and Information Privacy
One of the most challenging elements of the new regulation involves a thorough audit and inventory of needs by any vendors working with the dealer, including finance partners, advertising agency, data and technology partners, etc. More than likely, dealers will need to hire outside counsel or a third party that has compliant programs to help build proper audit surveys of their partners. Third‐party vendors should be aware that these requests are coming and be prepared with a program in place, so they are not bogged down with no process in place to handle the volume.
Dealers would be wise to take inventory of every possible way they receive consumer data and information, from the beginning of the process with advertising and marketing insights that enters the top of the funnel, all of the search‐engine and social media data they receive through promotions and interactions, website information and insights, and certainly consumer information through the service lane. Modern retailing has opened up an abundance of new opportunities for dealers to reach new customers, but it also represents so many new opportunities to collect consumer data that now needs to be scrutinized under the new regulations.
The new Safeguards Rule will ultimately help dealers better protect their customers’ valuable data and information – a practice that better manages the risks associated with today’s internet‐heavy focus on customer interaction and transaction. There are significant challenges and hurdles in the near term for dealers and their vendor partners. However, with the right guidance and expert counsel, dealers and their partners can achieve this critical compliance and train each employee on the new rules in place so that they can provide their customers with the trust they need to do business in this era of modern retailing.
ABOUT THE AUTHOR: Ken Hill is managing director for 700Credit, a provider of credit reports, compliance and soft pull products for the automotive industry.