FTC Safeguard Rules for Auto Dealers (2023)
Information and resources for your dealership to be ready for the June 9th deadline
The Safeguard Rules require your dealership to develop, implement, and maintain an information security program designed to protect customer information. In short, it’s a written plan of action outlining how your dealership protects customers’ nonpublic personal information.
Your vendors (including KGI) play a key role in this by putting safeguards in place on the data they store on your behalf.
At KGI Dealer Solutions we are currently rolling out security measures for our products and services:
- Multi-factor authentication for your DMS
- Encrypted data
- User management controls and logs
Through these measures KGI Dealer Solutions is helping keep your data secure in the following ways:
- Each Dealer’s data is stored separately in their own databases with their own credentials
- Data in the database is encrypted, and so is the communication between the database and you
- Firewalls severely limit who can access your servers
- Configurable Multi-factor authentication required for both installation and access
- Intrusion monitoring and prevention on all public endpoints
Be sure ANY vendor that has access to your customers’ nonpublic personal information provides the same protections for your data, and record these protections in the Safeguards Security Program your dealership is creating.
If this article is over your head, start with this practical guide instead!
What’s in an Information Security Program and how to get started?
The FTC identifies this outline for car dealerships and other ‘financial institutions’:
- Assign a person at your dealership as the “Qualified Individual” to be the one in charge of implementing and auditing your information security program.
- Conduct a full risk assessment. Find out how and where all of your data is stored and then assess the risk of threats to that data.
- Structure a set of safeguards for your dealership to defend against those threats.
- Implement and periodically review access controls – who has access to what data.
- Conduct a periodic inventory of your data – keep a list of devices, vendors, platforms, personnel.
- Encrypt customer information – (KGI encrypts your data)
- Implement multi-factor authentication for anyone accessing customer information – (KGI is implementing this in all of our products that house customer information)
- Dispose of customer information securely.
- Anticipate and evaluate changes to your information system and network.
- Maintain a log of authorized users’ activity and look out for unauthorized access – (KGI is implementing this log and user management)
- Regularly monitor and test the effectiveness of your safeguards. Monitor, assess, and test!
- Train your staff. They need to know that protecting customer information is a high priority. Make sure deal jackets, credit apps, etc. are not left on desks.
- Monitor your service providers. Ask how your data is being protected and make sure they meet your security standards.
- Keep your Information Security Program current.
- Create a written incident response plan. If data is compromised, what would your next steps be?
- Require your Qualified Individual to report to your Board, owners, and/or senior officers.
More tools and resources:
- Information Security Program Example