Amended Safeguard Rules
On October 27, 2021, the Federal Trade Commission (“FTC”) issued the final amendments to the FTC Safeguards Rule (“Safeguards Rule”). The new Safeguards Rule under the Gramm-Leach-Bliley Act (“GLBA”) requires financial institutions to strengthen their data security safeguards to protect consumer financial information. The new amendments to the Safeguards Rule contain a significant number of new and expanded requirements that financial institutions, including dealers, must satisfy to meet their information security obligations. The previous Safeguards Rule, effective May 3, 2003, allowed for some flexibility based on the size and sophistication of the financial institution. The new Safeguards Rule applies to all dealers, regardless of their size (with an exception for dealers holding 5,000 or fewer customer records), their systems, or the types of data they maintain.
Some of the highlights of the new Safeguards Rule are as follows:
(1) requires dealers to designate a “Qualified Individual” responsible for overseeing, implementing, and enforcing your information security program.
(2) requires a new comprehensive written document (a “Risk Assessment”) be prepared that contains and addresses certain areas of risks at the dealership. The new Safeguards Rule also requires additional periodically performed risk assessments.
(3) requires dealers to place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of customer information, and to periodically review such access controls.
(4) requires dealers to encrypt all customer information, both in transit over external networks and at rest. This requirement also extends to all dealer vendors and others with access to dealership customer data.
(5) requires dealers to implement multi-factor authentication for any individual accessing any information system unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.
(6) requires dealers to implement policies, procedures and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
(7) requires dealers to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
(8) requires dealers to regularly test or otherwise monitor the effectiveness of the information security program's key controls, systems, and procedures, including those designed to detect actual and attempted attacks on, or intrusions into, information systems.
(9) requires dealers to provide their personnel with security awareness training that is updated to reflect risks identified by the Risk Assessment.
(10) requires dealers to oversee service providers by taking reasonable steps to select and retain service providers that are capable of maintaining appropriate Safeguards for the customer information at issue, and requires dealers to periodically assess service providers based on the risks they present and the continued adequacy of their Safeguards.
(11) requires dealers to adopt a written incident response plan that addresses such things as the internal processes for responding to a security event, and identification of the requirements for the remediation of any identified weaknesses in your information systems.
Dealers, and all of their service providers that access any customer data, have until December 9, 2022, to comply with the majority of the new requirements. However, some of the changes take effect January 29, 2022, such as regularly testing or monitoring the effectiveness of the safeguards and overseeing service providers. Please consult with your attorney or other professional advisors regarding your specific facts and circumstances, and the application of the new Safeguards Rule to your dealership.