The Safeguards Rule is a regulation set forth by the Federal Trade Commission (FTC) that applies to financial institutions, including dealers. The rule requires dealers to develop, implement, and maintain an information security program that includes administrative, technical, and physical safeguards to protect customer information. In this blog post, we will take a closer look at the requirements of the Safeguards Rule and what dealers need to do in order to comply.
Information Security Officer (ISO)
First and foremost, dealers must appoint an individual to implement and supervise the information security program. This is similar to the Red Flags Rule, which also requires dealers to appoint an information security officer (ISO) to oversee the program. In addition to appointing an individual, dealers must develop a written information security program with the objectives of ensuring the confidentiality of customer information, protecting against threats to that information, and protecting against unauthorized access to it.
Risk Assessment
One of the key requirements of the Safeguards Rule is conducting a risk assessment. Dealers must inventory what customer information is maintained and where it is stored, and then determine what internal and external threats to that information exist. Once the risks are identified, dealers must design and implement safeguards to control them.
Periodic Review
The Safeguards Rule requires dealers to implement and periodically review access controls. This means determining who has access to customer information and regularly confirming that those parties still have a legitimate need for it. In addition, dealers must conduct periodic reviews to determine what data is collected, where it is stored, and how it is transmitted. To protect this data, the Safeguards Rule requires that it be either encrypted or secured through alternative controls.
App Evaluation
Another important requirement of the Safeguards Rule is evaluating the apps used to transmit, store, or access customer information. If a dealership uses apps in these ways, they must be evaluated for security. Additionally, dealers must dispose of customer information securely and require multi-factor authentication for anyone who has the ability to access customer information.
Change Management and Activity Logging
When it comes to information systems, the Safeguards Rule requires that any changes made to a system be reviewed to determine whether they introduce additional security risks. Dealers must also log and retain user activity so that any unauthorized access can be detected.
Monitor and Test
Once the risks are assessed and safeguards are in place, dealers must routinely monitor and test the effectiveness of those safeguards, train their staff in security awareness, monitor service providers, periodically modify the program to keep security procedures current, create a written incident response plan, and, lastly, require the security officer to report to the Board of Directors.
Deadline, Penalties, etc.
It’s important to note that these requirements are very similar to those imposed on dealers under the Red Flags Program. Compliance with the Safeguards Rule is crucial, as non-compliance can result in penalties of approximately $45,000 per violation. The deadline for companies to comply with the amendments to the FTC’s Safeguards Rule was originally December 9. In mid-November, the FTC announced an extension of the deadline to June 9, 2023.
With this in mind, Impact Revenue has taken a phased approach to compliance with the Safeguards Rule. This includes obtaining a signed Service Provider Agreement and Safeguards Rule Certification letter from all of its providers, rolling out Multi-Factor Authentication (MFA) in January 2023, and requiring email encryption of Personally Identifiable Information (PII) early next year. Encryption of data at rest and all other requirements of the FTC Safeguards Rule are already in place.
For information regarding the Safeguards Rule from NADA, click here.
For more information, contact us!