The Federal Trade Commission (FTC) has revised the “Standards for Safeguarding Customer Information” (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA). The Safeguards Rule is intended to strengthen data security to help protect your customers’ financial data.
The Safeguards Rule applies to any business or entity that provides or facilitates financial services, which includes dealerships and other similar industries that gather customer financial data. The new guidelines were released on December 9, 2021, giving those affected by the changes a year to comply with the new standards and objectives.
Starting December 9, 2022, amendments to the FTC Safeguards Rule require non-banking financial institutions to develop, implement, and maintain a comprehensive security system to keep customer information safe. Motor vehicle dealers constitute a “non-banking financial institution” for purposes of the Rule. It’s critical for dealers to understand how these amendments may apply to their dealership before renewing or signing a new contract with a data security vendor.
Personally Identifiable Financial Information (PIFI)
The Revised Safeguards Rule applies to all customer information, including information about customers of other financial institutions that has been shared with you. The customer information protected under the Safeguards Rule is Personally Identifiable Financial Information (PIFI). PIFI is not limited to Social Security numbers and credit card information; it covers any transaction that might disclose a customer’s financial information.
There are three primary objectives that an information security program must meet and have written policies in place to support. A security program must:
- Ensure the safety and confidentiality of customer information
- Protect against threats or hazards to the security and integrity of customer information
- Protect against unauthorized access to customer information
Eight Elements to Include in Your Information Security Program
To best meet the primary objectives the FTC has established, there are eight elements that must be included in your dealership’s information security program:
- Establish a designated Qualified Individual who oversees and enforces the information security program. The Qualified Individual must have some level of information security training and knowledge and is held accountable for issues that arise from a security event. The Qualified Individual can be a third-party vendor.
- Conduct periodic risk assessments of the various security risks to customer information. Each assessment must be documented and must list the risks or threats found and how each is addressed in the information security program. The documentation should include the steps that have been taken to ensure confidentiality, integrity, and availability.
- Implement customer information safeguards. These safeguards include access control, inventory of all systems, data encryption, secure development practices, Multifactor Authentication (MFA), data disposal procedures, change management procedures, and monitoring and logging authorized user activities. This would be covered through continuous monitoring. If a system for continuous monitoring is not in place, biannual vulnerability assessments must be completed.
- Regularly test or monitor the effectiveness of the security controls used to detect attempted attacks on the systems that hold customer information.
- Put policies and procedures in place to ensure that employees can enact the information security program. Employees must have sufficient information and training on the security risks. The training program must also integrate the new and evolving security risks.
- Verify that third-party service providers are doing everything possible to protect customer information, and assess each provider based on the risk it poses to customer information.
- Establish an Incident Response Plan (IRP). The IRP must include the goals of the plan, the internal process for responding to a security event, clear roles and responsibilities for decision makers, all communication that would take place if an event occurred, how to remediate systems after an event, documentation of incident response activities, and evaluation and revision of the IRP.
- Ensure that the Qualified Individual reports in writing every year on the overall status of the information security program and compliance with the Revised Safeguards Rule. The report should include documentation of risk assessments, risk management controls, contracts with service providers that handle customer information, penetration testing results, security events and the remediation steps taken, and changes to the information security program.
Why Choose Eide Bailly for Your Cybersecurity Needs
From proactive planning to supportive, timely response when you need it the most, we’re the trustworthy cybersecurity team you can count on. Our comprehensive security solutions include advisory, integration, and threat management. Our vision is to help build a culture of security for every organization, so they have a proactive, planned-out response when cyberthreats arise.
Build a culture of security in your dealership. Our team of advisors can help you prepare for the FTC’s revised Safeguards Rule.