As you have hopefully heard by now, the Federal Trade Commission (FTC) recently issued complicated new amendments to its Safeguards Rule, which require dealers to undertake a series of procedural, technical, and contractual steps to protect consumer and other personal data. The amended Rule’s requirements must all be completed by December 9, 2022. There is quite a lot that dealers must do between now and December, and the time for dealers to act is now in order to ensure compliance by the deadline.
The FTC recently issued a guidance publication, FTC Safeguards Rule: What Your Business Needs to Know, that provides some further insight into the requirements. There, the FTC summarizes the requirements as follows:
a. Designate a Qualified Individual to implement and supervise your information security program.
b. Conduct a risk assessment.
c. Design and implement safeguards to control the risks identified, including:
   - Implement and periodically review access controls.
   - Know what you have and where you have it.
   - Encrypt customer information on your system and when it’s in transit.
   - Assess your apps.
   - Implement multi-factor authentication for anyone accessing customer information on your system.
   - Dispose of customer information securely.
   - Anticipate and evaluate changes to your information system or network.
   - Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
d. Regularly monitor and test the effectiveness of your safeguards.
e. Train your staff.
f. Monitor your service providers.
g. Keep your information security program current.
h. Create a written incident response plan.
i. Require your Qualified Individual to report to your Board of Directors.
Dealers should review the FTC publication for more details. The compliance requirements are also spelled out in detail in NADA’s Driven Guide to the Amended Safeguards Rule, which contains step-by-step guidance on how to comply with the Rule, as well as downloadable templates and other critical information to aid dealer compliance. NADA also has a series of webinars, workshops, and more to help dealers with these complex new requirements. Members can access these resources at nada.org/nada/issues/data-and-privacy.
We know that dealers have an extensive list of compliance issues to deal with, but this is a critical issue and a critical deadline – if you have not focused on this new Rule, jump in today!
Note: This article is offered for general informational purposes only and is not intended to constitute legal advice. Each dealer should seek their own legal counsel and make their own independent business decisions and work with their attorneys to ensure compliance.