What is the FTC Safeguards Rule for Dealerships?
Jan 7, 2024

What is the FTC Safeguards Rule for Dealerships?

What is the FTC Safeguards Rule for Dealerships?

The Federal Trade Commission (FTC) created the “Safeguards Rule” to ensure that businesses protect the security of customer information. The Safeguards Rule applies to non-banking financial institutions which includes auto dealerships.

To comply with the Safeguards Rule, a dealership must implement a program that:

  • Ensures the security and confidentiality of customer information
  • Protects against anticipated threats or hazards to the security or integrity of customer information
  • Protects against unauthorized access to information that could result in substantial harm or inconvenience to any customer

Is your dealership compliant?

Why do Cyber Criminals Target Auto Dealerships?

We live in a new world where cyber crime is a profitable business. Software automation and Artificial Intelligence (AI) has made it easy for hackers to attack small businesses at scale. Dealerships are juicy targets for cyber criminals.

Did you know that 84% of customers would not buy another vehicle from a dealership after their data has been compromised? (Total Dealer Compliance)

Safeguards Rule for Dealerships
The FTC Safeguards Rule requires Car Dealerships to practice new cyber security controls to protect their customer data privacy

Auto Cybersecurity Dealership Stats

To further our point, here are a few cybersecurity statistics about dealerships in the past few years:

  • 85% of Dealerships worldwide have experienced a cyber attack since 2018 (CDK Global)
  • 70% of surveyed Dealerships do not have up-to-date antivirus software (Total Dealer Compliance)
  • Only 27% of Dealerships are testing incident response plans (CDK Global)
84% of customers would not buy another vehicle from a dealership after their data has been compromised (Total Dealer Compliance)


How Can Your Dealership Become Compliant With The FTC Safeguards Rule Quickly?

The Safeguards Rule details nine elements that Dealerships must include in their IT security program.

Let’s take a look at the basic steps that Dealerships need to focus on:

1. Put someone in charge. This can be an employee or service provider. It’s your company’s responsibility to make sure that the Qualified Individual understands the security risks and can communicate them to the Board.

2. Conduct a cyber risk assessment. You can’t make an effective IT security program until you know what information you have and where it’s stored. Write your risk assessment down and include criteria for evaluating risks and threats. The Safeguards Rule requires you to assess employee accounts, data storage, network threats, and software vulnerabilities throughout your Dealership. (We can do this for you at Iceberg Cyber!)

3. Regularly monitor and test the effectiveness of your safeguards. Test your procedures for detecting actual and attempted attacks. Implement continuous monitoring of your system to make sure you adapt with the changing threat landscape. Hackers adapt every day to make money by stealing from you. Stay one step ahead of them or face the consequences. Hackers only have to get lucky once.

4. Implement basic cyber hygiene. Encrypt your client data, put in place routine data backups, and use Multi-Factor Authentication for all accounts.These are simple steps that your Managed Service Provider can help you with. For more info, check out our blog post here.

5. Report to your Board of Directors. The FTC Safeguards Rule makes cybersecurity a key business concern for your Directors. They will be liable for negligence and non-compliance. What should the report address? Include an overall assessment of your Dealership’s compliance with its IT security program. Cover specific topics related to the program like the risk assessment, service provider arrangements, and recommendations for changes in the information security program. This is a team sport.


Three Key Takeaways for Dealerships About the FTC Safeguards Rule

1. Time is running out to achieve compliance

The updated FTC Safeguards Rule has gone into full effect since June of 2023. This means Dealerships need to begin working now to be ready in time. If your Dealership does not have the internal bandwidth or resources to achieve compliance, you need to engage with an expert cybersecurity services provider

2. Virtually all data is covered by this rule

The FTC has a very broad definition of data as covered by the updated Safeguards Rule. This includes data provided directly by customers to obtain products or services, any data that is customer-related, and data resulting from or in conjunction with a transaction. Hardly any data are excluded

3. Boards of directors will have to be engaged

The new Rule requires regular reports to company boards including the overall status of the Dealership's information security program, the Dealership’s current level of compliance with Safeguards Rule, the most recent risk assessment, any new management and control decisions, service provider arrangements, test results, information on security events or violations (and management’s responses thereto), and recommendations for changes


What Are The Auto Dealership Penalties for Non-Compliance?

According to the FTC, penalties for non-compliance can be “extensive and expensive”. They take consumer privacy very seriously. Non-compliance consequences can include:

  • Lengthy oversight periods or disabling access to information systems.
  • FTC monetary fines that can cost an organization $100,000, and individuals in leadership can be fined up to $10,000.
  • Negligence can result in prison time of up to five years
84% of customers would not buy another vehicle from a dealership after their data has been compromised (Total Dealer Compliance)
The new FTC Safeguards Rule requires Auto Dealerships to conduct periodic cyber risk assessments to protect their client data privacy

How Can Dealerships Get Compliant With the FTC Safeguards Rule?

For many Dealerships in the United States, complying with the updated Safeguards Rule may seem like a daunting challenge.

Here are a few tips for how to get started:

Don’t Stand Alone

IT Managed Service Providers (MSP) are experts in IT and cyber security. They can demystify the complex world of cyber crime and protect the assets most critical to your strategic business objectives and operations. Talk to the experts and don’t stand alone. Here at Iceberg Cyber, we are here to help. Simply get in touch with us to find out how we can make your dealership compliant.

Start with a risk assessment

You trust your technicians to diagnosis a vehicle, do the same for your computers. Get a cyber risk assessment and validate your current state, identify any existing gaps and vulnerabilities which are creating exposure to risk, and prioritize actionable recommendations based on ease of implementation and criticality to reduce risk quickly and effectively.

Complete a data and system inventory

The risk assessment for your Dealership, along with the risk assessment for the vendors you work with, are contingent upon a complete understanding and inventory of your assets, data and data flows.


Is your dealership FTC safeguards compliant? We can help!

Additional Resources

For more information on the FTC Safeguards Rule: