Is Your Dealership Prepared for the Amended FTC Safeguards Rule That Goes into Effect June 9, 2023?
The Federal Trade Commission published amendments to the Safeguards Rule that expand the procedural, technical and personnel requirements for financial institutions, including dealers, to keep customer information secure. Dealers are responsible not only for their own safeguards, but also for the safeguarding actions of service providers, like Force Marketing, WeDrive, and GSM. Dealers are now required to implement and maintain a written comprehensive information security program appropriate for the size and complexity of the business, as well as the sensitivity of any customer information on hand. Is your dealership on track?
The original Safeguards Rule was created nearly 20 years ago. The world has changed. The expectations of customers have changed. The amended Safeguards Rule includes critical components that address the current sensitivity of customers and shared information, plans for threats against data security, and a more dedicated effort by dealers to be aware of who is accessing information. The Safeguards come with a stronger reinforcement of the rules. Previously, a fine may be from $1,000 to $7,000 per occurrence. As of June 9, 2023, that fine may be up to $46,000 per occurrence.
If you’re not familiar with the Safeguards Rule, we break it all down for you here.
The Primary Components of the Safeguards Rule to Keep Customer Information Safe include:
- A designated and qualified individual to oversee your company’s information security program
- Keep up to date with potential security threats and countermeasures
- Written “Risk Assessment” performed periodically
- Implement and monitor safeguards and controls
- Allow access to only those individuals who require information
- Keep an inventory of data and systems, along with the risk of maintaining that data
- Encrypt customer information at rest and in transit
- Establish secure development practices so that new software applications are tested prior to full use
- Require change management practices that govern updates, removal or modification of systems
- Implement multi-factor authentication for access to customer information
- Securely dispose of customer information after it is no longer necessary
- Monitor who is accessing information to detect unauthorized access to customer information
- Routinely test systems for vulnerabilities
- Have a written incident response plan in case of unauthorized access to customer information
- Train employees to know how to handle customer information and how it can be securely shared
- Complete annual written reports to your dealer's governing body (Board of Directors/Owners)
- Require service providers (marketing partners) to have a Written Information Security Program
- Audit service providers (marketing partners) to assess their ability to follow the same Safeguards as dealers
How is Force preparing our dealer clients for this update?
Force is Focused on Protection
Our commitment is to provide a highly secure environment that protects the integrity of the information by maintaining compliance with FTC Safeguards, State Regulations, CAN-SPAM, etc.
Regulations are changing, and adapting to new requirements requires dedicated and diligent personnel. We take pride in our focus on training associates, maintaining documented processes, securing our infrastructure, and ensuring a technology framework that includes:
- Secure Access Management
- Networks Protected by Firewalls and Intrusion Detection
- Encryption of all Data
- Annual Vulnerability Assessments
- Annual Penetration Testing
- Planned Incident Response Plan
- Disaster Recovery and Business Continuity Planning
If you’re looking for more information on the Safeguards Rule or would like to speak with one of our Force Marketing Data and Technology Specialists about what your dealership needs to check for in order to be prepared before the deadline on June 9, 2023, contact us here.