Last Fall, we hosted a panel of leading minds in the industry, including a legal expert, aftermarket specialist, F&I manager and a recreational lender. The dealers in attendance brought a variety of questions to the table, but one topic stood out among the rest: new security regulations required for your business to protect customer information.
Randy Henrick, former attorney for DealerTrack, and our legal expert on the panel, is back to help clarify those legal changes that will impact you most. Here, we discuss the recent changes made by the U.S. Federal Trade Commission (FTC), how they impact you, and what Priority One can do to help.
CHANGES COMING FOR YOU
Last October, the FTC revised its Safeguards Rule regarding a dealer’s obligation to protect customer information. Previously, the rule gave you the discretion to adopt a Safeguards program based on your dealership’s identified risks. The amended rule, however, details more comprehensive requirements that your dealership must take to protect your customer’s non-public information (NPI) from wrongful use or disclosure.
Let’s break this down. A Safeguards program consists of the administrative, technical, and physical measures you take to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information. Your Safeguards program must be in writing. The FTC’s amended rule, which focuses on electronic information, requires three major additional responsibilities for your dealership:
You must designate a Qualified Individual responsible for overseeing, implementing and enforcing your information security program. The qualifications necessary for this role depend on the complexity, volume and sensitivity of the customer information that you process. Qualified Individuals from a dealer with one showroom will need less training than a larger dealership with a complex information system. Regardless of your size, however, security training of some kind is required for your dealership.
Your Safeguards program must use risk assessment, access controls, authentication, data inventory, data disposal, change management, and monitoring to protect customer information. Risk Assessment: A written risk assessment is required to identify and evaluate risks to your information systems. A compliant risk assessment should evaluate the adequacy of your plan and identify how risks can be mitigated. Once written, you should assess up front, and again on a regular basis. Access Controls: Customer information should be made visible only to your personnel who need this information to do their jobs. Authentication: Any personnel with access to NPI must use two factor authentication when doing so. Data Inventory & Disposal: You should develop a program that securely destroys all customer information within two years from when it was last needed, or longer, if necessary, to meet a legal or business requirement. Monitoring: You should continually monitor user access by conducting vulnerability scans every six months, penetration tests annually, and whenever there are material changes to your business. All customer NPI must be encrypted, both in transit and at-rest.
Your dealership’s Qualified Individual is required to make periodic reports to the board of directors or governing body of your dealership. You should also be prepared to explain your safeguards to customers — including how you access, collect, process, protect, store, use, transmit and dispose of NPI. Make sure the Qualified Individual and any personnel that access customer NPI are regularly trained on your dealership’s policies and new security risks. You should have an incident response plan prepared in the event of a data breach.
WE’RE HERE TO HELP
If you work with a service provider for other areas of your business, those providers must also implement and maintain safeguards. At Priority One, we have a number of safeguards in place to protect your customers’ NPI. Our Dealer Resource Center, Customer Resource Center, and credit application each securely transmit data to an encrypted database for safe-keeping. When NPI information is no longer needed, it is deleted at the earliest business opportunity. Additionally, your business managers and the entire Priority One staff are educated annually on NPI best-practices. We emphasize that our customers and business managers only communicate sensitive information using our secure messaging centers.
Most of the new FTC requirements will need to be in place for your dealership by the end of 2022, but assessing risks, developing solutions to risks, managing service providers, and beginning training should take effect immediately.
This information is not intended to take the place of legal counsel. Contact your legal advisor for specific needs. For more information and resources on FTC policies, visit ftc.gov.
