Consumers, including anyone reading this, should demand that any entity that holds their personal information be extremely vigilant about protecting it. Identity theft is all too commonplace, and its repercussions are serious and costly.
It’s why the Federal Trade Commission (FTC) first implemented the Safeguards Rule in 2003. The rule requires financial institutions – which for purposes of this discussion includes automobile dealers – to develop, implement, and maintain a comprehensive information security program to keep their customers’ information safe.
On the heels of major data breaches, including one involving Equifax that impacted approximately 147 million Americans, the FTC launched an initiative to examine the Safeguards Rule. In 2019, the Commission sought public comment on proposed changes to the rule and held a workshop on those proposals during the summer of 2020.
After 2 years of public consideration, in a controversial 3-2 vote with Commissioners Noah Joshua Phillips and Cristine S. Wilson dissenting, the FTC recently announced significant changes to the Safeguards Rule that every dealer will need to know.
The FTC’s notice containing the updated Safeguards Rule is 145 pages long, but let’s sum up some of the major changes as it may relate to your dealership.
Most of the changes involve specific criteria that financial institutions must include as they develop and implement their information security programs. Whereas financial institutions have always been required to develop their program based on a risk assessment that identifies risks around improper access to consumer information, now the risk assessment must be in writing and include the following:
- Criteria for the evaluation and categorization of identified security risks or threats faced;
- Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced; and
- Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
The Final Rule will also require financial institutions to implement specific safeguards into their information security programs, including:
- encryption for all customer information in transit and at rest (if encryption is infeasible, effective alternative compensating controls may be used);
- multi-factor authentication for anyone accessing any information system (a reasonably equivalent or more secure access control may be used);
- procedures to dispose of customer information no later than 2 years after the date the information was last used (there are exceptions that may permit you to hold the information for longer period)
- continuous monitoring or periodic penetration testing and vulnerability assessments;
- develop steps for selecting and retaining service providers capable of maintaining appropriate safeguards for consumer information, including contractually obligating service providers to implement and maintain those safeguards, and periodically assessing service providers based on the risk they present;
- establish a written incident response plan designed to promptly respond to, and recover from security event (defined as “any an unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form”) materially affecting the confidentiality, integrity, or availability of customer information in your control.
The changes to the Safeguards Rule also require financial institutions to designate a single “qualified individual” responsible for overseeing, implementing, and enforcing the institution’s information security program. Financial institutions will also need to train their employees necessary to enact the information security program. Additionally, the financial institutions will be required to submit periodic reports to boards of directors or equivalent governing body (or senior office if no governing body exists) that addresses the overall status of the information security program compliance with the Safeguards Rule.
If there is a silver lining, the FTC included a “small business exemption” for financial institutions that maintain customer information concerning fewer than 5,000 consumers. However, the exemption is limited. If applicable, those financial institutions will not have to complete a written risk assessment, prepare incident response plans, or complete the annual reporting requirements.
Most of these changes will take effect in one year.
I recognize that these new rules create additional layers of compliance, which of course will cost money; a point I made to the FTC in official comments and in many conversations I had with them about these proposed changes.
Before these changes become effective, dealers should take the opportunity to review their existing information security program and make note of what you will need to come into compliance with the changes. It may require some assistance from an IT professional. That cost may well end up being cheaper than the hefty fines the FTC will levy for non-compliance or worse, a class action attorney may get in damages if there is a data breach.
Shaun Petersen is the Executive Vice President and Chief Legal Officer at Buckeye Dealership Consulting. He can be reached at 330-726-9030 or firstname.lastname@example.org