Botdoc Blog

A Car Dealership’s Checklist for FTC Safeguards Rule

Written by Laura Johns | Nov 18, 2022 8:13:47 PM

The deadline to comply with the FTC Safeguards Rule is fast approaching. Car dealerships need to prepare now for the changes. Failing to comply with the Rule risks a fine of up to $46,517 (per incident) for auto dealers. Here’s how car dealerships can get up to speed quickly.

What is the FTC Safeguards Rule?

The Federal Trade Commission's Standards for Safeguarding Customer Information, aka the Safeguards Rule, are put in place to ensure that entities such as car dealerships have proper security measures in place to protect consumers’ personal information. On June 9, 2023, the revised Safeguards Rule officially goes into effect. It is part of the FTC’s initiative to keep customer information safe in light of the growing cybersecurity threat posed by data breaches, ransomware, and other cyberattacks.

What Entities Are Required to Abide by the FTC Safeguards Rule?

The FTC Safeguards Rule was originally a requirement for businesses and financial institutions that handle sensitive consumer data, such as banks, lenders, credit unions, and similar entities. Starting June 9, 2023, these rules will also apply to non-traditional businesses such as car dealerships, which are required to develop, deploy, and maintain a security plan that details how they will protect customers’ personal information.

The Safeguards Rule also states that you must have a formally written information security program that is appropriate for the size and complexity of your business, i.e. how many customers you serve, the type of data collected, etc.

There are three main objectives of the Safeguards Rule:

  • Keep customer information secure and confidential,
  • Reasonably protect the information from threats that affect its security or integrity,
  • Protect the information from unauthorized access.

The Rule also helps car dealerships because it will improve customer confidence that their information is in safe hands when going through the car buying process.

The Safeguards Rule Checklist for Car Dealers

As mentioned, the updated Safeguards Rule goes into effect on June 9, 2023. If dealerships fail to adequately abide by the new regulations, there could be severe punishment for the business.

If you’re a car dealer, use the checklist below to simplify exactly what you need to do to get compliant:

1) Assign a Qualified Individual to administer and enforce the dealership’s information security program. This person can be an employee or an outside individual who has real-world experience and know-how relevant to your specific business operations.

2) Perform a risk assessment: After taking an inventory of what type of customer data you will collect, perform a risk assessment to determine what kind of internal and external threats could affect the security, confidentiality, and integrity of customer information.

3) Design and put into action safeguards for the risks identified: Your information security program should be multifaceted and include the following precautions:

    • Develop access controls to determine who can view customer information and regularly review these permissions to keep them up-to-date.
    • Conduct an inventory assessment to understand what data you have and where it is stored.
    • Use end-to-end encryption to ensure customer information is encrypted where it’s stored and when it’s in transit.
    • Perform an app security assessment if your company uses a mobile or web app that collects customer data.
    • Implement multi-factor authentication protocols for any of the people who will need to access customer information.
    • Securely dispose of customer data within two years unless there’s a legitimate business need or legal cause to hold on to it.
    • Understand and evaluate changes to your information network and other systems used to move or store customer data.
    • Keep activity logs of authorized users and be on the lookout for unauthorized access.

4) Regularly monitor and assess the efficacy of your information security. Ensure your plan is consistently put to the test so you can be confident that it works when a real threat attempts to infiltrate your systems.

5) Educate your team and staff members: Ensure your team understands the importance of information security by providing training and reminders of what to do and what not to do (e.g. don’t click on suspicious links).

6) Ensure service providers' security measures are appropriate: Don’t assume third-party vendors provide adequate security. Include your security expectations in your contract and regularly assess service providers to make sure their security protocols are up-to-date.

7) Continuously assess your information security program: Regularly evaluate your security program to ensure it’s robust and up-to-date.

8) Develop a written incident response and recovery plan: It should include goals, internal processes for reporting security events, roles and responsibilities, a process to fix issues, and a plan for documenting security events.

9) Ensure your Qualified Individual reports to the Board of Directors: At least once a year, the Qualified Individual should provide a detailed written compliance report to the board and senior executives.

Failure to comply with the new revised FTC Regulations can cost your car dealership. It also opens the door to civil and class action lawsuits from customers. To avoid these penalties and punishments, it’s imperative that car dealerships make sure they are compliant well before the June 9th deadline.

How Botdoc Can Help your Car Dealership

Botdoc is here to help car dealerships make that list of security standards less overwhelming. In just minutes, dealerships can get set up with Botdoc’s solution and receive driver's licenses, bank account information, and more from customers without the use of PINs, passwords, logins, accounts, apps, or software to download.

Notice those items on the checklist about end-to-end encryption? Botdoc is the first ever easy, remote, and secure file transport service that works via text messaging and email with end-to-end encryption. Our API automatically moves data to the appropriate area within the system of record, limiting the touchpoints of data. Botdoc even automatically purges documents after a certain amount of time, decreasing the risk and time spent purging documents manually.

Our solution is always simple to use because the customer experience is everything to us. Get started today by scheduling a demo. Let Botdoc help your dealership comply with the FTC safeguards rule and help you avoid a costly penalty.