What You Need to Know About FTC’s Privacy Rule and How to Comply
By: Brittany Demendi, Corporate Communications Manager
Auto Dealerships Must Comply with the Federal Trade Commission
The Federal Trade Commission (FTC) has finalized updated cybersecurity requirements for auto dealerships that offer financial services and are therefore regulated under the Gramm-Leach-Bliley Act (GLBA). GLBA is implemented by two FTC rules: the Privacy Rule (16 CFR Part 313), which governs privacy notices and information sharing, and the Safeguards Rule (16 CFR Part 314), which governs how customer information must be protected. In 2021, the FTC amended the 2003 Safeguards Rule to replace its general requirements with concrete security measures that businesses must implement to protect customers’ sensitive data; those measures are the subject of this post.
The Rule applies to any dealership that is a ‘financial institution’ because it engages in financial activities; its scope is set out in 16 CFR 314.1(b). When determining whether your dealership is covered, keep in mind that the Rule defines ‘financial institution’ more broadly than you or others may categorize your business. Focus on the activities your business undertakes rather than on how it is labeled.
Which Auto Dealerships Need to Comply?
The FTC states that the Rule applies to auto dealerships that:
- Extend credit to someone (for example, through a retail installment contract) when purchasing a car for personal, family, or household use.
- Arrange for someone to finance or lease a car for personal, family, or household use; or
- Provide financial advice or counseling to individuals.
If your auto dealership is trying to determine whether it is considered a financial institution that must comply under GLBA, reference the definition in 16 CFR 314.2(h). Note that a dealership that maintains customer information on fewer than 5,000 consumers is not exempt from the Rule as a whole; under 16 CFR 314.6 it is exempt only from some of the requirements listed below (the written risk assessment, continuous monitoring or periodic penetration testing and vulnerability assessments, the written incident response plan, and the annual report to the board).
The compliance deadline for the amended Rule is June 9, 2023. The Rule emphasizes the need for auto dealers to implement appropriate safeguards, respond effectively to security events, and conduct regular risk assessments. It represents a critical step in reinforcing customer confidence and trust in the financial sector while reducing the risks associated with cyber threats.
How can Adlumin Help Your Auto Dealership Comply?
Auto dealerships are prime targets for cybercriminals eager to exploit weak security: they hold large amounts of financial data and personally identifiable information (PII), and their systems connect to third-party vendors and their supply chains. This is why dealerships must now protect the customer information they hold according to a specific set of standards.
For example, security researcher Eaton Zveare reported that he was able to bypass the corporate login screen of Toyota’s C360 CRM, the web application Toyota uses to manage its customers in Mexico, and access customer records. The exposed data included customers’ names, addresses, email addresses, phone numbers, tax IDs, and service, vehicle, and ownership history.
Adlumin can help your auto dealership meet these requirements while mitigating cyber risk. Under the amended Rule, according to the FTC, auto dealerships and other financial institutions must do the following:
- Designate a qualified individual to implement and supervise your company’s information security program: The individual can work directly for your company or for a service provider or affiliate. If the person works for a service provider or affiliate, that provider must also maintain an information security program that protects your business, and your company retains responsibility for compliance.
- Solution: Choose an individual who understands cybersecurity, not just information technology, so they have the knowledge to lead the security program, supported by a team and Managed Detection and Response services.
- Conduct a periodic risk assessment: An effective plan can only be formulated once you know what customer information you have and where it is stored. After that inventory is complete, the assessment identifies reasonably foreseeable internal and external threats and risks to the security, confidentiality, and integrity of customer information.
- Solution: A Security Operations Platform continually assesses compliance with the National Institute of Standards and Technology (NIST) and the Federal Financial Institutions Examination Council (FFIEC) frameworks.
- Implement safeguards to control the risks identified through your risk assessment: According to the FTC, the Safeguards Rule requires your company to encrypt customer information in transit and at rest, assess your applications, implement multi-factor authentication for anyone accessing customer information, review access controls, keep an accurate data and asset inventory, dispose of customer information securely, anticipate and evaluate changes to your network, and maintain a log of authorized users’ activity.
- Solution: A Security Operations Platform ingests security data from your environment and applies a multi-layered detection approach to illuminate threats.
- Train employees in proactive security awareness: Your employees are your first line of defense, and your security program is only as effective as the weakest link in the chain.
- Solution: Implementing a Proactive Security Awareness Program empowers employees to report suspicious activity. In addition, it provides robust security awareness training and automatically enrolls users who need additional training.
- Maintain oversight of third-party service providers: Evaluate and select providers with security experience and skills to maintain the appropriate safeguards.
- Solution: A Security Operations Platform paired with Managed Detection and Response services monitors vendor account access, privilege, and event logs.
- Complete regular vulnerability scanning and penetration testing to identify weak points in your IT environment: Unless you have continuous monitoring in place, the Rule requires annual penetration testing and vulnerability assessments, including system-wide scans for publicly known security vulnerabilities, at least every six months and whenever there are material changes to your operations or circumstances that may affect your security program.
- Solution: Vulnerability Scanning is a perimeter defense that monitors your external network for vulnerabilities and port changes. In addition, Progressive Penetration Testing simulates different vantage points to see if your critical data can be accessed.
- Keep your information security program current: The best programs are flexible, because change is the only constant in information security: changes to your operations, emerging threats, what you learn from risk assessments and testing, and more.
- Solution: A Security Operations Platform provides live data on your network health, at-risk programs, and compliance.
- Develop a written incident response plan: In case of a security event, your dealership or financial institution needs a ‘what if’ plan. Document it and rehearse it in tabletop exercises so everyone involved knows which steps to take. The plan must cover its goals, clear roles and responsibilities, and a process for remediating any identified weaknesses in your systems and controls.
- Solution: Virtual Chief Information Security Officer (vCISO) services assist auto dealerships with building their security programs.
- Provide an annual security program report to your Board of Directors: The report must include an overall assessment of your company’s compliance with its information security program and cover specific topics such as the risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded to them, recommended changes to the program, and more.
- Solution: Board and IT Steering Committee Report and One-Touch Compliance Reporting provide all the details to share as frequently as needed.
What are the Benefits of Compliance?
Despite the challenges they bring, compliance regulations drive many organizations’ security success. Complying with industry standards is the first step toward building a foundation for cybersecurity. There are many benefits for auto dealerships in complying; here are a few:
- Avoid Fines and Penalties for Being Non-Compliant
- GLBA non-compliance penalties include:
  - Fines of up to $100,000 (USD) per violation for financial institutions found in violation
  - Fines of up to $100,000 (USD) per violation for individuals found in violation
  - Criminal penalties of up to 5 years’ imprisonment for individuals found in violation
- Build Customer Trust and Loyalty
- Trust suffers when an auto dealership experiences a breach. When customers know their information is secure, they may be more willing to do business with the dealership, including its financial services.
- Improve Capabilities and Data Management
- The Rule expects auto dealerships to revamp their data management practices so they can better track customers’ sensitive information, assets, and files. Being more organized and able to find what they need also improves dealerships’ operational and management efficiency.
Illuminate Threats and Eliminate Risks
The importance of cybersecurity goes beyond the FTC’s regulations. If your auto dealership’s network is breached, you risk losing customers’ trust and could potentially fold under the fines and lost revenue. Time is of the essence to get your cybersecurity plan in place, and there are resources to help.
Adlumin provides all the necessary solutions in one place, including 24×7 monitoring and one-touch compliance reporting, in a cost-effective package designed for establishing and maintaining security. The June deadline will be here before you know it, and it’s best to get ahead of it and avoid any repercussions for non-compliance.
Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign up for a free trial.