With the Federal Trade Commission’s (FTC) recently issued Safeguards Rule, which requires stricter information security programs to protect consumers, US auto dealerships have the heavy burden of strengthening their information systems security. The rule governs how financial institutions protect consumer data. Dealerships must implement changes to protect their own consumer data, but they also must have a formal training program for their employees and third-party audits in place to ensure all of their vendors are also following these guidelines.
What Is the New FTC Rule?
The FTC’s rule requires detailed procedures and specific criteria that auto dealers must implement to provide better protection and to curb data breaches and cyberattacks that could jeopardize sensitive customer data.
One of the first challenges dealerships need to address is the fact that they are sitting on so much more consumer information today. The amount of sensitive information dealers take in could result in identity theft, with those identities being sold to fraudsters. Dealerships take in an immense amount of critical consumer information, including access to credit reports, drivers’ license information, images, account numbers, name, address, date of birth, and credit card information.
Sophisticated dealers have quality protections in place, but there are a lot of dealerships that do not have protections and programs in place. Implementing these safeguards for thousands of these dealers will be a heavy lift before the end of the year, with all training curriculum completed and programs fully implemented.
What Dealers Need to Achieve Compliance
The Safeguards Rule began in 2003 under the federal Gramm-Leach-Bliley Act, and as a result, dealers were designated as financial institutions, since they provide financing agreements for their customers. Revisions to the rule were recently approved, and the revised version now includes five primary updates that focus on keeping data secure, such as limiting access to customer information and new requirements for encryption and multifactor authentication. What’s more, the rule states each dealership must designate one “qualified individual” to oversee their information security program.
Initially, dealers must perform a proper audit of their entire information security systems, as well as those of their vendor partners, to ensure things like the encryption of consumer information. This way, if any part of the system is penetrated by a digital intruder, the data is not exposed. Dealers will also need to implement two-factor authentication systems and intrusion detection tests at regular intervals. And, of course, dealers need to make sure their employees are properly trained on all these new measures.
It will be important for dealers to designate individuals within the dealership who are trained on taking ownership of these new regulations, and to ensure everyone is ready. The new regulation even states that a written policy must be produced and put in place, with all employees understanding the policy and signing off. The educational curriculum must be designed so that each employee is trained on all facets of the new regulation with full comprehension of each component.
Auditing Vendors and Information Privacy
One of the most challenging elements of the new regulation involves a thorough audit and inventory of needs by any vendors working with the dealer, including finance partners, advertising agencies, data and technology partners, etc. Most likely, dealers will need to hire outside counsel or a third party that has compliant programs to help build proper audit surveys of their partners. Third-party vendors should be aware that these requests are coming and be prepared with a program in place, so they are not bogged down with no processes in place to handle the volume.
Dealers would be wise to take inventory of every possible way they receive consumer data and information. From advertising and marketing insights at the top of the funnel, search-engine and social media data they receive through promotions and interactions, website data and insights, and certainly consumer information through the service lane, dealers today have countless opportunities to collect consumer data that must be scrutinized under the new regulations.
The new Safeguards Rule will ultimately help dealers better protect their customers’ valuable data and information – a practice that better manages the risks associated with today’s internet-heavy focus on customer interaction and transaction. There are significant challenges and hurdles in the near term for dealers and their vendor partners. However, with the right guidance and expert counsel, dealers and their partners can achieve this critical compliance and train each employee on the new rules in place so that they can provide their customers with the trust they need to do business in this era of modern retailing.
About The Author:
Ken Hill is managing director for 700Credit, the automotive industry’s leading provider of credit reports, compliance and soft pull products. For more information please visit www.700credit.com.