If you’re in the retail automotive business, you’re used to dealing with regulations and compliance issues. It’s simply part of doing business. However, sometimes when a new regulation comes down, it’s all too easy to balk at the potential increased cost in both financial and time investment to implement them. Right now, there is a lot of talk about updating the Safeguards Rule, and the potential business impact.
Let’s step back and look at the regulation. As part of the Gramm-Leach-Bliley Act, the Safeguards Rule was designed to protect the security, confidentiality, and integrity of customer information.
16 CFR Part 314 Rule Summary:
The Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.
While it is in the inherent best interest of a dealership and its partners to protect and secure customer data, a new wrinkle was recently added that has many in retail automotive scratching their heads. The April 4th issue of the Federal Register contained an update to the Federal Trade Commission’s Notice of Proposed Rulemaking concerning the Safeguards Rule. This issue included several additional requirements that will impact dealerships. One of the most pervasive is the requirement for a Chief Information Security Officer (CISO), which begs the question – what the heck is a CISO and where do you find one?
CISO
A CISO oversees the continuous monitoring or periodic penetration testing and vulnerability assessments of the dealership’s network security system. Whether managing this internally or through outsourcing, the effort to achieve a robust and continuous network monitoring program is directly tied to on the number of networked devices in your IT environment. Count all your computers that are set up on your dealership’s network. Now, count the printers, faxes, tablets, cell-phones, etc. That number can add up fairly quickly.
Here’s the good news. The FTC Notice indicates that a dealership can appoint an employee to serve as the CISO, or an outside provider can be tapped, and there are already excellent players in the field of IT security. If you work with an OEM, start by reaching out to them to see what resources they have available for you. Check with your website provider for references. You can also speak with your F&I product administrator for advice and references on where to go.
When deciding whether to keep the CISO function in-house or to outsource, consider the functions the CISO must handle, including:
- Access controls on information systems
- Identification and management of the data
- Restricting access at physical locations
- Protecting by encryption all customer information
- Adopting secure development
- Implementing multifactor authentication
The baseline to all of this is to keep applying the processes and procedures you already have in place to secure customer data and stay compliant. The changes will not come overnight. But if your dealership security is already in good working order, then this new wrinkle becomes just another business decision.