Data Security

Safeguarding Your Data

The Federal Trade Commission (FTC) Safeguards Rule goes into effect June 9, 2023. Did that date sneak up on you? Will your dealership be compliant, or is your team still trying to figure out what IT upgrades are needed to secure private customer data? Let’s break down the Safeguards Rule, see how it impacts your dealership, and outline steps to consider while working on this compliance initiative. If you’d like another source of information to share with your team, check out EFG’s latest F&I Talk Outside the Box podcast.

Originally enacted in 2003, the Safeguards Rule was amended by the FTC in 2021, but the deadline for compliance was extended to June 9th of this year, giving dealerships more time to incorporate the needed equipment and procedures. Specifically, the new requirements include:

  • Designate a qualified individual to oversee your information security program.
  • Develop a written risk assessment.
  • Limit and monitor who can access sensitive customer information.
  • Encrypt all sensitive information.
  • Implement ongoing security personnel training.
  • Develop an incident response plan.
  • Perform periodic assessments of service provider security practices.
  • Implement multi-factor authentication, or another method with equivalent protection, for any individual accessing customer information.

That’s a lot to absorb! Let’s focus on the key component of data security.


What IS a CISO?

Contributing Author:
Maurice Hamilton
Vice President
EFG Companies

If you’re in the retail automotive business, you’re used to dealing with regulations and compliance issues. It’s simply part of doing business. However, when a new regulation comes down, it’s all too easy to balk at the potential increased cost, in both financial and time investment, of implementing it. Right now, there is a lot of talk about updating the Safeguards Rule, and the potential business impact.

Let’s step back and look at the regulation. As part of the Gramm-Leach-Bliley Act, the Safeguards Rule was designed to protect the security, confidentiality, and integrity of customer information.

16 CFR Part 314 Rule Summary:

The Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

While it is in the inherent best interest of a dealership and its partners to protect and secure customer data, a new wrinkle was recently added that has many in retail automotive scratching their heads. The April 4th issue of the Federal Register contained an update to the Federal Trade Commission’s Notice of Proposed Rulemaking concerning the Safeguards Rule. This issue included several additional requirements that will impact dealerships. One of the most pervasive is the requirement for a Chief Information Security Officer (CISO), which begs the question – what the heck is a CISO and where do you find one?


Consumer Privacy in Retail Automotive

Contributing Author:
Steve Roennau
Vice President
EFG Companies

Do you know someone who was affected by the Equifax data breach? How about the Verifone hack, or the breach within the Internal Revenue Service (IRS)? According to the Identity Theft Resource Center® (ITRC) and CyberScout®, 1,579 data breaches occurred in 2017, representing a 44.7 percent year-over-year increase.

A study of more than 10,000 consumers by Gemalto, a data security firm, stated 70 percent of consumers would stop doing business with a company if it experienced a data breach. And, 69 percent feel businesses don’t take security of consumer data very seriously.

In retail automotive, dealers have been regulated on consumer privacy ever since the Gramm-Leach-Bliley Act was passed in 1999. Under Gramm-Leach-Bliley, dealers are required to implement, and regularly audit, a written “Information Security Program” to protect information about their customers. This is called the Safeguards Rule. However, in 1999, digital data breaches were not even a feasible consideration for most dealers.

To date, these “Information Security Programs” detailed how to physically secure private consumer data. It’s because of these programs that most F&I offices are locked, and F&I managers pay very close attention to make sure no private consumer information can be displayed on a desk or computer screen for anyone to see.

While these procedures are important, they now need to be augmented to incorporate every possible way a consumer data breach could occur. From a physical standpoint, this includes training the sales team on how to properly manage private consumer information, and holding them to the same standards as F&I professionals. For example, let’s say a salesperson made a copy of a driver’s license for a test drive and the consumer ended up leaving the dealership without purchasing. What does the salesperson do with that photocopy? Do they just put it in their desk trash bin, or do they put it in a secure shredding bin? If they just put it in their desk trash bin, that data is not secure. Anyone could come and take that photocopy out of the trash.