FTC Expands Data Security Requirements, Impacting Dealers

Here are five things you need to know about the FTC's expansion of the Safeguards Rule.

Co-authored by Robert Ebin, Esq. and Emily Hartman

At the end of October, the Federal Trade Commission (FTC) announced its expansion of the Safeguards Rule to better protect consumer financial information from cyberattacks and security breaches. The amended rule’s most significant requirements will take effect one year from the date it’s published in the Federal Register, which means dealers will likely need to comply by the fourth quarter of 2022.

Here are five things you need to know.

1. Rule Expands Data Security Requirements for Written Programs

For background, the FTC created the Safeguards Rule as part of a directive from the Gramm-Leach-Bliley Act. The Safeguards Rule has been around since 2003, directing financial institutions, which include dealerships that extend credit and lease terms, to develop and implement a written information security program.

The updated rule goes into much more detail about the elements an information security program must include, such as access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing and incident response.

2. Identify One Qualified Individual to Oversee Data Security

The previous rule allowed “an employee or employees” to take responsibility for the information security program, but the new rule requires only one “Qualified Individual.” This person must write an annual status report and provide it to the board of directors or the business’s governing body. The report must cover overall status updates of the program, compliance and all security breaches or events that occurred in the past year.

3. If You Have Fewer Than 5,000 Customers, You Could Be Exempt from Some Requirements

The rule includes an exemption for financial institutions that collect data on fewer than 5,000 customers. These organizations are exempt from certain requirements, including the written risk assessment, the incident response plan and submitting the report to the board of directors.

4. The Definition of Financial Institution Is More Expansive

The Safeguards Rule applies to any financial institution, which includes dealerships that extend credit and lease terms. The updated rule now includes any organization participating in activities that the Federal Reserve Board identifies as incidental to financial activities. This change brings “finders,” or companies that bring together buyers and sellers, under the rule.

Additionally, several other definitions were directly added to the rule from the Privacy of Consumer Financial Information Rule.

5. Open Comment Period: Should Organizations Report Large Data Breaches to the FTC?

On top of the updates, the FTC announced a 60-day open comment period on whether the Safeguards Rule should be further amended to require financial institutions to report to the FTC any data breaches or other security incidents that impact 1,000 or more customers’ information.

What Should You Do?

Continue to monitor for more information from the FTC. Seek out your legal counsel to review your current policies and procedures, help determine what changes you’ll need to make, and figure out how you’ll make them in the coming year.

Robert Ebin, Esq. is KPA’s senior manager of legal affairs, specializing in regulatory and compliance issues in sales and F&I. 
Emily Hartman is the marketing communications manager for KPA, writing about regulatory and compliance news for the KPA Better Workforce Blog.
