The Federal Trade Commission’s (FTC) Safeguards Rule kicks into effect this year, and while some parts have already become official, other areas of the legislation have been extended to June. The law requires stricter information security programs for consumers, meaning U.S. auto dealership executives have a heavy task of strengthening their information systems security.
The ruling oversees how financial institutions protect consumer data. Dealerships must implement changes to protect their own consumer data, and they must also have a formal training program for their employees and third-party audits in place to ensure that every vendor on their list is also following these guidelines.
Even though parts of the rule have been extended to June, a recent poll raised alarms in illustrating just how many dealers have yet to become compliant in many areas. On a recent dealer-focused webinar, 36% said they are just getting started with their compliance plans, 26% said they are halfway there, and 25% said they are nearly done.
This is definitely concerning since several key components of the ruling have already gone into effect:
Some Parts of the Rule Are Already in Effect
Dealers must now show they are in compliance with risk assessments, information security programs, and establishing capable service providers and contractually obligating those service providers. They must also be able to regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems. Lastly, they must be able to periodically perform additional risk assessments and adjust the information security program (ISP) accordingly.
The items that were delayed until June 9 include designating qualified individuals, written risk assessments, and designing and implementing various administrative, technical, and physical safeguards, including various physical and technical access controls, multi-factor authentication, encryption, activity logging, and change management procedures.
What’s more, dealers also had until June 9 to complete continuous monitoring of their information systems, mandatory security awareness training, periodic assessments of service providers, incident response plans, and an annual status reporting functionality.
The webinar poll also showed that 44% of dealers have not provided the mandatory security awareness training to their employees, and 73% have not conducted simulated phishing attacks on their employees.
What’s Key In Becoming Compliant
It will be important for dealers to designate individuals within the dealership who are trained in taking ownership of these new regulations and to ensure everyone is ready. Any educational curriculum must be designed so that each employee is trained in all facets of the new regulation with full comprehension of each component.
Aside from education and training on new programs, the way dealers and any employees handle consumer data and privacy information will be paramount to compliance. Dealers would be wise to take inventory of every possible way they receive consumer data and information: the advertising and marketing insights that enter the top of the funnel at the beginning of the process, all of the search-engine and social media data they receive through promotions and interactions, website information and insights, and certainly consumer information through the service lane. Modern retailing has opened an abundance of new opportunities for dealers to reach new customers, but it also represents so many new opportunities to collect consumer data that now needs to be scrutinized under the new regulations.
The new Safeguards Rule will ultimately help dealers better protect their customers’ valuable data and information — a practice that better manages the risks associated with today’s internet-heavy focus on customer interaction and transaction. There are significant challenges and hurdles in the near term for dealers and their vendor partners. However, with the right guidance and expert counsel, dealers and their partners can achieve this critical compliance and train each employee on the new rules in place so that they can provide their customers with the trust they need to do business in this era of modern retailing.
There is no way around being compliant, and dealers must realize there is also no grey area. There still remains a large number of dealers who are not fully compliant, and the time is now to partner with trusted experts who can help finalize all plans.
Ken Hill is managing director for 700Credit, the automotive industry’s leading provider of credit reports, compliance and soft pull products. For more information, visit www.700credit.com.