The Federal Trade Commission has recently updated the 2003 Gramm-Leach-Bliley Act ‘Safeguards Rule’ to create new standards and procedures that will apply to auto dealerships and go into effect in December 2022.
The Safeguards Rule outlines the standards required for the protection of consumer data. The new updates create stricter criteria and procedures that car dealers will need to implement, both to reduce the risk of a data breach and to better protect customer data. The new updates are designed to reflect fundamental principles of data security while also keeping pace with ongoing technological advancements.
We’ll cover the impact of these new updates, the unique challenges they will pose for dealerships, the new requirements dealers will need to meet, and how Arctic Wolf can help auto dealers meet those requirements.
Who is Impacted by Safeguards Rule Changes?
The updates to the Safeguards Rule apply to all auto dealerships in the United States, both large and small. Specifically, within each auto dealership, the updates will apply to C-suite, owners, managers, IT directors, and those who are involved in day-to-day business operations.
What Are the Challenges for Dealerships?
The new rules introduced by the FTC require car dealers to implement and follow specific criteria and procedures. One of the most significant challenges that auto dealers will face is the sheer volume of consumer information that they work with each day (and specifically, data that are prime targets for cybercriminals).
Specific examples of this data include:
- Bank Account Numbers
- Credit/Debit Card Numbers
- Credit Reports
- Dates of Birth
- Driver’s License Numbers
If any of this data is exposed, it could result in identity theft or in the data being sold to cybercriminals. Not only would that be dangerous to the victims, but it would also deal a severe blow to the reputation of the auto dealer. As the team at GetWeave notes, 90% of customers will always research a company and check reviews online before buying from them.
If an auto dealer sustains a major data breach and that data is made public, it could be devastating, as customers could simply go to another, less “risky” dealer in town for the same make and model of vehicle they want.
Another major challenge that dealerships face is ensuring compliance before the upcoming December 9th deadline. Not all car dealerships have these safeguards in place, which include implementing new, detailed security programs and having employees complete rigorous cybersecurity training curricula.
If auto dealerships are not fully compliant following December 9, they stand to face a potential fine of $50,000 per infraction. So, what are the requirements dealerships must follow to ensure they remain compliant with the updated rules?
What Are the Requirements for Dealerships?
Good question. There are nine specific updates to the Safeguards Rule:
- Each auto dealership must designate a ‘qualified individual’ who will serve as the overseer of their cybersecurity program and provide written reports to a governing board
- They will need to conduct regular risk assessments of both their own security systems and the security systems of their vendors to ensure that all customer and client data is kept encrypted
- They must implement safeguards to control the risks identified, such as identity and access management, encryption, and multi-factor authentication
- They must test and monitor effectiveness of key controls, through practices such as continuous monitoring and vulnerability assessments
- They must ensure that all employees are provided with security awareness training, updated as necessary to reflect risks
- They must require their own service providers to maintain appropriate safeguards, through selection, contract requirements, and assessments
- They must continue to adjust their security program based on the results of their monitoring and any changes to the business
- They must establish a written incident response plan, outlining roles, responsibilities, and remediation actions taken in the event of an incident
- Finally, the qualified individual must report, in writing, on the overall status of the security program
Many of these requirements have detailed sub-parts, drilling down into specific technical safeguards. All of them will require auto dealerships to develop new cybersecurity capabilities and expertise. And all of these new requirements will have to be overseen, monitored, documented, and reported on. This will be a major challenge for all dealerships, but especially those with limited in-house cybersecurity expertise.
How Can Arctic Wolf Help?
Ultimately, when these new updates to the Safeguards Rule go into effect on December 9, they will be here to stay and become the new normal. Their purpose is to ensure that the personal and financial data of customers are better protected. With the proper guidance, auto dealers can ensure that they are in compliance with the new updates by December 9th of this year and maintain that compliance moving forward.
Arctic Wolf can be a part of helping dealers ensure compliance with the new updates in the following ways:
- Arctic Wolf can continuously monitor your entire environment to both detect cybersecurity threats when they arise, and offer continual feedback on how your security systems can be improved.
- We provide continual vulnerability assessments, so you understand each of the cybersecurity risks facing your dealership and your customers.
- We identify any threats targeting your dealership’s network or cloud applications.
- We can provide cybersecurity awareness training to your security team and employees, as well as provide exercises to ensure proper lesson retention.
- And we can provide records and reporting on a dealership’s security activities, including both those we provide and those the dealership performs itself.
Learn more about how auto dealerships are securing their critical data and making security operations easier with Arctic Wolf.