On October 27, 2021, the U.S. Federal Trade Commission (“FTC) amended the FTC Safeguards Rule. This Rule requires dealers to protect customer non-public personal information (“NPI”) from wrongful use or disclosure. The prior Safeguards Rule was enacted in 2003 and gave dealers discretion to adopt a risk-based Safeguards program consistent with their identified risks. The amended Rule contains more specific requirements for more “comprehensive” Safeguards information security programs.
Safeguards programs cover the administrative, technical, and physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information. A Safeguards program must be in writing.
The new Safeguards Rule is largely focused on electronic information. It imposes a series of mandatory dealer requirements:
Qualified Individual to Head Safeguards Program
The amended Safeguards Rule requires the appointment of a single qualified individual (Qualified Individual) responsible for overseeing, implementing and enforcing your information security program.
The qualifications necessary for the Qualified Individual will depend upon the size and complexity of a dealership’s information system and the volume and sensitivity of the customer information that the dealer possesses or processes. Security training is one universal requirement. The Qualified Individual of a single store dealer with a very small and simple information system will need less training and expertise than a Qualified Individual for a large dealership with a complex information system.
Written Risk Assessment and Data Controls Required
The amended Safeguards Rule adds requirements designed to provide more guidance on how to develop and implement specific aspects of an overall information security program, such as risk assessment, access controls, authentication, data inventory, data disposal, change management, and monitoring. A Safeguards program must address each of these issues.
A written risk assessment is required up front and periodically to identify and evaluate risks to the systems, evaluate the adequacy of existing controls for addressing these risks, and identify actions necessary to mitigate the risks.
Protections for Access to and Use of NPI
The amended Rule requires NPI access to only those persons who need NPI to do their jobs. It requires dual factor authentication for authorized users to access NPI (something the authorized user knows like a password and something they have like a token or personal access code issued for the transaction). You must keep access records to create an audit trail. Conduct penetration tests annually and vulnerability scans every six months and whenever there are material changes to your business or if you know or have reason to know a circumstance may have a material impact on your Safeguards program.
All customer NPI must be encrypted, both in transit and at-rest.
As is the case today, the amended Safeguards Rule requires that you do appropriate due diligence before hiring service providers and specifically with respect to their data security procedures. Service providers must agree contractually to implement and maintain your established safeguards and they must be periodically assessed as to the continuing adequacy of their safeguards.
Changes to Your Safeguards Program
The amended Safeguards Rule adds provisions designed to improve the accountability of dealers’ information security programs, including by requiring the Qualified Individual to make periodic reports to boards of directors or governing bodies. A detailed security incident response program must also be included in your Safeguards program.
The Rule specifically requires regular enhanced security training of employees and the use of qualified information security personnel. You also need to make sure the security personnel maintain current knowledge on new security risks.
Dealers should also be prepared to explain their safeguards to customers — including how they access, collect, process, protect, store, use, transmit and dispose of NPI.
You must also develop an information disposal program that securely destroys all customer information within two years from when it is last needed, or longer if necessary to meet a legal or business requirement.
Effective Date and Exempt Entities
The effective date for most of these new requirements is the fourth quarter of next year but requirements to assess risks, develop solutions to risks, manage service providers, and do employee training take effect in January 2022.
The amended Rule exempts financial institutions that collect customer information on fewer than 5,000 customers from certain of the new requirements. These include the requirements for a written risk assessment, continuous monitoring or periodic tests, the written incident response plan, and regular reports from the Qualified Individual to the board or senior management. However, these dealers must still have a Safeguards information security program in effect based on identified risks.