As consumers demand more privacy, government agencies like the Federal Trade Commission (FTC) are taking active steps to protect consumer information and data. However, 63% of consumers are concerned about what’s being done with their data, and 66% of British survey respondents said they’d feel most comfortable trusting an organization that had never had a data or security breach. In response to these high-pressure demands from consumers, the FTC recently updated the FTC Safeguards Rule, which sets new standards for what an information security program looks like and for how “non-banking financial institutions” like auto dealerships will need to adapt. The new standards go into effect on June 9, 2023.
What Does the Safeguards Rule Mean for Auto Dealerships?
Overall, the FTC is working to strengthen the protections in place to keep consumer data confidential and secure. Going forward, auto dealerships with more than 5,000 customer records in their database are required to develop, implement, and maintain an information security program to protect customer information. Dealerships maintain personally identifiable financial information (PIFI) when drivers apply for new lines of credit to buy a car. Companies are required to:
- Designate a qualified individual to run their information security program. It’s difficult for many businesses to maintain in-house cybersecurity experts, so the qualified individual can be an external, third-party partner like TPx.
- Craft a written risk assessment. TPx offers comprehensive security consulting that always starts with a risk assessment. Gaps and vulnerabilities can quickly be identified, and concurrent risk assessment can be performed in the future.
- Limit and monitor all access to consumer information. Put controls and safeguards in place around usage rights. Not everyone should have the same access to information.
- Encrypt sensitive information. Endpoint security helps safeguard devices, so when sales representatives access files while touring potential buyers around the parking lot, they’re not vulnerable to hackers.
- Train all employees. With 88% of data breaches caused by human error, it’s critical that employees are up to date on their security awareness training. This also strengthens your first line of defense against cyberattacks.
- Develop an incident response plan. Incidents will happen, and it’s best to have a remediation plan in place. TPx offers managed backups and disaster recovery solutions.
- Assess their third-party vendors periodically. As regulations change, third-party vendors might fall out of compliance. Assess vendors regularly and avoid vendor lock-in with flexible contracts.
- Implement multi-factor authentication or equivalent protection. Multi-factor authentication offers a safeguard around employee access so you can ensure only verified team members are seeing sensitive data.
Work With TPx
Work with a trusted managed services provider like TPx to get compliant sooner rather than later so your employees, customers, and partners can feel secure and confident in your ability to protect their data. Contact us today to learn how TPx can help you become compliant by the June 9th deadline.