The FTC Safeguards Rule Amendments + You + Reynolds… What You Need to Know
- Cyberattacks increased by 15.1% from last year.
- New Safeguards Rule amendment goes into effect 6/9/23... are you prepared?
Update: The FTC announced an extension of six months to the amendments of the Safeguards Rule. The amendments will not take effect until June 9, 2023.
Cybersecurity attacks have been on a steady incline each year, increasing by 15.1% from 2021 to 2022. There seems to be no end in sight, and each new attack is becoming more and more sophisticated. You may be looking into your dealership showroom thinking, “That will never happen to me!” But the truth is, the automotive industry is a prime target. There have been several cyberattacks and threats against OEMs and dealerships over the last few years.
And the impact isn’t just a bad day at the office or an angry customer comment. It’s legal fees and fines due to improper security practices. It’s hours, days, or maybe even weeks out of operation, like it was for Honda after their 2020 ransomware attack. Or it could be $250,000 in expenses to replace all your computers and network infrastructure, as was the case for a dealership group in Florida. There are real financial consequences to a cyberattack.
The FTC Safeguards Rule & Amendments
Enter the FTC Safeguards Rule, initially released in 2003 as part of the Gramm-Leach-Bliley Act (GLBA). The rule lays out specific ways financial institutions should protect customer information. You might be thinking, “Financial institutions… I’m a dealership???” Yes, this does apply to dealerships. Under the rule, a financial institution is any business that offers consumers financial products or services like loans, financial or investment advice, or insurance.
With the continuous evolution of cyberattacks, there have been recent amendments to the rule. These include items such as:
- Having a qualified person in charge of the dealership’s information security program
- Encrypting data at rest and in transit
- Implementing, documenting, and reviewing who has access to what data
- Requiring multi-factor authentication when accessing customer information
- Providing staff training on information security
- Disposing of consumer data in a secure fashion
- Ongoing monitoring and testing of the effectiveness of your security program
These are just a few of the amendments.
What can you do?
These amendments have a direct impact on your business, and you’re required to have a plan in place to meet these amendments by June 9, 2023. So what can you do today?
- Dust off the information security plan you created in 2003 when the Safeguards Rule was first released. Review it thoroughly to ensure it includes all of the components in the rule and the amendments. If something is missing, address it as soon as you can.
- Talk to your vendor partners to understand what policies they have in place to help you meet these amendments by the deadline.
How is Reynolds helping?
Reynolds is committed to helping our dealer partners meet the requirements laid out in these amendments. We’ve always taken data and cyber security seriously, so we already have many of these requirements built into our system. For example, you’re already able to implement and review access controls for all applications, monitor and document who is accessing which data, and securely dispose of customer information. Also, the data is encrypted both at rest and in transit.
In addition, we are in the process of rolling out several new features, including multi-factor authentication, security training courses, and enhancements to our Interface Dashboard for monitoring user and third-party access.
For more information on any of these items, please contact your Reynolds account manager.
The amendments to the Safeguards Rule have established a deadline for implementing many security measures for your business. This, coupled with the fact that cyberattacks continue to grow and evolve each year, makes now the time to take action. Make sure you are working with your software vendors to meet these requirements and have a comprehensive and flexible plan for both your IT infrastructure and cybersecurity protection. When you can’t do all this on your own, enlist the services of a trusted partner to help do the heavy lifting.