FTC Safeguards Rule Update by ComplyAuto

The Revised FTC Safeguards Rule


Written by Credit Bureau Connection strategic partner ComplyAuto

On October 27, 2021, the Federal Trade Commission (FTC) revised the
Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (“Revised Rule”) for the first time since the
rule was issued in 2002. The Safeguards Rule requires certain financial institutions to implement
a written information security program (“ISP”) to protect consumer financial information and
to conduct periodic risk assessments to make sure the organization is abiding by strict protocols
to protect this information. In its announcement, the FTC specifically names “automobile
dealerships” as a non-banking financial institution that falls under the purview of these new
revisions. Within thirty days of the Federal Register publication, these covered companies (i.e.
dealerships) must implement written risk assessments and an ISP based on those risk assessments,
and must conduct regular testing of their systems’ safeguards and controls. Additionally, the Revised
Rule requires covered companies to maintain written incident response plans and
implement specific security requirements. Dealers must act immediately to meet compliance
with the new rules or otherwise face stiff penalties of up to $43,792 per violation.

But these are things you already know. As dealer attorneys yourselves, I’m sure you have
been inundated with these kinds of articles and newsletters since the FTC’s announcement. So,
I’m going to spend the rest of this article going over the salient points of the new revisions in
bullet-point fashion and exploring concepts buried in the 145-page publication that may not have
immediately jumped out at you. I will then discuss specific topics that both clarify certain issues
and remind you of what your dealer clients should be doing.

What does the revised Safeguards Rule require?

Our team here has gone through every page and here are the rules that impact dealers the most
(Note that this list is not meant to be exhaustive):

  1. Submit a periodic written report to the dealership’s board of directors or a senior officer on
    compliance with these new requirements and the overall status and results of the Information Security
    Program (ISP).
  2. Implement a written “Incident Response Plan”.
  3. Perform periodic written risk assessments that adhere to certain requirements.
  4. Encrypt all data in transit over external networks and at rest.
  5. Require Multi-Factor Authentication (MFA), such as an SMS/text verification code, for
    all systems containing customer nonpublic personal information (NPI).
  6. Implement a data retention policy and dispose of customer information within two years
    after the end of a customer relationship, unless doing so conflicts with state or federal law.
  7. Adopt procedures for IT “change management”.
  8. Appoint a single “Qualified Individual” to oversee the dealership’s ISP.
  9. Monitor and log the activity of authorized users and detect unauthorized use or access of
    customer information.
  10. Implement a system or software for continuous monitoring of cybersecurity threats, including
    annual penetration tests and biannual vulnerability assessments.
  11. Perform “security awareness” training for all employees.
  12. Periodically assess service providers for their adequacy of physical and technical safeguards.

Written Risk Assessment[1]:

Even though the prior version of the Safeguards Rule speaks of a risk assessment
requirement, the Revised Rule revisits the requirement with more detail and specificity. The
Revised Rule requires that dealerships create a written risk assessment that includes:

  • criteria for the evaluation and categorization of identified security risks or threats
    faced by the dealership;
  • criteria to assess the confidentiality, integrity, and availability of the dealership’s
    information systems and customer information, including the adequacy of existing
    controls; and
  • requirements describing how identified risks will be mitigated and how the
    information security program will address the risks.

Multi-Factor Authentication[2]:

Multi-factor authentication (“MFA”) occurs when an individual’s identity is authenticated
through verification of at least two of the following types of authenticating factors: 1) knowledge
factors, such as a password; 2) possession factors, such as an email token or SMS/text code; and
3) inherence factors, such as biometric information.
Dealers should begin asking the vendors that process customers’ nonpublic personal
information to require MFA when individuals access their databases. This should not be a
tall order in light of the FTC’s complaint (and consent order) against DealerBuilt in 2019. In it,
DealerBuilt was considered to be a financial institution itself because it “significantly engaged in
data processing for its customers, auto dealerships that extend credit to customers.” With this in
mind, dealers should not run into any significant difficulties when asking their own CRM and
DMS providers to provide MFA.

Annual Penetration Testing[3]:

New for the Revised Rule, financial institutions are required to perform continuous
monitoring or annual penetration testing to evaluate the effectiveness of the safeguards’ key
controls, systems, and procedures. Penetration testing means a test methodology in which
assessors attempt to circumvent or defeat the security features of an information system by
attempting penetration of databases or controls from outside or inside your information systems.
An interesting point here is that the FTC cited “social engineering and phishing” as an important
part of penetration testing because the fact that the testing involves employees with access to the
information system, rather than the system itself, does not exclude them from the definition of
penetration testing. Scott Wallace, a penetration tester for the Department of Homeland Security,
says that preparing for a phishing campaign is the first thing he does when conducting
penetration testing for the federal agency.

Biannual Vulnerability Assessments[3]:

In addition to annual penetration testing, the Revised Rule requires that financial
institutions conduct biannual vulnerability assessments to detect publicly known vulnerabilities.
Note that these tests, in this context, are not relevant to information in physical form. In its
comments, the FTC notes that there are free resources available that automate vulnerability
assessments, such as “OpenVAS” and “Nmap.org.” Your dealer clients should also take this
opportunity to comply with Center for Internet Security (CIS) Critical Security Controls as some
states, like Utah, Connecticut, and Ohio, are offering forms of safe harbor from civil data breach
liability for CIS compliance.

Service Provider Agreements and Other Requirements[4]:

The definition of “service provider” is not updated with this revision nor is the
requirement for financial institutions to “take reasonable steps to select and retain service
providers that are capable of maintaining appropriate safeguards for customer information and
require those service providers by contract to implement and maintain such safeguards.”
However, it is important nonetheless to remind your dealer clients what they must do when
working with their service providers.

First, dealers should contractually require the service providers (i.e. any person or entity
that receives, maintains, processes, or otherwise is permitted to access customer information
through its provision of services directly to a financial institution[5]) they work with to
implement and maintain appropriate safeguards including encrypting the information they
process for the dealers. Second, dealers must periodically assess the measures that their service
providers have purported to put in place. To accomplish this, dealers should consider requiring
vendors to complete a risk assessment questionnaire as part of their vetting process to ensure the
vendor conforms to applicable industry standards regarding physical and technical safeguards.
For example, any vendor with access to NPI should confirm that they support MFA login and
encryption of data at rest and in transit.

Incident Response Plan[6]:

New in the Revised Rule, financial institutions must establish written incident response
plans. These plans must outline goals and address internal processes for responding to security
events, define clear roles and responsibilities of parties involved, prescribe internal and external
communications and information sharing, identify weaknesses in information systems and how
to remediate, document and report security events and related response activities, and evaluate
and revise the incident response plan as necessary following the security event. When some
commenters argued that this requirement was too burdensome, the FTC clarified that the plan
must address only events that “materially” affect customer information, not every security event
that may occur. Nor does the incident response plan need to detail all possible scenarios and dig
into the minutiae of it all. Rather, it needs only to establish a system that outlines the financial
institutions’ response.

If you feel overwhelmed by the content and potential time and expense that abiding by
these new revisions may require, you’re not alone. In 2019, the National Automobile Dealers
Association suggested that fulfilling these new rules would cost dealerships an average of
$277,000 per year. ComplyAuto is the most trusted privacy software tool for dealers
representing over 600 dealerships and some of the largest groups in the United States. Not only
can we help your stores or clients at a fraction of this cost, we can get them compliant with these
new rules in a matter of days, not months. For more information and pricing, please visit:

Disclaimer: Nothing in this email is intended to be legal advice. Please consult with competent
legal counsel if you have questions regarding this article, the Gramm-Leach-Bliley Act, or the
federal Safeguards Rule.


[1] 16 CFR § 314.4(b)
[2] 16 CFR § 314.4(c)(6)
[3] 16 CFR § 314.4(d)(2)
[4] 16 CFR § 314.4(f)
[5] 16 CFR § 314.2(d)
[6] 16 CFR § 314.4(h)
