
How to Stay on top of Ongoing Compliance Requirements Under the Amended Safeguards Rule

Less than two months remain before the Amended Safeguards Rule’s[1] June 9, 2023, deadline. At this stage, you are likely well aware of the requirements promulgated by the FTC: (1) designate a qualified individual to manage your information security program (ISP); (2) conduct risk assessments of your ISP; (3) implement mitigation tools for identified ISP risks; (4) test your ISP; (5) train your staff; (6) monitor your third-party service providers; (7) write an incident response plan; and (8) report to organization leadership on ISP activity. The FTC’s stated purpose for these requirements is to protect the customer information that dealerships collect.

By now, or in the waning few weeks ahead, you and your ISP qualified individual will tick the boxes on specific action items under the amended rule, such as lining up your threat detection provider, installing multifactor authentication, sending out service provider questionnaires, polishing the written documents that encompass your ISP, reviewing system inventory lists and user access protocols, and settling on your encryption solution. While important, clearing these compliance to-dos by June 9 is only part of the equation. Embedded in the FTC’s Amended Safeguards Rule are vast, continuous obligations that do not end on the deadline. They necessitate consistent attention and a best-laid plan.

Specifically, the Amended Safeguards Rule mandates periodic written risk assessments, which commentators have opined means annually. The risk assessment should include the criteria used for the evaluation, the types of data analyzed, and foreseeable threats to data. As your data inventory changes and business needs adjust, so do the risks and the tools utilized to neutralize the risks. As these developments occur, they prompt edits to your written ISP.

Additionally, the amended rule requires continuous monitoring of your data systems or annual penetration testing, with bi-annual vulnerability assessments. The testing results and recommendations must be reported to your board or senior officers in writing and at least annually.

The rigorous nature of these ongoing obligations is apparent. From discussions with dealers, we have learned the importance of engaging a steadfast compliance partner. Though the interaction between your inside qualified individual and your outside compliance partner will be unique to your organization, it is imperative that both work according to a predetermined schedule so that assessments, tests, and reports are completed at the required intervals. This means setting internal deadlines for preparatory meetings and deadlines for when reports must be made.

Notably, these activities and evaluations will produce new records about your organization. Record-retention policies and safety measures for those records will need to be considered, as well. Documents should be organized and easily accessible in the event of an audit, whether from the FTC or your cyber insurance carrier.

The Amended Safeguards Rule also requires that dealership staff be trained on a routine basis regarding customer information security protocols.

Your employees need to stay abreast of your written ISP and any changes to it. You and your compliance partner should develop a scheduled course of action for policy dissemination. What’s worse than not having a required policy? Having one that no one knows or follows.

In addition to training on your customer data standards, dealership staff should stay current on industry-wide data-security ethics and compliance issues. Approximately every eight weeks, The LDS Group offers an Ethics and Compliance Seminar via Zoom. Attendance is tracked, allowing dealers to receive reports on F&I employees who attend. As you know, training is not a one-and-done exercise. Repeated exposure to these issues positions your employees to be effective risk managers.

As the song goes, “The only thing that stays the same is everything changes.”[2] This is especially true in the customer data context. We have found that a reliable compliance partner and regular training help dealers stay on top of ongoing, progressing compliance requirements. After all, June 9 is not the date to put your ISP on a shelf. It marks the beginning of your security obligations.
