Established in May of 2003, The Safeguards Rule (“Rule”) is a federal data security rule that requires financial institutions (including auto dealers) to have measures in place to keep customer information secure. In addition to developing their own safeguards, dealers are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

On October 27, 2021, the FTC published updates to the Safeguards Rule that add additional requirements for dealerships to adapt to current technologies revising the Rule to provide more concrete guidance for businesses.

These rules will be enforced beginning June 9, 2023.

How does this update affect financial institutions and auto dealers?

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security protocol with administrative, technical, and physical safeguards designed to protect customer information. The Rule covers information about your own customers and information about customers of other financial institutions that have provided the data to you.

Dealers, and all their service providers that have access to any customer data, will have one year from the Amended Rule’s publication in the Federal Register to comply with the new requirements. Those who fail to comply with the Safeguards Rule are subject to legal issues and costly fines.

Why was the Safeguards Rule updated?

The FTC updated the rule forcing organizations to protect themselves and their partners and clients against anticipated threats or hazards to the security or integrity of customer information, to protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer, and to ensure the security and confidentiality of customer information.

How does Isogent get your organization compliant?

Following these 15 steps:

• Designate a Qualified Individual to implement and supervise your company’s information security program.
• Conduct a risk assessment.
• Implement and periodically review access controls.
• Know what you have and where you have it.
• Encrypt customer information on your system and when it’s in transit.
• Assess your Externally Developed Applications
• Implement multi-factor authentication for anyone accessing customer information on your system.
• Systems Monitoring and Logging
• Development of Secure Data Disposal Procedures
• Required Change Management Procedures
• Required Unauthorized Activity Monitoring
• Required Intrusion Detection and Vulnerability Testing
• Staff Training
• Create a written Incident Response Plan.
• Annual written report to the Board