Understanding the FTC Safeguard Rules Update & What it Means for Your Dealership

In today’s world where private data is collected on the web, we are no strangers to the occasional data security breach or leak. The world’s largest companies have been hit with cyberattacks that have exposed breaches in their data security, leaving mountains of personal consumer data open for the taking.

The Federal Trade Commission (FTC) is a governmental organization charged with consumer protection. For decades they have been working to ensure institutions are properly securing the confidential or sensitive information they gather from their customers or clients. As of 2003, the FTC left it to non-banking institutions to decide what sufficed for security measures, but they recently released an amendment to their Safeguard Rules. The amendment included a specific set of practices designed to protect consumer data based on today’s privacy standards that apply to all financial institutions – including automotive dealerships – with a June 9, 2023 deadline for full compliance.

Let’s take a closer look at dealership data security, the Safeguard Rules, and what this all means for you.

Why is data security so critical for my dealership?

Before we dive into the technical bits of FTC compliance, take a moment and consider how much personal information your dealership collects from the average lead. Your website likely asks converting leads for their full name, phone number and email address. A customer looking to purchase a new car will need to give you their credit score or their social security number in order to get financing options. Shoppers looking for a test drive from home will provide you with their home address for pick up purposes. That is a lot of very personal, highly sensitive data.

Now, consider this: if your dealership is storing that information in multiple unsecured, disconnected data silos, you are automatically opening yourself – and your customers – to tremendous risk for cyber attacks, identity theft and other forms of fraud. The FTC Safeguard Rules aim to reduce the risk and ensure dealerships are taking the necessary steps towards protecting their customers.

While it may feel overwhelming at first, compliance with governmental data security and privacy laws is an absolute must for your dealership. In addition to meeting your customers’ expectations of privacy, complacency or refusal to adapt could result in your dealership being slapped with massive fines from the FTC.

What are the FTC Safeguard Rules?

Now that we’ve explored why data security is critical for your dealership, let’s dive into the nitty gritty of the FTC amendment.

In late 2021, the FTC released a set of updated regulations that requires all “non-banking financial institutions” that offer consumers financial products or services like loans, financial or investment advice, and insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data – including automotive dealerships.

In accordance with the Safeguard Rules, dealerships must communicate to their customers how they share the customers’ sensitive data, inform customers of their right to opt-out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers’ private data in accordance with a written information security plan created by the institution.

Compliance with the FTC Safeguard Rules

In order to be fully compliant with the FTC rules, dealerships much meet the following criteria:

• Each auto dealership must designate a ‘qualified individual’ who will serve as the overseer of their cybersecurity program and provide written reports to a governing board.
• Dealerships will need to conduct regular risk assessments of both their own security systems and the security systems of their vendors to ensure that all customer and client data is kept encrypted.
• Dealerships must implement safeguards to control the risks identified, such as identity and access management, encryption, and multi-factor authentication.
• Dealerships must test and monitor effectiveness of key controls, through practices such as continuous monitoring and vulnerability assessments.
• Dealerships must ensure that all employees are provided with security awareness training, updated as necessary to reflect risks.
• Dealerships must require their own service providers to maintain appropriate safeguards, through selection, contract requirements, and assessments.
• Dealerships must continue to adjust their security program based on the results of their monitoring and any changes to the business.
• Dealerships must establish a written incident response plan, outlining roles, responsibilities, and remediation actions taken in the event of an incident.
• Finally, the qualified individual must report, in writing, on the overall status of the security program.

FTC compliance with Fullpath

Fullpath’s CDXP is ISO 27001 certified. This is the top international standard of information security. You can be assured that working with Fullpath’s Customer Data and Experience Platform means you are working with a vendor who understands, appreciates, and has gone above and beyond industry standard to make sure the data we collect, store, and use on behalf of your dealership is secure and via our continued ISO Certification, in compliance with the top international standard of information security.

Fullpath can ensure the following when it comes to FTC compliance:

• Fullpath has a designated Chief Information Security Officer (CISO) to ensure thorough and consistent compliance with ISO data security standards.
• All our customer data is encrypted and stored in separate databases.
• In accordance with our ISO certification, we conduct ongoing risk assessment on all our data services.
• We maintain separate permission levels for different dealership employees and different products and data sets those employees may/ may not have access to
• Fullpath complies with the top standards and protocols for incident response as outlined in our ISO Certification (above and beyond this, we are committed to keeping the Dealership informed of any potential or actual security breach)
• Fullpath conducts quarterly internal data security audits along with yearly external data audits conducted by local ISO reps.

Fullpath applies the highest standards when it comes to compliance and emails sent by Fullpath’s CDXP are designed specifically to meet California requirements:

• Fullpath emails display offer disclaimers in the body of the email for both OEM and Dealership offers.
• Fullpath emails clearly display the offer expiration date as a separate line in the email body (not just in the disclaimer).
• Fullpath emails display the VIN on all vehicle-specific offers
• Fullpath’s CDXP verifies that any price drop included in emails, is a ‘real price drop’ and not artificially created in order to look like a discount is given. Fullpath has specifically made sure the that the ‘previous price’ was the lowest price for a specific VIN in the past 3 months.
• Fullpath includes ‘this is an advertisement’ disclaimer at the top of all emails

If you are interested in learning more about Fullpath’s CDXP solutions for your dealership, reach out to us at get.started@fullpath.com.

This article was last updated in March 2024.