On Wednesday, the Federal Trade Commission (FTC) announced it had voted to implement an update to the so-called “Safeguards Rule.” The FTC’s release noted the update will “strengthen the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information.” The rule was created around 2001 as part of the Gramm-Leach-Bliley Act passed by Congress in 1999, but it has garnered increasing attention throughout the past few years as more and more institutions continue to be vulnerable to threats such as cyberattacks.
FTC director Samuel Levine said the recent updates are “common-sense steps” that must be taken to fulfill institutions’ responsibility to protect consumers’ information. The updated rule mandates that non-banking financial institutions “develop, implement, and maintain a comprehensive security system to keep their customers’ information safe.” This includes automotive dealerships, which have been required to disclose their privacy policies to their customers outlining how they will be using their private personal information for many years.
While the committee voted 3-2 in favor of the updates, dissenters Noah Joshua Phillips and Kristen Wilson voiced concern that they could have the opposite effect of what their goal is, noting that “the new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions.”
| Related: The dangers of cybersecurity and fraud in 2021: What your dealership should know |
Rebecca Kelly Slaughter and Lina M. Khan, who voted in favor of the updates, jointly defended the updated rules and stated that they are “sorely needed” due to the growing occurrences and negative effects of data breaches as technology advances.
The FTC is also planning on requesting public comment to determine if relevant institutions should be required to report security incidents to the FTC.
Dealership Impact
The updated rules require institutions such as dealerships to assign one individual to be in charge of their organization’s security procedures and “report periodically to an organization’s board of directors, or a senior officer in charge of information security.” It also mandates that institutions be able to “explain their information-sharing practices,” which includes everything from retrieving customers’ information to sharing it, using it, and disposing of it.
Ultimately, the updates to the rule require dealerships and other institutions to make a more solid, regimented security program and be more transparent about them, including the requirement to periodically report them. Institutions obtaining data from under 5,000 consumers will be exempt from some of the requirements.
Other protocols that are required to be put into place include strong encryption of data as well as multi-factor authentication procedures for computer systems.
Of course, dealerships will need to continue to abide by their old methods of protecting customer data, too. This includes sharing such information only with employees who need it, keeping the information in-house and well-monitored while also eliminating the ability to download it to external devices (e.g., USB drives), implementing strong anti-virus software on all dealership computers, and permanently deleting any information that is no longer needed.
Did you enjoy this article from Kimberly Hurley? Read other articles on CBT News here. Please share your thoughts, comments, or questions regarding this topic by submitting a letter to the editor here, or connect with us at newsroom@cbtnews.com.
Be sure to follow us on Facebook and Twitter to stay up to date or catch-up on all of our podcasts on demand.
While you’re here, don’t forget to subscribe to our email newsletter for all the latest auto industry news from CBT News.
