Posted on March 5, 2024 by Travis Peterson
Ransomware attacks nearly doubled in 2021 and the shift in quantity is expected to be permanent. That’s a scary stat for any business – but especially for auto dealerships, which are at the forefront of cybersecurity attacks.
We all know how much sensitive customer information changes hands when a vehicle is financed or leased. It’s no wonder the FTC classifies motor vehicle dealers as “non-banking financial institutions” that must follow the strict Safeguards Rule. And now that Rule has become even more stringent.
Buckle up because there’s a lot to cover here. If you haven’t made changes already, it will take time and money to ensure your dealership is in compliance with the new requirements (which the FTC updated in October and are mandated by Congress under the Gramm-Leach-Bliley Act).
The silver lining of complying with new regulations is a bullet-proof system and well-trained employees who can defend against ransomware attacks, keep consumer data safe, and avoid hefty non-compliance fees.
To help break down the new data security rules, we spoke with Risa Boerner, partner and co-chair of the data security and workplace privacy practice group at Fisher Phillips, a labor and employment firm with offices across the country. Here’s what you need to know.
Safeguards Rule requirements (compliance)
The amendments to the federal Safeguards Rule include new data security requirements for dealers, employees, and vendors to protect sensitive customer information. They are set to take effect this December, with certain requirements delayed until a year after publication in the Federal Register.
Boerner notes the changes will likely mean extra upfront costs and operating expenses because compliance will “require more preparation and dealerships may need to hire outside vendors to assist in the process.” Consider budgeting for IT consultants and compliance experts.
Qualified individual amendment
A key amendment is a requirement to appoint a “qualified individual” to oversee, implement, and enforce the information security program and submit an annual written report to your board of directors or governing body. The individual can be an employee, contractor, or vendor. There are no specific education requirements, but it should be someone who understands your system and the type of data you store.
Risk assessment amendment
Risk assessments have new rules too. Dealerships must prepare a written risk assessment that can be used to evaluate and identify security risks periodically. The written document must include criteria to assess the “confidentiality, integrity, and availability” of customer information and information systems. It must also include descriptions of how identified risks will be addressed and mitigated.
One of the most significant changes is the requirement to implement multifactor authentication whenever anyone – employee, customer, or vendor – accesses a system containing nonpublic personal information. This technique, commonly implemented as two-factor authentication, requires a two-step login process so a criminal cannot access your system with a stolen password alone.
Boerner explains compliance with this rule change is also “really critical” to obtain cyber insurance. She went on to say, “Many insurance companies won’t even speak with dealerships if they don’t have multifactor authentication in place.”
It’s smart to take a hard look at your insurance policies and renewal dates. Ease vendor auditing and make it simple to find and review contracts by storing them all in one central online location instead of a paper file cabinet. A document management platform allows you to find a document with a couple of keystrokes and scan through for renewal policies so you’re not caught flat-footed if your insurer refuses to renew or tries to push through a large price increase.
Vendor vetting for compliance
Carefully vetting vendors will be a whole new ball game for many dealers. That’s because the amendments require dealers to oversee and monitor that service providers are maintaining safeguards in line with the dealer’s safeguards.
“These measures apply equally to vendors who have access to your data and/or systems. You’re responsible to make sure they comply,” explains Boerner. “It’s not enough to only vet when you hire. You need to ask and document compliance when you hire and over the life of your relationship.”
The average dealership has around ten vendor partners. Large groups can have hundreds. This amendment makes vendor management more important than ever. Storing all agreements in one central online location can help you quickly view contracts and compliance assessments and rectify problems before your dealership is at risk.
Hopefully, most dealerships already train their employees on phishing techniques and other cyberattack strategies, but if not, now is the time to start. Under the amended regulations, dealership management must provide and document security awareness training. The training must also be updated over time.
Proper training is especially important when you consider the growing trend of business email compromise. Email addresses and message wording look as if they are legitimately from upper management or a vendor, for example, but click on an embedded link and your system is instantly infected with malware. Vetting and hiring a training consultant is a good step to handle a lot of the heavy lifting of getting employees up to speed.
Various data protection amendments
Other notable amendments relate to keeping sensitive customer data secure. These include the mandates to encrypt all customer information both at rest in your systems and in transit, implement policies and procedures for monitoring and logging user access, and conduct annual system vulnerability assessments.
Is your dealership exempt from the compliance rules?
The FTC is throwing a bone to smaller retailers such as one-rooftop dealers. The new rule exempts dealerships that maintain fewer than 5,000 customer records from conducting written risk assessments, annual board reporting, certain monitoring and testing requirements, and maintaining a written incident response plan.
Boerner cautions smaller retailers to be careful when assuming exemption. “Five-thousand consumers sounds like a lot, but as a practical matter it’s really not a lot for many dealerships.”
As more and more dealerships rely on digital solutions to process and store consumer data, it’s imperative to take cybersecurity seriously. Yes, compliance can be expensive. However, the damage to your bottom line and your dealership’s reputation in the event of a data breach makes it worth the investment.