The FTC amended the Safeguards Rule so that it now covers business practices performed at dealerships. This update will affect car dealerships throughout the Dayton area. The requirements must be in place by December 9, 2022, so the time to get moving is now. When reading through the Safeguards Rule on the FTC website, the information can seem a bit overwhelming. To help simplify this complex conversation, here are some basic things to know when embarking on this journey.
Three Main Questions Dayton Dealerships Ask About the Safeguards Rule
- What is the Safeguards Rule? This ruling provides the minimum requirement needed to ensure customer information is secure.
- Who does this ruling apply to? This ruling specifically applies to financial institutions. The most recent amendment added “finders” to the category of financial institutions, which is how dealerships were brought into this ruling.
- What does this mean for the automotive industry? Any automotive dealership that either leases vehicles for terms of 90 days or longer, or brings car buyers and financial institutions together to arrange financing for a vehicle, will be subject to the requirements in the FTC Safeguards Rule.
Most Dayton-based dealerships have information technology systems with automated controls that help protect the system itself. This ruling focuses on how the customer information within that system is handled. To help simplify the process, consider these six steps.
Six Steps to Securing Data at Your Dealership
- Designate an individual to oversee your information security program. The rule refers to this person as the Qualified Individual. This can be an internal employee with an information security background or a third-party service provider.
- Conduct a risk assessment. A risk assessment is a series of statements describing the best practices for securing data in your industry, and you check your current controls against each one. These assessments can seem a bit daunting at first, but just tackle them one statement at a time. Anything your company does not currently have in place goes on the remediation plan.
- Create a remediation plan and start remediating. A remediation plan is essentially a list of the actions the company needs to take in order to satisfy every statement in the risk assessment. Each item should detail what is required, what the company plans to do, who is responsible, and the expected completion date.
- Monitor your service providers. This is an extremely important step. You need to ensure that any third-party service provider with access to your information system or your customer data follows the same information security guidelines, and you need to check that they actually do, not just take their word for it.
- Training, training, and more training. Really, this should probably be your first step, because it is the one thing that will provide the most benefit in protecting the data within your information system. There are two areas of staff training that are vital to all businesses. The first is general information security training for all staff that covers the relevant topics: phishing, ransomware, insider threats, password security, remote-working safety, and so on. The second is ongoing phishing training (including simulated phishing emails) that keeps the staff's mindset focused on phishing attacks. Phishing is still the number one attack used by cyber criminals, so this is a definite necessity.
- The last thing you need to have in place is an incident response plan. This plan must be in writing and should cover the basic steps to take if there is ever a cyber security incident: who to notify, how to contain the incident, and how to recover. The company will also want to schedule tabletop exercises as a way to practice what is in the plan before a real incident occurs.
Let’s Get Started
For more information or assistance, contact LMSolutions today at https://www.lmsolutionsllc.com and let them help you with the process!