Stay Compliant with the FTC’s Safeguards Rule
In December 2021, the FTC revised the Safeguards Rule, which is a component of the Gramm-Leach-Bliley Act (GLBA). The Rule requires that financial institutions, including dealerships, develop, implement, and maintain a comprehensive written information security program.
Dealers must designate a “Qualified Individual” responsible for overseeing, implementing, and enforcing the information security program.
KPA provides a sample Designation of Qualified Individual Form. Additionally, during an on-site Safeguards review, your KPA Consultant will confirm the qualified individual is in place.
Dealers must periodically conduct a written risk assessment to identify reasonably foreseeable internal and external threats to the security, confidentiality, and integrity of customer information.
KPA offers online GLBA Safeguards training. Additionally, during an on-site Safeguards review, your KPA Consultant will validate you have completed a yearly risk assessment and verify there is a written assessment. They will also provide a written report detailing the handling of physical
customer data with recommendations for implementing new controls.
Dealers must design and implement customer information safeguards to
control the risks identified through the assessment.
KPA provides a sample written Information Security Program template. Additionally, during an on-site Safeguards review, your KPA Consultant will inquire that you have put proper information safeguards in place that address and/or control the risks identified in the assessment, asking questions like do you encrypt data at rest (stored on a server or other computer)? Do you have multifactor authentication? And more…
Dealers must regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.
While KPA does not provide cybersecurity testing services, we can verify you have either put in place a continuous monitoring solution and/or have conducted both penetration and vulnerability tests in the last six months. We’ll also verify you are putting new controls in place as a result of the assessments.
Dealers must implement policies and procedures to ensure that personnel uphold the information security program. The Qualified Individual must provide personnel with security awareness training and keep current on changing information, security threats, and countermeasures.
KPA provides online General Security Awareness training. Additionally, during an on-site Safeguards review, your KPA Consultant will validate you have provided regular training programs and that security personnel are keeping up to date with security trends and program risk needs.
The Latest on the Safeguards Rule
In this episode of The F&I Minute, Emily is joined by KPA Senior Manager of Legal Affairs, Robert Ebin, Esq., to dig into the Safeguards Rule and what companies can do to avoid getting dinged by regulators.
Incident Response Plan
Dealers must establish a written incident response plan designed to assist in quickly responding to and recovering from a security incident involving the exposure of customer information.
KPA provides templates for both an Incident Response Plan and a Breach Notification Form. Additionally, during an on-site Safeguards review, your KPA Consultant will verify that an incident response plan is in place. They will also confirm a walkthrough of the plan is conducted annually.
Service Provider Oversight
Dealers must oversee service providers that have access to customer information. They should take reasonable steps to select and retain service providers that can maintain appropriate safeguards for customer information, and require service providers to do so contractually. You should also periodically assess service providers based on the risk they present and the continued adequacy of their safeguards.
KPA provides a Sample Service Provider Risk Assessment and a Sample Service Provider GLBA Addendum. During an on-site Safeguards review, your KPA Consultant will inquire that the correct service provider addendum is in place and covers all providers.
The Qualified Individual must report in writing, regularly and at least annually, to the board of directors or an equivalent governing body. The report should include the overall status of the information security program and the dealer’s compliance with the program.
During an onsite Safeguards review, your KPA Consultant will verify regular reports are being produced by the qualified individual and that they meet the minimal standards listed
above. The consultant will also ensure both Safeguard assessments and KPA’s on-site physical Safeguard security reports are incorporated into the dealer’s risk assessment remediation plans.