The FTC Safeguards Rule – The Provisions in Effect Right Now

November 22, 2022

Certain FTC Safeguards Rule provisions have been extended to June 9, 2023, but all of the following provisions are in effect RIGHT NOW:

  • A risk assessment identifying internal and external risks to customer information (however, the risk assessment does not need to be documented/written until June 9, 2023)
  • A written information security program (ISP) that is based on the risk assessment and identifies the administrative, technical, and physical safeguards
  • Selecting service providers with access to customer information that are capable of maintaining the appropriate safeguards
  • Contractually obligating those service providers to safeguard customer information
  • Regularly testing or otherwise monitoring the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems
  • Periodically performing additional risk assessments and adjusting the ISP accordingly

The provisions that have been extended to June 9, 2023 are:

  • Section 314.4(a), which requires the designation of a “qualified individual” to implement, oversee, and enforce the information security program
  • Section 314.4(b)(1), which requires the risk assessments be written
  • Section 314.4(c)(1)–(8), which specifically requires designing and implementing various administrative, technical, and physical safeguards, which includes various physical and technical access controls, multi-factor authentication, encryption, activity logging, and change management procedures
  • Section 314.4(d)(2), which specifically requires continuous monitoring of information systems, and absent effective continuous monitoring, annual penetration testing and vulnerability scanning at least every 6 months
  • Section 314.4(e), which requires mandatory training and engaging qualified information security personnel to oversee the information security program
  • Section 314.4(f)(3), which requires periodic assessments of service providers with access to customer information
  • Section 314.4(h), which requires a written incident response plan
  • Section 314.4(i), which requires a status report (at least annually) to the Board of Directors (or equivalent governing body)

But here is the reality check. Splitting hairs on what is required now, what will be required in the future, and which consumer data needs to be protected is ill-advised. The FTC has been actively taking enforcement actions against businesses that maintain any type of consumer information and suffer data breaches, under a different authority – its authority to prosecute unfair and deceptive acts and practices. It is the same authority that the FTC used against Bronx Honda, Napleton, and Passport for different purposes.

Among other things, the FTC is finding “unfair” and “deceptive” security practices when businesses are:

  • Storing consumer information unencrypted
  • Not using multi-factor authentication (MFA)
  • Not providing employees with security awareness training
  • Not having an information security program
  • Not having an incident response plan
  • Not having continuous monitoring, vulnerability scanning, or penetration testing

To summarize, your dealership should be doing everything that the FTC Safeguards Rule requires (now and in the future) right now.

ComplyNet helps guide dealerships to compliance with its Guided Compliance Assistant solution for Privacy and Safeguards. To schedule a meeting, CLICK HERE.