The latest updates to the Federal Trade Commission’s Safeguards Rule may have been a long time coming, but for CIOs, risk managers, or newly designated Qualified Individuals, a December 2022 deadline is approaching at rapid speed.
How should you implement new security practices, who should you trust to help you, and how fast can you get it done?
First, you’ll need to know exactly what FTC amendments apply to auto dealerships–then tap into a way to meet multiple requirements with one multifaceted solution.
2003 marked the birth of the FTC’s Safeguards Rule–a requirement that any organization deemed a “financial institution” according to the Gramm-Leach-Bliley Act must take various steps to protect consumer data. Part of these requirements includes developing and executing a written information security program, and making it available to customers. The FTC instructed organizations to meet these new requirements through a series of five flexible steps:
The first iteration of the Safeguards Rule wasn’t overly specific about the actions financial institutions should take in developing an infosec program (for example, “implement safeguards”). Twenty years after the conception of the Safeguards Rule, the FTC has issued an amendment, this time requiring financial institutions (including auto dealerships) to meet timely and industry-standard security requirements. This rule will be enforced on December 9, 2022, regardless of a dealership’s size, operating systems, or types of data being handled.
How will this specifically affect your dealership’s information security program?
First, all institutions will need to appoint a “Qualified Individual” who will be held responsible for the implementation and management of the security program. This person must report on the organization’s security safeguards to higher management to ensure compliance across the board.
Second, the FTC broadened the definition of a financial institution to include “finders,” or companies that connect buyers and sellers. This means that when dealers work with vendors to buy or sell, those vendors will need to be examined for standard security practices, and will have to comply with the Safeguards Rule on their own.
The most vital change, however, is to the methods and practices dealers are expected to perform to protect customer data.
In 2003, the FTC left it to institutions to decide what sufficed for security measures specific to their size, scope, and workflow. In 2022, the Safeguards Rule amendment provides a set of specific practices required for protecting consumer data, based on today’s privacy standards. The FTC lists them as:
You can see the full outline of FTC Safeguards Rule requirements here.
There are several products that can provide end-to-end encryption for data in motion and at rest in dealerships–but there’s more to the FTC regulation than just that. In the pursuit of compliance by December 9, 2022, what if dealerships could meet encryption, access control, and audit requirements at the same time?
At Virtru, we help auto dealerships do this through our foundational open standard called the Trusted Data Format (TDF). TDF protects sensitive information by encrypting data at the object level, to offer as much control as possible. This means that instead of solely encrypting a network, device, app, or endpoint, TDF encrypts individual emails and files themselves — while making it exceptionally easy for the end user. All they have to do is click a toggle button directly within their email interface, and it’s done. Even better, dealerships can also add a safety net of encryption with an email gateway that detects and protects sensitive data before it leaves your organization.
Virtru recently partnered with a car dealership to help them meet multiple Safeguards Rule requirements. Here’s how.
This car dealership opted to secure its Google Workspace email system using Virtru’s Gmail plugin for Chrome. Users can encrypt emails even in draft mode with one click. Using a Data Loss Protection (DLP) function, administrators can add triggers to warn users to protect their email communications with encryption when the software detects keywords or key actions.
With Virtru, this dealership is using attribute-based access controls (ABAC), which tie a person’s identity, instead of their role in the company, to access rights. This allows for easier compliance with the FTC’s requirement of persistent reevaluation of access controls. Since data is encrypted and assigned access controls at the data object level, the constant evaluation of access controls is built into the workflow itself. No more sweeping access for collaborators based on broadly assigned roles within the security ecosystem.
Encryption at the data object level also gives dealership employees the ability to control what specific pieces of data can be accessed, by whom, for how long, and in what manner. TDF empowers users with the ability to grant or revoke access to emails and files, track email forwards, apply watermarks to attachments, disable forwarding or copy and paste, and set expiration dates for accessing data.
Virtru’s control center allows administrators to track, in close detail, any and all emails secured with encryption. The control center lets our dealership view what data has been encrypted, who accessed and forwarded it through its entire lifecycle, whether or not it was decrypted after delivery, potential expiration dates, and whose access was revoked. Admins can also use the control center to grant and revoke access at any point. The dealership can tap into this capability specifically to streamline audits.
The dealership can instantly revoke access to any email or attachment that contains sensitive information using Virtru. So when the time comes to audit and dispose of customer information, it’s easy to remove it from places it shouldn’t be, and to track where it has been.
It’s a race to December 9–and many dealerships could face missing the deadline because of overly complex deployment rollouts. Virtru data protections don’t require heavy-lift software installs, can be implemented on-premises or in the cloud, and will allow for intuitive user adoption.
It’s why this prominent dealership decided to expand the power of encryption and granular data access controls to more than just its executives. Accounting, finance, sales teams, and more only need one click to encrypt valuable customer data. With Virtru, this dealership can trust that data will be protected, because the workforce isn’t exhausted by security measures that disrupt workflow.
Dealerships depend on email to propel their businesses forward–but Virtru leverages data-centric encryption for more than just email. Consumer data in the cloud, apps, inbound and outbound file sharing, and more can all be protected with the power of TDF.
See how it can work for your dealership, and book a demo with our team today.