FTC Safeguards Rule: Is Your Dealership’s InfoSec Program Ready?

The latest updates to the Federal Trade Commission’s Safeguards Rule may have been a long time coming, but for CIOs, risk managers, or newly designated Qualified Individuals, a December 2022 deadline is approaching at rapid speed.

How should you implement new security practices, who should you trust to help you, and how fast can you get it done? 

First, you’ll need to know exactly what FTC amendments apply to auto dealerships–then tap into a way to meet multiple requirements with one multifaceted solution. 

The SafeGuards Act: What it Used to Be

2003 marked the birth of the FTC’s Safeguards Rule–a requirement that any organization deemed a “financial institution” according to the Gramm-Leach-Bliley Act must take various steps to protect consumer data. Part of these requirements includes developing and executing a written information security program, and making it available to customers. The FTC instructed organizations to meet these new requirements through a series of five flexible steps:

1. Designate a program coordinator
2. Perform a risk assessment
3. Implement safeguards and perform audits
4. Oversee service providers
5. Update and adjust info security program over time

The first iteration of the Safeguards Rule wasn’t overly specific about the actions financial institutions should take in developing an infosec program (ergo “implement safeguards”). Twenty years after the conception of the Safeguards Rule, the FTC has issued an amendment, this time requiring financial institutions (including auto dealerships) to meet timely and industry-standard security requirements. This rule will be enforced on December 9, 2022, regardless of a dealership’s size, operating systems, or types of data being handled. 

Zoning In: Key FTC Changes Dealers Need to Know

How will this specifically affect your dealership’s information security program?

First, all institutions will need to appoint a “Qualified Individual” who will be held responsible for the implementation and management of the security program. This person must report on the organization’s security safeguards to higher management to ensure compliance across the board.

Second, the FTC broadened the definition of a financial institution to include “finders,” or companies that connect buyers and sellers. This means that when dealers work with vendors to buy or sell, they will need to be examined for standard security practices, and will have to comply with the Safeguard Rule on their own.

The most vital change, however, is to the methods and practices dealers are expected to perform to protect customer data.

The Biggest Hit Comes to Safeguard Practices Themselves

In 2003, the FTC left it to institutions to decide what sufficed for security measures specific to their size, scope, and workflow. In 2022, the Safeguards Rule amendment provides a set of specific practices required for protecting consumer data, based on today’s privacy standards. The FTC lists them as:

1. Frequently and consistently review and update access controls. Dealers should constantly be examining and reevaluating who has access to customer data, and whether or not they should still have it. 
2. Know what you have and where you have it. Be able to track all of consumers’ data down to where it is and who has eyes on it. 
3. Use encryption to protect customer data. You’ll be required to ensure it’s encrypted both in transit, and when it’s at rest in your system. 
4. Assess and ensure security of apps, whether owned by your dealership or third party. Codify a way to evaluate whether or not they meet secure standards. 
5. Implement multi-factor authentication for anyone accessing customer information on your system. 
6. Dispose of customers’ information in a secure way. Do this no later than two years after obtaining the data, unless there’s a business need to keep it. 
7. Anticipate changes to your systems information networks and security practices. As technology develops, you need to have change management processes in place that will continue to protect customer data in periods of transition or increasing threat. 
8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. For audit purposes, actively record the activity of users with access to customer data. 

You can see the full outline of FTC Safeguards Rule requirements here.

Two Birds, One Stone: Meet Multiple FTC Requirements By Centering the Data

There are several products that can provide end-to-end encryption for data in motion and at rest in dealerships–but there’s more to the FTC regulation than just that. In the pursuit of compliance by December 9, 2022, what if dealerships could meet encryption, access control, and audit requirements at the same time? 

At Virtru, we help auto dealerships do this through our foundational open standard called the Trusted Data Format (TDF). TDF protects sensitive information by encrypting data at the object level, to offer as much control as possible. This means that instead of solely encrypting a network, device, app, or endpoint, TDF encrypts individual emails and files themselves — while making it exceptionally easy for the end user. All they have to do is click a toggle button directly within their email interface, and it’s done. Even better, dealerships can also add a safety net of encryption with an email gateway that detects and protects sensitive data before it leaves your organization. 

Virtru recently partnered with a car dealership to help them meet multiple Safeguards Rule requirements. Here’s how.

Encrypting Data At Rest and In Motion

This car dealership opted to secure its Google Workspace email system using Virtru’s Gmail plugin for Chrome. Users can encrypt emails even in draft mode with one click. Using a Data Loss Protection (DLP) function, administrators can add triggers to warn users to protect their email communications with encryption when the software detects keywords or key actions.

Attribute-Based Access Controls are Tied to The Data Itself

With Virtru, this dealership is using attribute based access controls (ABAC), which tie a person’s identity, instead of their role in the company, to access rights. This allows for easier compliance with the FTC’s requirement of persistent reevaluation of access controls. Since data is encrypted and assigned access controls on the data object level, this integrates the constant evaluation of access controls within the workflow itself. No more sweeping access for collaborators based on broadly assigned roles within the security ecosystem. 

Encryption at the data object level also gives dealership employees the ability to control what specific pieces of data can be accessed, by whom, for how long, and in what manner. TDF empowers users with the ability to grant or revoke access to emails and files, track email forwards, apply watermarks to attachments, disable forwarding or copy and paste, and set expiration dates for accessing data.

Granular Access Controls Streamline Consistent Audits

Virtru’s control center allows administrators to track any and all emails secured with encryption, with a magnifying glass. The control center lets our dealership view what data has been encrypted, who accessed and forwarded it through its entire lifecycle, whether or not it was decrypted after delivery, potential expiration dates, and who was revoked access. Admins can also use the control center to grant and revoke access at any point. The dealership can tap into this capability specifically to streamline audits.

Aids in Disposal of Customer Information

The dealership can instantly revoke access to any email or attachment that contains sensitive information using Virtru. So when the time comes to audit and dispose of customer information, it’s easy to remove it from places it shouldn’t be, and to track where it has been. 

Ease of Use Promotes Intuitive Adoption

It’s a race to December 9–and many dealerships could face missing the deadline because of overly complex deployment rollouts. Virtru data protections don’t require heavy-lift software installs, can be implemented on-premise or on the cloud, and will allow for intuitive user adoption. 

It’s why this prominent dealership decided to expand the power of encryption and granular data access controls to more than just its executives. Accounting, finance, sales teams, and more only need one click to encrypt valuable customer data. With Virtru, this dealership can trust that data will be protected, because the workforce isn’t exhausted by security measures that disrupt workflow.

Virtru Applies Encryption to Emails, Inbound & Outbound File Sharing, Salesforce & ZenDesk Integrations, and More

Dealerships depend on email to propel their businesses forward –but Virtru leverages data-centric encryption for more than just email. Consumer data cloud protection, apps, inbound and outbound file sharing, and more can all be protected with the power of TDF. 

See how it can work for your dealership, and book a demo with our team today.