How the FTC’s Amendments to the Safeguards Rule Affect Auto Dealerships
In the fall of 2021, the Federal Trade Commission (FTC) announced a change. The Safeguards Rule, designed to protect customer financial data, would be expanded to include non-financial institutions that engage in financial transactions. This includes auto dealerships, which have historically only been subject to a patchwork collection of regional legislation dictating cybersecurity measures.
So, what does this expansion of the FTC’s Safeguards Rule mean for auto dealerships? Most importantly, it means they must be in compliance with several new rules to protect consumer information by December 2022. And one of the few security technologies that is specifically called out by the FTC is multi-factor authentication (MFA).
What is the FTC’s Safeguards Rule?
In 1999, Congress passed the Gramm-Leach-Bliley Act (GLBA) that established the 2002 Safeguards Rule. The Safeguards Rule enhanced the regulatory power of the FTC and led to new requirements for financial institutions, including the development, implementation, and maintenance of an information security program to prevent unauthorized access to sensitive customer information.
In the past, the Safeguards Rule has been vague and offered flexibility in compliance. However, after public comment and further research, the FTC released the updated Safeguards Rule with amendments in order to keep up with technological change, respond to current cybersecurity threats, and establish more concrete guidelines.
What do these changes mean for the auto industry?
More than 90% of Americans live in a household with a car, and many families rely on a car as their key mode of transportation. That means purchasing a car is a big decision for most and can involve a lot of research and investment. From both a practical and an emotional perspective, a trip to an auto dealership is often a big moment in our lives.
When a customer puts their trust in a dealership, they expect the company to not only help them find the best car that fits their lifestyle and needs, but also protect their personal information. In fact, according to a 2021 CDK Global Survey, 84% of consumers said they would not go back to a dealership and buy another vehicle if their data had been compromised.
Similarly, auto dealerships are focused on protecting financial data. In the same survey of 135 dealerships, 85% of dealers claimed that cybersecurity is important compared to other operational areas. However, one challenge in the industry has been the lack of clear security and privacy requirements that all dealerships must follow across the country.
The FTC’s amendments to the Safeguards Rule change all of that. Previous legislation – including the New York State Department of Financial Services cybersecurity regulations in 2017 and California Consumer Privacy Act in 2018 – established guidelines for protecting consumer information that could only be enforced on a regional level. But the Safeguards Rule sets a national standard, outlining what a reasonable information security program looks like.
And according to the FTC, a key component of these programs is MFA.
How does MFA fit into an information security program?
Multi-factor authentication helps security teams control access to sensitive data. When an MFA solution is deployed, in addition to a username and password, employees with access to sensitive data will need another means of verification to make sure they are who they say they are. For example, after a Duo Security user logs into their account, a Duo Push pops up on their phone to confirm that the right person is accessing the right account.
For companies that are new to this technology, it can seem intimidating. Duo understands this and keeps users in mind by focusing on ease of use through multiple authentication methods.
Compliance made simple
Auto dealerships have a lot on their plate, with cars being sold before they even hit the lot. When other priorities emerge, security can take a backseat. Duo recognizes that new and complex compliance regulations can lead to additional burdens and wants to make it easier for dealerships to focus on what they do best - sell and service vehicles. Duo is easy to use, integrates with diverse and complex IT systems, and can be deployed in minutes. With the deadline for compliance with the FTC’s Safeguards Rule fast approaching, Duo is here to help.