Federal Trade Commission’s Safeguards Rule Amendments Set to Intensify Auto Dealership Data Security Measures

Auto dealerships are no strangers to strict measures surrounding customer data security. They have been complying with the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule for more than 20 years.

However, the Federal Trade Commission (FTC) amended the 2003 Safeguards Rule on October 27, 2021, to require additional controls for existing security compliance processes to better combat increased data breaches and online security risks. While the revised rule took effect on January 10, 2022, specific requirements, such as the appointment of a qualified individual and written risk assessments, will take effect on December 9, 2022.

The relatively complex requirements may carry a lofty burden, with the National Automobile Dealers Association (NADA) estimating upward of $200,… in additional costs each year. Because of the significant time and financial investment necessary to comply with the enhanced rule, it’s recommended that all affected auto dealerships begin preparing and implementing the changes as soon as possible.

Basic Overview of Updated FTC Safeguards Rule

The Safeguards Rule was introduced as part of the original 2003 GLBA to help strengthen the security of customer information and financial data, especially for those receiving loans and financing assistance.

The new FTC Safeguards Rule specifically calls on non-banking financial institutions to develop and implement a more robust security system to maintain customer data. Since most auto dealerships offer financing as part of their sales agreements, they automatically fall into the “non-banking financial institution” category and are subject to the FTC’s increased security measures.

In light of several high-profile data breaches, the FTC’s final amendments include a number of intensified obligations surrounding security, including new and expanded procedural, technical, and personnel requirements. While the initial Safeguards Rule had slightly less stringent compliance requirements, the updated rule requires all financial institutions to comply regardless of size, systems, or the scope of data they collect.

The following amendments that specifically impact auto dealerships are worth noting:

1. Additional criteria surrounding risk assessments, system access controls, authentication, and encryption on top of existing requirements for developing and implementing a written information security program.

2. The appointment of a “qualified individual” to oversee the effectiveness of the information security program, including employee training and service providers. This individual should also be responsible for providing periodic reports to boards of directors and governing bodies.

3. Ensuring that all affiliates, service providers, and vendors comply with safety measures and effectively protect customer information. This includes all third parties that might access the customer’s personal information during the loan or financing process, including customer resource management (CRM) tools, marketing agencies, and data management platforms.

Small dealerships collecting information from fewer than 5,000 consumers may be exempt from the requirement of a written risk assessment, incident response plan, and annual reporting to the board of directors.

Please contact John Comunale via our online contact form for more information.
