Many dealerships have diligently worked to update their Information Security Programs in 2022 to come into compliance with the revised Safeguards Rule by the December 9th deadline. On November 15, 2022, the FTC announced that the compliance deadline would be extended until June 9th, 2023 for certain provisions of the revised rule.

Provisions Included in the Extension

The following requirements of the revised Rule now do not need to be in place until June 9, 2023.

• Designate a Qualified Individual

• Creation of a Written Risk Assessment

• Implement Access Controls for Sensitive Customer Information

• Encryption for Sensitive Customer Information

• Training for Security Personnel

• Creation of an Incident Response Plan

• Service Provider Oversight

• Implementation of Multifactor Authentication

Provisions Still Required by the December 9th Deadline

• Continuous Vulnerability Scanning

• Data and Systems Inventory

• Systems Monitoring and Logging

• Continuous Monitoring

• Unauthorized Activity Monitoring

• All-Employee Security Awareness Training

• Secure Development Practices

• Safe Data Disposal Practices

• Change Management Procedures

• Written Information Security Program (WISP)

• Written Annual Report

Dealerships should understand that although they now have more time to come into compliance with the revised Rule, implementation of a full Safeguards Solution can take a month or more. Dealerships who have already begun the process should continue to roll out their programs. Dealerships who have not started the process should not delay.

Mosaic Cyber Security offers complete compliance with the revised FTC Safeguards Rule and has provided retail automotive compliance solutions for over 15 years. You can receive a tailored quote by filling out our Safeguards Status Questionnaire. In addition to satisfying all of the Rule’s requirements, Mosaic’s solution also allows you to pick and choose services a la carte. Our dedicated team will walk you through your custom roadmap, help set up your services, provide live support, and keep you on track so that you will achieve complete compliance on time!

Retaining Service Providers

The Safeguards Rule requires you to oversee your service providers. There are four subparts to this requirement. First, you must take reasonable steps to select – and only retain - service providers that are capable of adequately protecting customer data. There are software-based programs that can manage this task. This will require the cooperation of your service providers. If they won’t cooperate, you must find service providers that will.

Written Contract

Second, you must obligate your service providers by written contract to implement the safeguards necessary to protect customer data. This obligation can be baked into the contract itself, be added as an addendum to an existing contract, or be a free-standing Safeguards Agreement, but it must be in writing.

Periodically Assess

Third, you must “periodically assess” your service providers with respect to this obligation. The same software used to vet service providers can support this effort as well.

Monitor

Fourth, you must monitor your service providers on an ongoing basis to verify they are maintaining adequate safeguards. This does not mean “continuous” oversight, but it must be regular. This last obligation is potentially overwhelming. Fortunately, the software we’ve been referencing probably satisfies both the “assessing” and “monitoring” requirements, and accomplish those tasks inexpensively.

Originally published in F&I and Showroom Magazine on August 11, 2022.

"Let’s examine the trades necessary to build a Safeguards Rule compliance program."

"I look at Safeguards Rule compliance from a particular perspective. Let me explain. Boniface Bernhardt Günther was born in 1866 in Baden-Baden, Grand Duchy of Baden (the German states wouldn’t coalesce into a single country until 1872). He studied the building trades in Bern, Switzerland, returning to his hometown in 1888, where he became subject to conscription into the army of the nascent German Empire..."