The U.S. Federal Trade Commission (FTC)—a bipartisan federal agency that champions the interests of American consumers—has added certain businesses to the Safeguards Rule, which was designed by the FTC to protect customer information from being shared inappropriately as required by the Gramm-Leach-Bliley Act that has been in force since 1999.

The Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

According to the FTC, customer information includes personally identifiable data collected by dealers in relation to lease, insurance, or finance contracts; this holds true across data types except for information that is publicly available. The FTC has clearly stated that all businesses must:

• Assign an employee to manage the dealership’s security plan. In order to be considered a successful implementation, the manager must be provided with the authority, time, and resources necessary to fulfill compliance requirements.

• Perform reasonable risk assessments, including assessment of the existing safeguards to determine if they are sufficient to mitigate risks to an acceptable level; it is considered a leading practice to record such risk assessments in writing in case the FTC requires evidence of compliance.

• Put sufficient security safeguards in place to mitigate the identified risks to the required level according to risk tolerance; these safeguards must be regularly monitored to ensure their effectiveness. A helpful four-step self-assessment guide is included below.

• Perform vendor security management for all vendors which may have access to process or store the organization’s sensitive information. This can include validation of security certifications on a regular basis, or the performance of security audits of those vendors’ operations. The requirements for security compliance should be part of the organization’s contracts with service providers.

• Adapt the security program as needed to improve the effectiveness of the program, or when the risk profile of the organization changes.

How can an auto dealership know whether it is compliant? Below are four key steps that can give such organizations a proven method for performing a self-assessment:

1. Perform after-hours inspections of sales desks, common areas, trash cans, printers, fax machines, and copiers to identify whether sensitive information is being left where unauthorized individuals may have access.

2. Similarly, perform after-hours inspections of finance offices, looking for the same types of issues. Any unsecured customer information besides customer names could be cause for concern.

3. Inspect computer interfaces when they are not in use to determine whether employees have properly locked their screens or logged out for the day, as applicable. Check for exposed passwords, such as those written on notepads or taped on cards under keyboards. Employees violate policy should be counseled about dangerous behavior identified.

4. Try to access bookkeeping and accounting files outside of normal business hours, including filing cabinets and storage rooms.

We hope these self-assessment steps are helpful in making it clear what is required to ensure sensitive information is secure. It is highly recommended that the organization performs this type of self-assessment regularly throughout each year, being sure to immediately address any issues discovered.

Please note that auto dealers do have additional requirements with which they must comply under the Gramm-Leach-Bliley Act and the FTC’s Privacy Rule. Reach out to Webcheck Security to learn how we can help your organization comply with its compliance requirements under these laws and rules.