What Car Dealers Need to Know About the FTC Safeguards Rule
As a car dealership, you’re not just in the business of selling vehicles – you’re also handling some of your customers’ most sensitive financial information. Every credit application and financing agreement contains a goldmine of personal data. That’s exactly why the FTC has specifically called out dealerships in its Safeguards Rule. But what does this mean for your day-to-day operations? Let’s break it down with some real-world examples and practical guidance.
Why Car Dealerships Are in the Spotlight
Think about all the personal information that passes through your dealership: social security numbers, credit reports, bank account details, and more. Every time a customer fills out a credit application or applies for financing, they’re trusting you with their most sensitive data. The FTC recognizes this unique position dealerships hold in financial transactions, which is why you’re specifically named in the Safeguards Rule as businesses that must comply.
Recent Cautionary Tales in Cybersecurity and Data Protection
The consequences of inadequate data protection can be severe, as some major companies learned the hard way in 2024. Marriott recently faced a $52 million settlement over a data breach – a stark reminder of what’s at stake. While Marriott isn’t a dealership, their story holds valuable lessons about the importance of proper security measures.
Even more telling is the case of Blackbaud, which received a unique punishment: 20 years of mandatory third-party audits. Their mistake? Keeping customer data longer than necessary – something many dealerships might be doing right now without realizing it. Think about those old credit applications or customer files sitting in your system from years ago. Do you really need to keep them?
What This Means for Your Dealership
Running a dealership is complex enough without adding cybersecurity concerns to the mix. However, protecting customer data doesn’t have to be overwhelming. Start by thinking about your everyday operations:
Customer Data Collection and Storage
Every time someone walks into your showroom and fills out a credit application, you’re collecting data that needs protection. You need clear processes for how this information is collected, where it’s stored, and who can access it. This includes both paper forms and digital records in your Dealer Management System (DMS).
Employee Access and Training
Your sales team, F&I managers, and administrative staff all need different levels of access to customer information. The key is ensuring everyone only has access to what they need to do their job. Regular training helps your team understand their role in protecting customer data – from the salesperson taking down initial information to the F&I manager processing loan applications.
Security Monitoring and Response
Just like you have security cameras watching your lot, you need systems monitoring your digital assets. If something goes wrong – whether it’s a data breach or a system failure – you need to know who to call and what to do first. Is it your DMS provider? Your IT company? Your attorney? Having these decisions made in advance can save crucial time during an incident.
What Steps Do I Need to Take to Make My Dealership Compliant With the FTC Safeguards Rule?
First Steps Toward FTC Compliance
Start with a thorough risk assessment of your dealership’s operations. This isn’t just about checking boxes – it’s about understanding where your customer data lives and how it’s protected. Consider everything from how credit applications are processed to how long you keep customer records. A simplified FTC assessment tool can help identify your risk profile and generate specific recommendations for your dealership.
Creating Your Information Security Program
Your security program must be documented and actively managed by a qualified individual – this can be someone from your IT company or Managed Service Provider, but you’ll still need an internal point person to oversee them during the process. Your program should include:
- Written policies that reflect your actual practices for handling customer data
- Access control protocols, including who can access what systems and when
- A full set of security policies covering device protection, network security, Wi-Fi, and other technical controls
- Data destruction policies – both for paper records and digital files
- Incident response and business continuity plans that spell out exactly who to call first in an emergency
Ongoing Cybersecurity Measures
If you’re not using continuous monitoring tools, you’ll need to conduct annual penetration tests and vulnerability assessments from a qualified vendor. Other key measures include:
- Multi-factor authentication (MFA) for all system access
- Regular, preferably automated, system patching and updates
- Ongoing security awareness training for all employees
- Role-specific training for managers and finance staff who handle sensitive data
- Regular program reviews to keep security measures current
Program Management and Reporting
Security isn’t a one-time project – it’s an ongoing process that requires regular attention. Your qualified individual needs to:
- Provide annual reports to your leadership team
- Review and update policies when business changes occur (new locations, new systems, etc.)
- Monitor and document security incidents
- Keep training records and policy acknowledgments
- Regularly test your incident response plan
Remember, if something changes in your business – whether it’s opening a new location, switching DMS providers, or buying new computers – you need to reassess your security program to ensure it still provides adequate protection.
What About State and Insurance Requirements?
You’re not just dealing with federal regulations – there’s a multi-layered approach to compliance that smart dealerships need to consider. At the state level, many state governments are starting to implement their own requirements. For example, Texas specifically looks for FTC Safeguards Rule compliance when auditing businesses that handle financial data, while New York has implemented similar regulations through its own framework.
But there’s another crucial piece to this puzzle: your cyber liability insurance. If you don’t have cyber liability insurance yet, you should seriously consider it – it’s becoming as essential as your general liability coverage. However, these policies come with their own security requirements that often mirror the FTC Safeguards Rule. Insurance carriers want to know you’re taking proper precautions before they cover you, and many require specific security measures like multi-factor authentication, employee training, and incident response plans. By aligning your security practices with the FTC Safeguards Rule, you’re not just meeting regulatory requirements – you’re also positioning your dealership to qualify for better insurance coverage and potentially lower premiums.
Moving Forward with Confidence
Protecting customer data is now as much a part of running a dealership as selling cars and providing service. While the requirements might seem daunting, breaking them down into manageable steps makes compliance achievable. Remember, this isn’t just about avoiding fines – it’s about protecting your customers and your dealership’s reputation.
You can read more about how our business can help your business by going to: www.Dbest.com