What is the FTC Safeguards Rule?

The Federal Trade Commission's Safeguards Rule is a federal regulation requiring certain businesses—including auto dealerships—to develop, implement, and maintain comprehensive information security programs to protect customer information. Originally enacted under the Gramm-Leach-Bliley Act and substantially amended in 2021, the rule establishes specific security requirements that dealerships must meet to remain compliant.

The regulation recognizes that financial institutions and businesses regularly handling consumer financial information have a responsibility to protect that data from unauthorized access, theft, and misuse. For auto dealerships, this responsibility stems from the routine collection and processing of customer credit applications, financing information, and personal data during vehicle purchases and service transactions.

Why Auto Dealerships Are Subject to FTC Safeguards Rule

Auto dealerships fall under FTC Safeguards Rule jurisdiction because they regularly engage in activities classified as financial in nature. When dealerships arrange financing, lease agreements, or extended warranties, they collect and transmit customer financial information to lending institutions. This activity brings dealerships within the regulatory definition of "financial institutions" subject to the rule.

The determination is not based on how frequently a dealership arranges financing or whether financing is the dealership's primary business activity. If your dealership ever facilitates customer financing, processes credit applications, or shares customer financial information with lenders, the FTC Safeguards Rule applies to your entire operation.

Core FTC Safeguards Rule Requirements

The FTC Safeguards Rule establishes nine core security requirements that dealerships must implement and maintain. These requirements represent minimum standards—your dealership's specific security needs may require additional controls.

1. Designate a Qualified Individual

Dealerships must designate a Qualified Individual responsible for overseeing and implementing the information security program. This person must have the authority and knowledge to develop, implement, and maintain the program. For many dealerships, this requirement is effectively met through engagement with a Virtual CISO or qualified security consultant.

2. Conduct Risk Assessments

Dealerships must conduct periodic risk assessments to identify reasonably foreseeable internal and external risks to customer information security, confidentiality, and integrity. Risk assessments must evaluate the adequacy of existing security controls and identify areas requiring improvement or additional protection measures.

3. Design and Implement Safeguards

Based on risk assessment findings, dealerships must design and implement security controls to manage identified risks. Required safeguards include access controls limiting data access to authorized personnel, encryption of customer information in transit over external networks, secure system development practices, and multi-factor authentication for any individual accessing customer information remotely.

4. Monitor and Test Security Controls

Security controls must be regularly monitored and tested to ensure effectiveness. This includes continuous monitoring or periodic penetration testing of systems, vulnerability assessments to identify security weaknesses, and monitoring of authorized user activity to detect potential internal threats or compromised accounts.

5. Train Security Personnel

All personnel responsible for implementing or maintaining the security program must receive appropriate training. Additionally, all employees must receive security awareness training relevant to their roles and responsibilities regarding customer information protection.

6. Develop a Written Information Security Program

Dealerships must create and maintain a Written Information Security Program (WISP) that documents security policies, procedures, controls, and responsibilities. The WISP must be reviewed and updated at least annually or whenever circumstances materially affect the program.

7. Oversee Service Providers

Dealerships must select service providers capable of maintaining appropriate security controls, require service providers by contract to implement and maintain adequate safeguards, and periodically reassess service provider security measures and compliance.

8. Maintain Secure Disposal

Customer information that is no longer needed for business purposes must be securely disposed of in a manner that prevents unauthorized access or use. This includes both physical documents and electronic records.

9. Develop an Incident Response Plan

Dealerships must establish procedures to respond to security incidents, including processes to detect and respond to security events, procedures to notify appropriate parties when incidents occur, and documentation of incident response activities and outcomes.

How FTC Safeguards Rule Requirements Affect Auto Dealership Operations

Customer Financing and Credit Applications

The most obvious impact area is customer financing operations. Every credit application, financing arrangement, and lease transaction involves collection and transmission of customer financial information subject to the Safeguards Rule. Dealerships must implement controls throughout the financing workflow including secure storage of credit applications and supporting documentation, encrypted transmission of customer data to lenders and financing sources, access controls limiting who can view or modify customer financial information, and secure disposal procedures when documents are no longer needed.

Dealer Management Systems and Third-Party Access

Dealer management systems contain extensive customer information including purchase history, service records, contact details, and often financial data. The FTC Safeguards Rule requires protection of this information and oversight of all third parties who access it. This creates obligations around DMS vendor selection and contract terms, remote access security for DMS support and updates, vendor access logging and monitoring, and periodic review of DMS security configurations.

Employee Access and Training

Dealership employees across sales, finance, service, and administrative functions regularly access customer information. The rule requires that access be limited based on business need and that all employees receive appropriate security training. Implementation includes role-based access controls tied to job functions, mandatory security awareness training for all staff, documented access request and approval processes, and regular access reviews to remove unnecessary permissions.

Remote Access and Mobile Devices

Many dealership personnel require remote access to systems for after-hours support, mobile sales operations, or work-from-home arrangements. The Safeguards Rule specifically requires multi-factor authentication for remote access to customer information. This affects remote access to DMS and customer relationship management systems, mobile device management for smartphones and tablets accessing customer data, secure email access for employees handling customer information remotely, and VPN configuration and access controls.

Documentation and Audit Readiness

Compliance requires comprehensive documentation of security policies, procedures, and activities. Dealerships must maintain records including the Written Information Security Program, risk assessment reports and remediation activities, security incident logs and response documentation, vendor agreements and security assessments, employee training records, and system audit logs and monitoring reports.

Risks of Non-Compliance

Failure to comply with FTC Safeguards Rule requirements exposes dealerships to multiple categories of risk, including regulatory penalties, civil liability, operational disruption, and reputational damage.

Regulatory Enforcement

The Federal Trade Commission has enforcement authority over Safeguards Rule violations. The FTC can initiate investigations based on consumer complaints, data breach notifications, or routine compliance reviews. Enforcement actions can result in civil penalties, consent orders requiring specific compliance measures and ongoing monitoring, mandatory reporting obligations to the FTC, and public disclosure of violations and required remediation.

Civil Liability and Class Action Risk

Data breaches resulting from inadequate security controls can expose dealerships to civil liability. Customers whose information is compromised may pursue individual or class action lawsuits alleging negligence, breach of fiduciary duty, or violation of state data protection laws. Non-compliance with FTC requirements can strengthen plaintiffs' negligence claims by establishing a violation of regulatory standards.

Cyber Insurance Implications

Cyber insurance policies increasingly require policyholders to maintain specific security controls and compliance with applicable regulations. Non-compliance with FTC Safeguards Rule requirements may result in denial of coverage following a data breach, increased premiums or reduced coverage limits upon renewal, or inability to obtain cyber insurance at any reasonable cost.

Business Disruption from Security Incidents

The security controls required by the Safeguards Rule protect against attacks and incidents that can severely disrupt dealership operations. Ransomware attacks can shut down all systems including DMS, preventing vehicle sales and service operations. Data breaches require extensive investigation, notification, and remediation efforts. Business email compromise can result in significant financial losses from fraudulent wire transfers.

Reputational Damage

Security incidents and regulatory violations become public knowledge, damaging dealership reputation. Customers may lose trust in dealerships that fail to protect their information, potentially affecting sales and service business. Local media coverage of data breaches or FTC enforcement actions can have lasting effects on dealership standing in the community.

Lender and Manufacturer Relationships

Lending institutions and vehicle manufacturers increasingly scrutinize dealership security practices. Some lenders may refuse to work with dealerships that cannot demonstrate adequate security controls. Manufacturer audits may identify security deficiencies that affect dealership standing or franchise agreements.

Steps to Achieve and Maintain FTC Safeguards Rule Compliance

Implementing an effective information security program requires a structured approach that addresses regulatory requirements while supporting dealership operations.

1. Initial Compliance Assessment

Begin with a comprehensive assessment of your current security posture against FTC requirements. This assessment identifies compliance gaps, evaluates existing security controls, documents current policies and procedures, and establishes a baseline for improvement efforts. The assessment provides a clear roadmap for achieving compliance.

2. Designate a Qualified Individual

Identify or engage a Qualified Individual to oversee your information security program. This may be an internal staff member with appropriate expertise, or more commonly for dealerships, a Virtual CISO or security consultant who provides ongoing guidance and oversight.

3. Conduct a Comprehensive Risk Assessment

Perform a thorough risk assessment that identifies all systems containing customer information, evaluates threats and vulnerabilities affecting those systems, assesses likelihood and potential impact of identified risks, and prioritizes risks for remediation based on severity and feasibility.

4. Implement Required Security Controls

Deploy technical and administrative controls to address identified risks and meet FTC requirements. Priority controls typically include multi-factor authentication for remote access, encryption of customer data in transit and at rest, endpoint protection and monitoring, email security and anti-phishing controls, network segmentation and firewall rules, and access control and identity management systems.

5. Develop the Written Information Security Program

Create comprehensive WISP documentation that describes your security program, policies, and procedures. The WISP should be tailored to your dealership's specific environment and risk profile, written in clear language accessible to non-technical readers, and organized for easy reference and regular updates.

6. Implement Training and Awareness Programs

Develop and deliver security awareness training to all employees, with role-specific training for those with significant security responsibilities. Training should be provided upon hire, annually thereafter, and when significant security changes occur.

7. Establish Vendor Oversight Processes

Review and address vendor relationships that involve access to customer information. Ensure vendor contracts include appropriate security requirements, assess vendor security capabilities and compliance, and establish processes for ongoing vendor risk management.

8. Deploy Monitoring and Testing

Implement continuous security monitoring and establish regular testing procedures including vulnerability scanning, penetration testing where appropriate, log review and security event analysis, and periodic assessment of control effectiveness.

9. Maintain Ongoing Compliance

Compliance is not a one-time achievement but requires continuous effort. Maintain compliance through annual risk assessments and program reviews, regular policy and procedure updates, continuous monitoring and improvement of security controls, periodic testing and validation, and documentation of all security program activities.

Partner with FTC Safeguards Rule Compliance Specialists

Achieving and maintaining FTC Safeguards Rule compliance requires ongoing expertise and dedicated attention. We provide comprehensive compliance support including risk assessments, WISP development, security control implementation, Virtual CISO services, ongoing monitoring and program management, and documentation maintenance for regulatory readiness.

Our approach positions us as your compliance partner, not just your IT support provider. We understand the regulatory requirements, the unique challenges of auto dealership operations, and the most effective path to sustainable compliance.

Discuss your dealership's compliance status and required next steps with an experienced security professional.