Pub. 62 2021-2022 Issue 4

Myths & Misconceptions About the Revised FTC Safeguards Rule
By Chris Cleveland, CFO, and Hao Nguyen, Esq., General Counsel, ComplyAuto

By now, almost all dealerships are aware that the Federal Trade Commission (FTC) revised the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, for the first time in 20 years, with the new regulations going into effect on Dec. 9, 2022. In conjunction with these new regulations, the FTC released a 145-page publication of comments and clarifications on certain aspects of the new Rule, and dealers have been bombarded with seminars, webinars, articles, and sales pitches from various sources about its interpretation. Unfortunately, all that information has caused some misinformation as well. So, let's bust the most common myths and misconceptions about the revised Safeguards Rule.

MYTH # 1: Dealers don't need to perform penetration testing or vulnerability scanning if they're doing 24/7 threat detection monitoring through an EDR, MDR, or SIEM tool.

The regulations create an exception to annual penetration testing and biannual vulnerability scans if the dealer is performing "continuous monitoring." However, many IT companies and Managed Service Providers (MSPs) have gotten into the habit of liberally throwing around the term "continuous monitoring" to describe their EDR, MDR, and SIEM tools. We believe that many of those tools may not satisfy the true "continuous monitoring" requirement in the way it is defined by
