Pub. 2 2022 Issue 1

In its announcement, the FTC specifically names “automobile dealerships” as non-banking financial institutions that fall under the purview of these new revisions. The Rule requires dealers to implement operational changes to their data protection and cybersecurity measures, such as creating, updating, and implementing a written information security program (“ISP”) to protect consumer financial information, and conducting periodic risk assessments to make sure the organization is abiding by strict protocols to protect this information. Dealers must act immediately to comply with the new rules or otherwise face stiff penalties of up to $46,517 per violation.

What does the revised Safeguards Rule require? Here is a short list of the requirements that impact dealerships the most:

1. Submit a periodic written report to the dealership’s board of directors or senior officers on compliance with these new requirements and the overall status and results of the Information Security Program (ISP).
2. Implement a written Incident Response Plan in case of a data breach.
3. Perform periodic written risk assessments within the organization that adhere to certain requirements. This will be discussed at length below.
4. Encrypt all data in transit over external networks and at rest.
5. Require Multi-Factor Authentication (MFA), such as an SMS/text verification code, for all systems containing customer nonpublic personal information (NPI).
6. Implement a data retention policy and dispose of customer information within two years after the end of a customer relationship, unless doing so conflicts with state or federal law.
7. Adopt procedures for IT change management.
8. Appoint a single Qualified Individual to oversee the dealership’s ISP.
9. Monitor and log the activity of authorized users and detect unauthorized use or access of customer information.
10. Implement a system or software to continuously monitor cybersecurity threats, including annual penetration tests and biannual vulnerability tests. This will be discussed at length below.
11. Perform security awareness training for all employees.
12. Periodically assess service providers for the adequacy of their physical and technical safeguards, and have agreements that contractually obligate them to implement and maintain appropriate safeguards.

Written Risk Assessment: The Revised Rule revisits the risk assessment requirement and expands on it with more detail and specificity. The Revised Rule requires that dealerships create a written risk assessment that includes:

• Criteria for the evaluation and categorization of identified security risks or threats faced by the dealership;
• Criteria to assess the confidentiality, integrity, and availability of the dealership’s information systems and customer information, including the adequacy of existing controls; and
• Requirements describing how identified risks will be mitigated and how the information security program will address the risks.

Annual Penetration Testing: New to the Revised Rule, dealers are required to perform annual penetration testing to evaluate the effectiveness of the safeguards’ key controls, systems, and procedures. Penetration testing means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems. Additionally, the FTC cited “social engineering and phishing” as an important part of penetration testing; although such testing targets employees with access to the information system rather than the system itself, that does not exclude it from the definition of penetration testing.

Biannual Vulnerability Assessments: The Rule now requires that dealers conduct biannual vulnerability assessments to detect publicly known vulnerabilities. Note that these tests, in this context, are not relevant to information in physical form. In its comments, the FTC notes that free resources are available that automate vulnerability assessments, such as “OpenVAS” and “Nmap.org.”

Service Provider Agreements and Other Requirements: The definition of “service provider” is not updated with this revision, nor is the requirement for dealers to “take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information and require those service providers by contract to implement and maintain such safeguards.” First, dealers should contractually require the service providers they work with (i.e., any person or entity that receives, maintains, processes, or otherwise is permitted to access customer information through its provision of services directly to a financial institution) to implement and maintain appropriate safeguards, including encrypting the information they process for the dealers. Second, dealers must periodically assess the measures that their service providers have purported to put in place. To accomplish this, dealers should consider requiring vendors to complete a risk assessment questionnaire to ensure the vendor conforms to applicable industry standards regarding physical and technical safeguards. For example, any vendor with access to nonpublic personal information should confirm that they support MFA login and encryption of data at rest and in transit.

Incident Response Plan: New in the Rule, these required plans must outline goals and address internal processes for responding to security events, define clear roles and responsibilities of parties involved, prescribe internal and external communications and
CONTINUED ON PAGE 18
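Requirement 9 above (log the activity of authorized users and detect unauthorized use or access of customer information) is the one that maps most directly to a concrete control. The following is an added example, written for this page and not taken from the newsletter, the FTC rule text, or any dealership system: a small access-log review that reads constructed log lines, checks every read of an NPI field against an authorization roster, and flags accounts that touched an unusual number of distinct customer records. The log line format, the roster (AUTHORIZED_NPI_USERS), the resource naming scheme, and the BULK_THRESHOLD value are all assumptions made for the example; a real dealership would substitute its DMS or CRM audit-log format and its own roster.

```python
"""Access-log review for customer NPI records (added example, not the
newsletter's or the FTC's own code). Demonstrates Safeguards Rule item 9:
log authorized-user activity and detect unauthorized access to customer
information. Log format, roster and threshold are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed roster: accounts permitted to read NPI fields, with a role label.
AUTHORIZED_NPI_USERS = {"jsmith": "finance", "mlee": "finance", "svc-dms": "service"}

# Assumed threshold: more than this many distinct customer records read by
# one account in the reviewed window is flagged as possible bulk access.
BULK_THRESHOLD = 3


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    action: str      # e.g. "read"
    resource: str    # assumed scheme: "customer/<id>/<field>"
    npi: bool        # whether the field is nonpublic personal information


def parse_line(line: str) -> Optional[AccessEvent]:
    """Parse one constructed log line of the assumed form
    '<iso-ts> user=<u> action=<a> resource=<r> npi=<0|1>'.
    Returns None for lines that do not match, so they can be reported."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        fields = dict(p.split("=", 1) for p in parts[1:])
        return AccessEvent(parts[0], fields["user"], fields["action"],
                           fields["resource"], fields["npi"] == "1")
    except (KeyError, ValueError):
        return None


def review(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return findings as (rule, user, detail) tuples, in the order found:
    - unparseable: a line the monitor could not interpret (a logging gap
      is itself worth a finding, since the Rule expects complete logs)
    - unauthorized_user: NPI read by an account not on the roster
    - bulk_access: one account read more than BULK_THRESHOLD distinct
      customer records (appended after the pass over the log)."""
    findings: List[Tuple[str, str, str]] = []
    records_by_user = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            findings.append(("unparseable", "", line.strip()))
            continue
        if not ev.npi:
            continue  # non-NPI reads are logged but not in scope here
        if ev.user not in AUTHORIZED_NPI_USERS:
            findings.append(("unauthorized_user", ev.user, ev.resource))
        # Count distinct customer ids per account for the bulk check.
        segs = ev.resource.split("/")
        cust = segs[1] if len(segs) >= 2 and segs[0] == "customer" else ev.resource
        records_by_user.setdefault(ev.user, set()).add(cust)
    for user, recs in records_by_user.items():
        if len(recs) > BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(recs)} distinct customer records"))
    return findings


# Constructed sample log: one roster miss (tnguyen), one bulk reader
# (svc-dms touches four customers), one non-NPI read, one garbled line.
SAMPLE_LOG = """\
2022-03-01T09:02:11Z user=jsmith action=read resource=customer/1042/ssn npi=1
2022-03-01T09:05:40Z user=mlee action=read resource=customer/1043/ssn npi=1
2022-03-01T09:06:02Z user=tnguyen action=read resource=customer/1042/ssn npi=1
2022-03-01T09:07:15Z user=jsmith action=read resource=inventory/vin/1FA npi=0
2022-03-01T09:10:00Z user=svc-dms action=read resource=customer/2001/dob npi=1
2022-03-01T09:10:01Z user=svc-dms action=read resource=customer/2002/dob npi=1
2022-03-01T09:10:02Z user=svc-dms action=read resource=customer/2003/dob npi=1
2022-03-01T09:10:03Z user=svc-dms action=read resource=customer/2004/dob npi=1
garbage line
"""

if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG.splitlines()):
        print(f"{rule:18} {user:10} {detail}")
```

The three finding types correspond to the three things the requirement asks a dealership to be able to show: that access is logged in a form the monitor can read, that only authorized users reach NPI, and that unusual use by an authorized account is noticed rather than buried in routine reads. Writing the checks as a function over plain log lines keeps them testable and lets the same logic feed the periodic written report to the board (item 1).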
