Pub. 2 2022 Issue 2

FTC SAFEGUARDS RULE COMPLIANCE: More of a Trick and Hardly a Treat
By Hao Nguyen, Esq., General Counsel, ComplyAuto

As we get closer to wrapping up 2022, it should come as no surprise by now that the Federal Trade Commission (FTC) remains active in directing its attention toward dealerships across the country. Aside from the Motor Vehicles Trade Regulation Rule that is taking up most of dealer attorneys’ attention as of late (as well as that of the National Automobile Dealers Association), another looming, and arguably just as important, regulation will come knocking at your showroom door come December 9th: the Gramm-Leach-Bliley Act’s revised Safeguards Rule. They won’t be looking for candy.

Oh yes, the Safeguards Rule. Dressed up as a set of consumer protection regulations (and for all intents and purposes, they are), the Safeguards Rule represents another arrow in the FTC’s quiver as it goes hunting for violating dealers. Having provided Safeguards Rule compliance services to over 6,000 dealerships of all sizes for over a year now, I can tell you that the FTC should drop the bow and pick up a rifle, because the state of data protection in the automotive retail space likens dealerships to fish in a barrel more than deer in the great outdoors.

Your IT or MSP Company is Not Enough – ComplyAuto Works with Them

A quick read of the regulations suggests that the Safeguards Rule is a set of data protection and cybersecurity requirements that all dealerships must follow by December 9 this year. It is tempting to think that your IT company or Managed Service Provider (MSP) can provide you with all of the tools necessary for compliance, but contrary to popular belief, they are just one piece of the equation. The Safeguards Rule consists of both technical and non-technical requirements.
Some of the non-technical requirements that IT companies and MSPs may not be equipped to help you with are:
• Creating an Information Security Program (and designating a “Qualified Individual”)
• Creating the required policies in an Incident Response Plan, IT Change Management Plan, and Data Retention Plan
• Training all employees in security awareness in a way that complies with applicable state and federal rules
• Creating written physical/administrative and technical risk assessments
• Overseeing and monitoring Service Providers in fulfilling their obligations
• Annual reporting to the Board of Directors (or equivalent)

ComplyAuto can help you in all of these areas and more. Some dealers are happy with their existing providers, and ComplyAuto will work closely with them to help get your dealership into full compliance with federal regulations.