This article addresses the Federal Trade Commission’s ("FTC") delay of the revised Safeguards Rule (“Rule”) and its practical impact on your dealerships. The article also contains an explanation of why dealers should not wait to implement data protection and cybersecurity safeguards at your dealership because the FTC will still come after you under another section of the FTC Act. Safeguards Rule — Some Requirements Delayed Until June 9, 2023 The FTC gave dealers an early Christmas present when it announced on November 15, 2022, that it was extending the deadline for the Rule by six months. However, it is important to note that this extension only affects some of the requirements that will become effective on June 9, 2023. Specifically, the provisions that have been extended to June include the following: • Designating a qualified individual to oversee the information security program; • Completing written risk assessments; • Monitoring the access and use of sensitive customer information; • Completing a penetration test & vulnerability scan; • Encrypting systems containing customer information; • Training employees on security awareness; • Conducting Vendor & Service Provider risk assessments; • Implementing multi-factor authentication (MFA) on all systems containing customer information; and • Creating and updating a device and systems inventory. Notably, the provisions that have not been delayed (and never were) are: • Creating a written Information Security Program (ISP) for your organization; • Obtaining signed contracts from your vendors (“Service Providers”) who collect customer information, promising to implement reasonable safeguards; • Periodically assessing your Service Providers to ensure that they have reasonable safeguards in place; and • Implementing a system capable of detecting attacks and intrusions on your network. Dealers Should Not Wait to Implement Safeguards Rule Solutions On paper, the delay sounded good. However, once you dig into the details, the delay is not as sweet as it sounds. Because some aspects of the Rule still became effective in January of last year, dealers should not take this delay for granted. This is the time to press on with reinforcing data protection and cybersecurity practices. Why? Firstly, completing all requirements of the Rule can be time-consuming. You will need to coordinate with your vendor to oversee compliance, the dealership staff, any Service Providers they work with (to complete their requirements), and potentially your IT company or Managed Service Provider. Unless you are working with an efficient and responsive team, natural bottlenecks may arise as one party waits on the other. Secondly, the FTC should not be the main reason why your dealership is establishing these data protection and cybersecurity protocols. Dealerships want to ensure compliance with the requirements to keep the federal government at bay, but the main focus should be to prevent data breaches, ransomware attacks, or other cybersecurity incidents! Think about the different forms of damage that could arise as a result of a data breach or ransomware attack: • Reputational damage: Dealerships are pillars in their community, and word of a data breach will spread quickly. Additionally, vendors may be wary about working with you in the future. 29 njcar.org
RkJQdWJsaXNoZXIy MTg3NDExNQ==