THE DELAY IN THE REVISED SAFEGUARDS RULE IS OVER — ARE YOU PREPARED? BY HAO NGUYEN, ESQ. CHIEF LEGAL OFFICER, COMPLYAUTO SAFEGUARDS RULE — REQUIREMENTS EFFECTIVE JUNE 9, 2023 The FTC gave dealers across the country an early Christmas present when it announced on November 15, 2022 that it was extending the deadline for the Rule by six months. The six months has now passed, and on June 9, the following requirements took effect: • Designating a qualified individual to oversee the information security program; • Completing written risk assessments; • Monitoring the access and use of sensitive customer information; • Completing a penetration test & vulnerability scan; • Encrypting systems containing customer information; • Training employees on security awareness; • Conducting Vendor & Service Provider risk assessments; • Implementing multi-factor authentication (MFA) on all systems containing customer information; and • Creating and updating a device and systems inventory. Notably, the provisions that were never delayed are: • Creating a written Information Security Program (ISP) for your organization; • Obtaining signed contracts from your vendors (Service Providers) who collect customer information promising to implement reasonable safeguards; • Periodically assessing your Service Providers to ensure that they have reasonable safeguards in place; and • Implementing a system capable of detecting attacks and intrusions on your network. DEALERS SHOULD IMPLEMENT SAFEGUARDS RULE SOLUTIONS NOW Firstly, completing all requirements of the Rule can be time-consuming because so many players are involved. You will need to coordinate with the vendor to oversee compliance (like ComplyAuto), the dealership staff, any Service Providers they work with (to complete their requirements), and potentially your IT company or Managed Service Provider. Unless you are working with an efficient and responsive team, natural bottlenecks may arise as one party waits on the other. Secondly, you should not “miss the forest for the trees,” meaning that the FTC should not be the main reason why your dealership is establishing these data protection and cybersecurity protocols. Yes, we want to fulfill these requirements to keep the federal government at bay, but I would argue that the main focus should be to prevent data breaches, ransomware attacks, or other cybersecurity incidents! Think about the different forms of damage to your organization that could arise as a result of a data breach or ransomware attack: • Reputational damage: Dealerships are pillars in their community and word of a data breach will spread quickly. Additionally, vendors may be wary about working with you in the future. • Data breach mitigation: Depending on the level of your cybersecurity coverage from your insurance company (or lack thereof), you could be paying out of pocket for forensic professionals to “stem the bleeding,” so to speak, and try and recover what you can. • Dealership downtime: You can bet that your dealership will suffer significant delays as you try to survey the extent of the breach and work through the mitigation efforts. • Data recovery: If it was a ransomware attack that resulted in the loss of employee, customer, and 25 THE GENERATOR
RkJQdWJsaXNoZXIy MTg3NDExNQ==