Protecting consumer information has always been very important for auto dealers. However, the rising number of data breaches has forced the Federal Trade Commission (FTC) to get involved. In an effort to further improve cybersecurity throughout the industry, the FTC adjusted the Gramm-Leach-Bliley (GLB) safeguards rule to include car dealerships in addition to traditional financial institutions. Recently, some new updates were also made to the GLB safeguards rule. Here’s what you need to know.
Enacted on November 12, 1999, the GLB was created to address concerns related to consumer financial privacy in the financial industry. The rule requires the FTC and other government regulators to implement and enforce cybersecurity standards financial institutions must adhere to. The GLB was later amended to expand the definition of “financial institution” to include businesses that offer financial services like loans, financial advice, and more.
With this new change, auto dealerships became classified as financial institutions. As a result, if you are an auto dealer, you must meet safeguard compliance requirements. This includes assessing risk to consumer data security, implementing a plan to follow car dealership privacy laws, regularly monitoring and updating the plan, and designating an individual responsible for the plan.
While automotive dealership compliance has been around for decades, it’s important to stay on top of your compliance efforts, especially now that the FTC has made final updates to the GLB safeguards rule. If you don’t meet the new requirements, your business could become noncompliant and be subject to lawsuits and enforcement actions.
Announced on October 27, 2021, the latest adjustments to the GLB impose new, specific criteria you must follow. Previously, the requirements were more general and open to interpretation. The changes are expected to go into full effect in October 2022. Here are the updates:
Your dealership is still expected to perform risk assessments to ensure the security of consumer information. However, now you’re going to have to address specific topics in your risk assessment. In addition to the assessment, you’re going to have to produce a written report to document your evaluation’s results.
Another important update focuses on the issues you address in your safeguarding plan. You must now address specific issues such as:
- Access controls
- Data inventory and classification
- Secure development practices
- Information disposal procedures
- Change management
- Incident response
The best way to ensure any plan works is to put it to the test, and your cybersecurity plan is no exception. This update is based on that philosophy. To be compliant with this change, you must adopt measures to oversee the effectiveness of your GLB safeguards rule plan. You are also expected to manage employee training and oversee any third-party service providers you use.
Before the rule adjustments, it was acceptable to nominate two or more employees to be responsible for your company’s safeguards program. The new rule requires you to choose only one qualified person to oversee the program.
As you assess your cybersecurity measures, you’re going to have to also create reports. These reports must be provided to your board of directors or governing bodies. This is meant to raise the stakes for managers and owners as it demands direct involvement to protect consumer data.
While most of the changes add new requirements, one of the updates makes a few concessions. If your auto dealership collects information from fewer than 5,000 consumers, you are exempt from providing written risk assessments and incident response plans. You are also exempt from having to report annually to your board of directors.
Computer Technology Management Services is a managed service provider that specializes in auto dealership compliance. We stick with you every step of the way to make GLB compliance easy. Let our consultants help you achieve compliance so you’re ready before the deadline hits.
Contact us today to learn more.
CTMS is a technology management provider based in Akron, Ohio. For years, our team has offered a variety of technical solutions for our partners in a wide range of industries. Our primary services are IT security, data backup, disaster recovery, and cloud computing, among a host of other IT consulting solutions.