compliance feature
FTC Expands Data Security Requirements, Impacting Dealers
By Robert Ebin, Esq. and Emily Hartman

At the end of October, the Federal Trade Commission (FTC) announced its expansion of the Safeguards Rule to better protect consumer financial information from cyberattacks and security breaches. The amended Rule’s most significant requirements will take effect one year from the date it’s published in the Federal Register, which means dealers will need to comply likely by the fourth quarter of 2022. Here are five things you need to know.

Rule Expands Data Security Requirements for Written Programs

For background, the FTC created the Safeguard Rule as part of a directive from the Gramm-Leach-Bliley Act. The Safeguard Rule has been around since 2003, directing financial institutions, which includes dealerships that extend credit and lease terms, to develop and implement a written information security program.

The updated Rule includes much more detail about the required elements that must be included in an information security program, like addressing access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.

Identify One Qualified Individual to Oversee Data Security

The previous Rule allowed “an employee or employees” to take responsibility for the information security program, but the new rule requires only one “Qualified Individual.” This person must write an annual status report and provide it to the board of directors or the business’s governing body. The report must cover overall status updates of the program, compliance, and all security breaches or events that occurred in the past year.

If You Have Less Than 5,000 Customers, You Could Be Exempt From Some Requirements

There is an included exemption for financial institutions that collect data on less than 5,000 customers. These organizations are exempt from certain requirements, including the written risk assessment, incident response plan, and submitting the report to the Board of Directors.

The Definition of Financial Institution Is More Expansive

The Safeguard Rule applies to any financial institution, which includes dealerships that extend credit and lease terms. The updated Rule now includes any organizations participating in activities that the Federal Reserve Board identifies as incidental to financial activities. This change brings “finders,” or companies that bring together buyers and sellers, under the Rule. Additionally, several other definitions were directly added to the Rule from the Privacy of Consumer Financial Information Rule.

Open Comment Period: Should Organizations Report Large Data Breaches to the FTC?

On top of the updates, the FTC announced a 60-day open comment period regarding whether or not the Safeguard Rule should be further amended to require financial institutions to report to the FTC any data breaches or other security incidents that impact 1,000 or more customers’ information.

What Should You Do?

Continue to monitor for more information from the FTC. Seek out your legal counsel to review your current policies and procedures, help determine what changes you’ll need to make, and figure out how you’ll make them in the coming year.

KPA is Here to Help

If you use KPA’s Vera F&I software and services, our customer information security training and consultants are here to help ensure you and your employees understand these changes and how they impact your business. Our Cybersecurity Training Package can help educate your employees on what to look for and prevent a data breach before one occurs.

6 | MIDATLANTIC DEALER NEWS | MIDATLANTICAUTODEALERSUNITED.ORG • FEBRUARY 2022