FTC December 9, 2022 Deadline...Extended (At Least Part Of It!)
Dealers are feverishly working on a mandate from the Federal Trade Commission (FTC) to comply with new standards to keep their customers’ information safe.
Many of the new standards are set to go into effect on December 9, 2022. The Small Business Administration’s Office of Advocacy recently wrote a letter to the FTC requesting an extension of the deadline, arguing that it was necessary due to a shortage of professionals to help financial institutions, including dealers, implement security programs. The extended deadline is now June 9, 2023.
This is great news for dealers; however, they should “keep their foot on the gas” since June 9, 2023 will be here before we know it. The provisions of the rule that were specifically extended to June 9, 2023 include:
- designate a qualified individual to oversee and implement your information security program;
- develop a written risk assessment;
- limit and monitor who can access sensitive customer information;
- design and implement a program that identifies and manages data, personnel, devices, systems and facilities;
- encrypt all sensitive information;
- adopt practices to ensure in-house developed applications used to transmit, store or access sensitive information are secure and test externally developed applications for security;
- implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information;
- develop procedures that address securely disposing of sensitive information;
- adopt procedures for change management;
- train security personnel;
- implement policies and procedures designed to log activity of authorized users and detect unauthorized access to information;
- develop an incident response plan; and
- periodically assess the security practices of service providers.
Provisions of the rule that were not extended and are still due December 9, 2022 include:
- periodically reexamine whether or not customer information is secure;
- regularly test or otherwise monitor the effectiveness of your safeguards’ key controls;
- take reasonable steps to only work with service providers that are capable of securing customer information;
- require service providers to maintain safeguards over customer information to which they have access; and
- evaluate and update your program based on the results of your testing and monitoring.
Again, June 9, 2023 will be here before we know it. We highly recommend that you keep your momentum and continue working on this program.