In 2021, the Federal Trade Commission (FTC) revised its “Standards for Safeguarding Customer Information” (the “Safeguards Rule”). The Safeguards Rule applies broadly to all financial institutions, including dealerships and other entities that provide or facilitate financial services. The Safeguards Rule requires dealerships to develop, maintain, and implement an information security program to protect customer information. The deadline for complying with the revised requirements of the Safeguards Rule is Friday, June 9, 2023.
The revised Safeguards Rule requirements include the following:
1. Designation of a “qualified individual” to oversee the information security program.
2. Preparation of a written risk assessment, information security program, incident response plan, and reports to a board of directors about information security.
3. Implementation of IT requirements including encryption, multifactor authentication, and systems monitoring.
4. Development and monitoring of controls over access to customer information, and of procedures for disposing of customer information.
5. Training for employees.
6. Periodic review of the security practices of service providers.
Knowing what type of customer information is covered under the Safeguards Rule is key for compliance. The Safeguards Rule defines “customer information” to mean “any record containing nonpublic personal information…whether in paper, electronic, or another form, that is handled or maintained by or on behalf of you or your affiliates.” The FTC has interpreted this broadly to mean nearly any information you collect from or about a customer. This means that the Safeguards Rule extends far beyond just credit card information and Social Security Numbers. Out of an abundance of caution, we highly suggest that you treat the Safeguards Rule as covering all customer-related information in your control or possession, whether it is on a dealer-owned computer or on your salesperson’s personal cell phone.
One issue that is often overlooked is an employee’s ability to access customer information onsite and offsite. For example, many dealerships allow their employees to access the customer relationship management (CRM) system via an application on their personal device(s) and/or offsite. However, such access may violate the Safeguards Rule. Dealers should strongly consider removing employee access to the CRM system from employees’ personal cell phones and/or devices. Further, employees should not use their personal devices to contact customers. Rather, such contact should take place via company phones onsite.
To the extent a dealership must communicate with customers after-hours, dealerships should designate a small number of employees to have access to company-owned cell phones equipped with “wipe clean” software. The dealership should also keep a log of when company devices are taken off the property.
These are just a few of the changes that dealerships may need to make to comply with the Safeguards Rule before Friday, June 9, 2023. To the extent you have additional questions, we recommend that you connect with your legal counsel and/or information technology partner to evaluate the best solution to fit your needs.