FTC Safeguards

FTC Safeguards Rule

The Federal Trade Commission’s (FTC’s) Safeguards Rule governs the safeguarding of non-public customer information:

Non-public customer information is defined in the rule as any information that a customer provides to the dealership in connection with a financial transaction.

Public customer information, by contrast, is defined as any information that is publicly available from a government organization, widely distributed in media such as the phone book or the Internet, or otherwise readily available to the public.

The Rule authorizes the FTC to impose fines on dealerships for non-compliance. The maximum fine is $11,000 per day per occurrence, and the required compliance date was May 23, 2003. To avoid fines, dealerships must comply with the rule’s five elements:

  1. The dealership must assign a program coordinator to be responsible for overseeing compliance with the rule. The program coordinator must be a dealership employee or a committee of dealership employees. Additionally, the coordinator should be someone who is in a position of authority, understands the operations of the various departments within the dealership, and is able to carry out the responsibilities of the position. Likely candidates include the controller, general manager, and finance director.
  2. The dealership must perform a risk assessment. The assessment should identify the dealership’s policies and procedures that relate to the collection, processing, storage, and disposal of customer information, and the risks to that information at each stage. Additionally, the assessment must cover several functional areas of the dealership: employee training and management; information systems; and attacks, intrusions, and other system failures.
  3. The dealership must develop an information security program and document it in writing. The program should state the dealership’s policies regarding the collection, processing, storage, and disposal of customer information. Additionally, it should address every risk identified in the risk assessment, and it should meet three objectives: ensure the security and confidentiality of customer information, protect against anticipated threats or hazards to customer information, and protect against unauthorized access to customer information.
  4. The dealership must oversee its service providers. The dealership is responsible for its interactions with third parties that have access to the dealership’s customer information, whether directly or indirectly. (E.g., direct access occurs when the dealership faxes a credit application to a bank; indirect access occurs when the dealership gives its cleaning company access to a room that contains unsecured customer information.)
  5. The dealership must update and maintain its information security program and train employees on it. Whenever there is a material change to the dealership’s operations, an update is mandated. Additionally, whenever a court or other governmental agency issues a new interpretation of the rule, dealerships should review their programs for accuracy. Maintaining the program means ensuring that its policies are followed. Dealerships maintain the program by monitoring and testing the policies on a regular, periodic basis, documenting the results, and taking appropriate corrective action where deficiencies are noted. Dealerships accomplish training by holding initial training sessions to introduce the FTC’s rule and the policies in the dealership’s information security program that implement it. Additionally, dealerships should offer annual training to increase awareness and update employees on changes to the dealership’s policies, and they should require new hires to review the dealership’s information security program upon hiring.

Meeting the above elements requires an initial outlay of significant resources (i.e., someone’s time) and, to ensure continued compliance, an ongoing dedication of those resources. Many dealers originally decided to use internal resources to comply with the rule; however, they quickly realized those resources were not available because of lean operations. For these dealerships, an accounting firm, law firm, or consulting firm can provide the solution. For dealerships that have used internal resources to meet the initial requirements, an outside review can offer added assurance and help fine-tune the dealership’s program so as to further limit its liability.