Privacy & Information Security Law Blog

On June 16, the Federal Trade Commission (“FTC”) provided guidance on the updated Safeguards Rule (the “Rule”), and its application to automobile dealers, by releasing a series of Frequently Asked Questions.  The Rule was originally enacted in 2003 and serves to implement the requirements of the Gramm-Leach-Bliley Act.

The FTC’s recent guidance follows the Rule’s amendments in 2021 and 2023, which tailored the Rule to stay current amidst technological developments.  On December 9, 2021, the FTC issued final amendments to the Rule requiring covered businesses to have a written information securities program to protect customer information.  On November 13, 2023, the FTC issued final amendments to the Rule, requiring covered businesses to report certain data breaches and security incidents involving customer information. 16 CFR 314.2 defines customer information as “any record containing nonpublic personal information [(i.e., personally identifiable financial information)] about a customer of a financial institution.”

The FAQs clarify that “[a]utomobile dealers who finance (or facilitate the financing of) automobiles for consumers are financial institutions for purposes of the Safeguards Rule, since lending money is considered a financial activity under the relevant federal law.” 

At the center of the FTC’s recent guidance and FAQs on the Safeguards Rule is an effort to facilitate the development, implementation, and maintenance of security programs for automobile dealers, including guidance on what to report when—despite those security programs—a breach incident occurs.

As stated in the FAQs, security programs developed and implemented by covered businesses should be designed to ensure:

• the security and confidentiality of customer information;
• protection against anticipated threats or hazards to the security or integrity of the customer information; and
• protection against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to the customer.

Both the FAQs and the text of the amended Rule outline ten elements that businesses should adhere to as a step towards compliance.  Businesses are not required to implement all ten elements, and are expected to tailor their security programs to their assessed level of risk exposure.  The following elements, introduced over the course of the 2021 and 2023 amendments, are the focus of the FTC’s recent guidance and FAQs:

• Design and implement the following safeguards (as is reasonably necessary based on the results of the business’s risk assessment) to comply with the Rule’s amended requirement to have a written information security program:
  • implement and periodically review access controls to customer information;
  • identify and manage the data, personnel, devices, systems, and facilities based on their importance to business’s objectives and risk strategy;
  • encrypt all customer information to enhance security;
  • adopt secure development practices for applications developed in-house for the purpose of transmitting, accessing, or storing customer information, and implement procedures to assess the security of external applications used for the same purposes;
  • implement multi-factor authentication (MFA) for any individual accessing any information system;
  • securely dispose of customer information no later than two years after the last date the information was used in connection with legitimate business purposes, and periodically review the business’s data retention policy to minimize unnecessarily retained data;
  • adopt procedures for change management; and
  • implement procedures to monitor and log the activity of authorized users and detect unauthorized access to or use of customer information.
• Notify the FTC of data breach incidents—defined as unauthorized access to the unencrypted information of at least 500 customers—as soon as possible and no later than 30 days after the discovery of the incident. “Discovery” means the first day that the breach incident is made known to the business (including its officers, employees, and other agents).  The notice must be submitted to the FTC via a form on its website, and shall include the following information:
  • name and contact information of the reporting financial institution;
  • description of the types of information involved in the breach incident;
  • date or date range of the breach incident, if possible to determine;
  • number of affected individuals;
  • general description of the breach incident; and
  • whether delay of notification is necessary to avoid impeding a criminal investigation.

To read more about the amendments to the Rule, see our posts covering the 2021 amendment and the 2023 amendment.