Information security rules and regulations are constantly changing to keep up with the increasing need to strengthen security measures and protect sensitive data and critical systems. The Federal Trade Commission’s (FTC’s) Safeguards Rule is no exception. In addition to preserving the flexibility of the original Safeguards Rule, the updated Safeguards Rule provides more structured guidance for organizations and reflects the core data security principles that businesses must implement.

According to a report, personally identifiable information (PII) was the most common type of record lost in 44% of breaches. Any security breach leaking PII — including access to personal details like images, account numbers, names, addresses, dates of birth, driver’s license details, and credit card information — leads to identity theft and legal complications.

This article focuses on explaining the intricacies associated with the new Safeguards Rule – especially as it relates to the automotive industry – whom the mandate applies and how to collaborate with reputable cybersecurity partners to implement the security and privacy requirements mentioned in the mandate.

What are the Safeguards Rule, and to Whom Does it Apply?

The main objective of the FTC’s Safeguards Rule is to ensure that entities have adequate security measures to protect their customers’ information. Although the Safeguards Rule has been in action since 2003, the FTC amended it in 2021 owing to public comments and reviews of customers and businesses on the national forum. As a result, the recently updated FTC Safeguards Rule mandates strict information security protection for all consumers.

At its core, the Safeguards Rule protects consumer data, especially financial information. As far as the Safeguards Rule is concerned, any entity that engages in a financial transaction is considered a ‘financial institution,’ and this FTC mandate applies to them.  For example, a transportation or automotive company that leases vehicles for longer than 90 calendar days is considered a financial institution because customer financial information is collected and held in the leasing business.

According to the Safeguards Rule, organizations that engage in financial transactions must strengthen and improve their information security posture, using proactive security tools and best practices to detect, prevent, and mitigate security incidents. In addition to implementing the changes to protect consumer data, non-conventional financial institutions like auto dealerships must conduct occasional security awareness training and third-party audits to ensure continuous privacy and security compliance.

Understanding Key Updates in the New Safeguards Rule

The amendments to the FTC Safeguards Rules respond to recent high-profile data breaches that continue to impact the supply chain of businesses linked to US critical infrastructures. The updated mandate requires that companies that collect and hold customer financial data in the automotive industry, for example, must satisfy specific technical, procedural, and personnel security requirements — irrespective of their size, systems, types, or the scope of the data they maintain.

For businesses like auto dealerships, the new changes in the Safeguards Rule imply that, in addition to developing safeguards for normal business operations, the dealers must ensure that third-party service providers, suppliers, and other affiliates also comply with the security and privacy measures required to protect the customer information they possess.

In addition, the updated Safeguards Rule prioritizes ongoing data security practices, such as security monitoring, gap assessments, vulnerability management, supply chain risk assessments, etc. Businesses subject to this FTC mandate must audit their suppliers and vendors to ascertain security compliance because failure to comply will result in penalties or fines (for all parties involved) if a security breach occurs.

Below are five significant changes to the Safeguards Rule:

1. First, the new Safeguards Rule defines terms and provides relevant examples instead of incorporating the terms with a reference from the related FTC rule.
2. The present-day Safeguards Rule expands the definition of financial institutions to include ‘finders.’ Finders are businesses that process buyers’ and sellers’ information for processing a transaction.
3. The updated Safeguards Rule adds detailed requirements for developing and implementing a written information security program. The security program must include the scope for risk assessment, system access control, authentication, encryption, and mechanisms for ensuring service providers’ oversight and effectively training employees.
4. According to the updated Safeguards Rule, subject entities must appoint a qualified information security leader to lead the corporate information security program. That individual is responsible for submitting periodic reports to governing bodies, the board of directors, and other relevant parties interested in knowing the risk appetite and overall security posture.
5. Under the updated Safeguards Rule, subject entities collecting information on 5,000 or fewer customers are exempt from certain compliance requirements, including incident response planning, written risk assessments, and annual reporting to the board of directors.

Supporting the Efforts and Requirements for the Safeguards Rule

The changes in the Safeguards Rule focus on limiting access to customer information and ensuring that adequate measures are taken to protect sensitive data. For instance, the FTC mandate requires the implementation of frequent reviewing of account access controls, including physical, management, and technical controls. Some of the critical security controls required by the Safeguards Rule include:

1. Using encryption and multi-factor authentication on protected accounts.
2. Annual penetration tests.
3. Ongoing vulnerability scans and assessments.
4. Development, implementation, and testing of security policies and procedures.
5. Development and testing of incident response plans.
6. Security awareness training, including tabletop exercises and wargaming.
7. Data backups and change management processes.
8. Adopting secure code development practices for apps that transmit, store, and access sensitive customer information.
   • Application security experts must test these apps to ascertain their security posture and risk appetite.

Conclusion

From assessing the functionality of security controls to providing cybersecurity awareness training to employees, cybersecurity details are often overwhelming for unprepared organizations, especially those in fast-moving industries like the automotive industry. Therefore, collaborating with qualified cyber risk management partners to manage information security programs is critical to achieving compliance with the Safeguards Rule.

To ease some of the pressure associated with the implementation of the security requirements highlighted in the FTC’s Safeguards Rule, opting for a reliable cybersecurity service provider helps your organization to leverage the expertise required to help your organization develop a robust incident response plan, conduct risk assessments, prepare periodic reports, and provide employee training to enhance cybersecurity awareness across the organization. As a result, save time and cost and expedite the time-to-compliance by collaborating with GoldSky for your Safeguards Rule needs.