The FTC has made the first update to the GLBA Safeguards Rule in 20 years. Do you know what it means for your automobile dealership in Virginia?
In October 2021, The FTC finalized its revisions to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (“Revised Rule”). This is the first update to the rule in the 20 years since it was first issued.
The update now requires certain classifications of financial institutions to implement written information security plans, and follow other compliance measures to ensure that consumer information is properly protected.
If you need assistance with compliance for your auto dealership, book a meeting with the HRCT team.
How Is The Safety Rule Being Revised?
In what is essentially an extension of the compliance measures that already apply to conventional financial institutions like banks, the FTC is naming automobile dealerships as “non-banking institutions”.
That means that auto dealers need to begin complying with a range of measures listed under the Revised Rule within 30 days of the Federal Register publication. If you are not yet compliant, you need to start the process right away to avoid any penalties or consequences.
How To Comply With The Revised Rule
- Develop and report on an Information Security Program (ISP).
- Select a “Qualified Individual” to oversee your ISP.
- Implement a written “Incident Response Plan”.
- Perform written risk assessments on a regular basis.
- Encrypt all data in transit and at rest.
- Implement Multi-Factor Authentication (MFA) for all systems that access customer nonpublic personal information (NPI).
- Implement a data retention policy; dispose of NPI within two years of the end of a customer relationship (unless doing so conflicts with state or federal law).
- Maintain procedures for IT “change management”.
- Monitor and log activity to detect unauthorized use or access of customer information.
- Continuously monitor for cybersecurity threats.
- Perform “security awareness” training for all employees.
- Verify your vendors’ physical and technical safeguards
Your Key Compliance Considerations
Written Risk Assessment
Your written risk assessment must include:
- Criteria for identifying and addressing known cybersecurity threats
- Criteria to evaluate the confidentiality, integrity, and availability of NPI
- An explanation as to how known risks are mitigated and addressed
Biannual Vulnerability Assessments
A vulnerability assessment is a full analysis of your IT infrastructure’s performance and potential security vulnerabilities.
It examines all components of your network and how they are used by your staff to determine your degree of security. By assessing for gaps and misconfigurations, we work with you to reduce the risk of cyber-attacks.
A vulnerability scan will find:
- Known software vulnerabilities
- Insecure configuration within networks and systems
- Default or weak passwords
- Web application vulnerabilities
- Information leaks
MFA protects accounts by requiring the user to utilize two methods to confirm that they are the rightful account owner. The one you use is typically your username and password, which is something you know. The other could be:
- Something you have. A cellphone, keycard, or USB could all verify your identity.
- Something you are. Fingerprints, iris scans, or some other biometric data.
Make sure that any vendors with access to NPI also have MFA implemented on their systems.
Annual Penetration Testing
The penetration test is an authorized attack on your organization’s technology and staff and is one of the best ways to accurately evaluate your security controls. In combination with a red team exercise (in which a full-scope attack simulation is executed to test organizational security), you can double-check each and every aspect of your cybersecurity posture.
Incident Response Plan
An Incident Response Plan provides the plans, procedures, and guidelines for the handling of data breach events at your office(s), or via any of our servers or mobile devices.
The plan encompasses procedures on incident response engagement and how the incident response team will communicate with the rest of the organization, with other organizations, with law enforcement, and provides guidance on federal and local reporting notifications processes.
This plan is necessary to clarify the roles and responsibilities of your employees so you can quickly mitigate risks, reduce the organization’s attack surface, contain and remediate an attack, and minimize overall potential losses.
Don’t forget about your supply chain—all your vendors and business associates that access your NPI are subject to the same compliance systems that you are.
Service provider agreements are an important part of compliance for your dealership. These contracts should clearly outline a vendor’s responsibilities regarding your NPI and can pose a serious liability risk if the agreement isn’t negotiated effectively.
Any outside entity or individual that is charged with receiving, maintaining, creating, or transmitting NPI must be compliant and needs to have an agreement of their own in place with your dealership.
What Happens If You Don’t Comply?
In a nutshell, it will be expensive for you. Penalties can cost as much as $43,792 per violation.
Regardless of how much it may cost you to manage your compliance, it’s undoubtedly less than it would cost to pay for noncompliance.
HRCT Will Help You Manage Your Compliance
As you can see, failing to manage compliance is damaging and expensive.
That’s why you shouldn’t bother trying to oversee your compliance personally. You’re too important in your actual role in your business to split focus and risk overlooking something.
Let HRCT take care of it for you. Don’t put your compliance at risk—HRCT ‘s team of compliance experts is available to manage it for you.