There’s a great deal of interest and confusion among dealers regarding the new FTC Safeguards Rule. When working on compliance with the Rule, it’s helpful to remember the intention of the Rule. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said “financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it.” He went on to say that “the updates adopted by the commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”
The intention of the Rule is NOT to push organizations to accumulate a bunch of documents that simply show that they have a plan and a set of policies. The intention is that the plan and the policies be implemented so that they can in fact strengthen the organization’s cyber defenses. For instance, suppose a vulnerability assessment shows that an organization has obsolete hardware and unpatched software connected to their network. If the organization then revises their information security plan to include a procedure for regularly replacing obsolete hardware and patching software, then has the vulnerability been addressed? Assessments, plans, and policies are worthless unless they are put into action, monitored for performance, and regularly tweaked for improvement.
The steps that the FTC wants organizations to take to protect consumer data are not difficult. They’re a set of common-sense best practices that we’ve been pushing for years. But these practices aren’t something you set and forget. They aren’t a set of operations that can be magically implemented in a couple of days. There is no magic pill for complying with the intent of the new Rule.
In addition to a set of assessments and plans – which are all incredibly valuable – there’s a set of IT/cybersecurity operational functions that you must implement and manage in order to comply with the intent of the Rule. For dealerships to implement and manage these functions, you need IT and cybersecurity expertise coupled with an understanding of the business of selling and servicing cars and trucks. Some of the operational functions the Rule requires include the following:
- Continuous Monitoring – This is probably one of the most important requirements of the new Rule. Continuous monitoring is performed 24/7/365. It’s performed by skilled cybersecurity professionals leveraging a set of modern cybersecurity technologies. Now, you might think that the fact that this is 24/7/365 protection means that it is very expensive. If it were 2010, you’d be right. But today, any dealership can afford continuous monitoring. Since the Rule provides the option of either implementing continuous monitoring or performing an annual penetration test and semi-annual vulnerability assessments, you can affordably opt for continuous monitoring. Although penetration testing and vulnerability assessments are valuable, they are only a snapshot in time. We know that the best way to minimize the impact of an attack is to detect and stop the attack in its infancy. Early detection and swift mitigation require continuous monitoring.
- Qualified Individual – Those who developed the new Rule understand that cybersecurity is a rapidly evolving function that requires ongoing training and certification to remain proficient. Therefore, the new Rule requires the appointment of a “qualified” individual to oversee and implement your information security program. The Rule specifically states that “in order to effectively comply, an institution’s coordinator must have some level of information security training and knowledge.”
- Multi-Factor Authentication (MFA) – The deployment of MFA needs to be unique to your dealership. The implementation needs to take into consideration who has access to what and when that access is needed. You also need to consider the method of MFA you deploy. A staged and strategic rollout is essential.
- Data Encryption – The Rule requires dealers to encrypt data both in transit and at rest. Considering how, where, and when data is encrypted is important to avoid a detrimental impact on your dealership’s operations.
The list of operational functions above covers just some of the functions you need to meet the objectives of the new Rule. The takeaway here is that complying with the intent of the Rule is something we all must do to protect our businesses. Cybercrime isn’t going away – it’s ramping up. And although the work involved in achieving the FTC’s intent isn’t difficult, it is work that requires time, labor, and expertise. Unfortunately, there is no magic pill.