There’s some bad information floating around regarding the FTC Safeguards Rule, its intent, and cybersecurity best practice. The misleading information centers on the FTC’s use of the word “qualified,” and more precisely on the terms “qualified individual” and “qualified personnel.”
The claim that is spreading goes like this: because the FTC doesn’t specifically define what it takes to be “qualified,” it’s fine to make the logic leap that anyone can fulfill the FTC’s requirement for “qualified” personnel. But does this really make sense to you?
Think about the people who wrote the Safeguards Rule. Most likely, attorneys had a hand in crafting this regulation, and attorneys are extremely careful about the words they use. The Safeguards Rule uses the word “qualified” numerous times to describe the human resources required to devise, implement, and manage a “comprehensive information security program.”
The Oxford Dictionary’s definition of the word “qualified” is: “having passed the exams or completed the training that is necessary in order to do a particular job; having the experience to do a particular job.” This definition shouldn’t surprise anyone. It’s what most of us understand the word “qualified” to mean, and most likely it is what the attorneys crafting the Safeguards Rule had in mind when they chose it. If not, why use the word “qualified” at all to describe the personnel needed to implement a comprehensive information security program?
The FTC also provides some insight into its use of the word “qualified” when it says that “institutions must verify that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.” In other words, the FTC wants “qualified” people to remain qualified. If the FTC’s use of the word “qualified” weren’t in line with the Oxford Dictionary’s definition, why require the maintenance and verification of training and experience?
The FTC requires that “qualified” resources be responsible for overseeing and implementing your information security program. These qualified resources are also responsible for reporting to dealership management on cybersecurity vulnerabilities and devising a plan for addressing those vulnerabilities going forward. Is this something that just anyone in your dealership can handle?
The FTC’s decision to delay compliance with the new Rule was due in large part to a letter received from the Small Business Administration (SBA). The SBA argued that a delay was needed because “there is a shortage of qualified personnel to implement information security programs.” If anyone could wear the “qualified” hat, why would there be a shortage at all? The answer is that not just anyone can claim to be qualified, and pretending otherwise is simply not credible. Your dealership’s receptionist, porter, business development person, or anyone else in your dealership who lacks technical cybersecurity training and experience simply won’t satisfy the Rule’s requirement for “qualified” personnel.
It might seem easy and cost effective to play dumb and make the sketchy logic leap that anyone can be qualified since the FTC doesn’t specifically state which cybersecurity certifications are required, but this would be a grave mistake. If someone is telling you otherwise, they are misleading you. First, this kind of thinking will prevent your dealership from implementing an effective cyber defense. As a result, you risk falling victim to a successful cyberattack, with the financial and reputational damage, downtime, and legal liability that follow.
Second, imagine the embarrassment of trying to explain to the FTC, or to a judge, that your obligation to protect consumer information rests on the shoulders of someone who has no technical cybersecurity knowledge, training, or practical experience. When someone says “qualified,” you know what they mean. Do the right thing.