At Black Hills Information Security (BHIS), we deal with all manner of clients, public and private. Until a month or two ago, though, we’d never dealt with a car dealership. But in the past few weeks, we’ve spoken to several dealerships.

What’s up?

Turns out that the US Federal Trade Commission (FTC) has ruled that auto dealers are now subject to the Gramm-Leach-Bliley Safeguard Rule. As of June 9, 2023, the rule applies to car dealers. The purpose of the Rule is to require financial institutions to take steps to ensure the security of consumer data they possess. What’s new is the fact that car dealerships in possession of 5,000 or more potential customer records are now considered “financial institutions.” If you’ve been in business for any length of time and sell more than a few cars a month, you’re subject to the new rules.

But what do you have to do to be in compliance?

Nothing more than follow basic industry best practices for data security: implement an Information Security program to safeguard customer data. Section 314.4 outlines what your Information Security program must contain. There are nine requirements.

You must:

Designate a Qualified Individual to oversee the program. This person can be an employee, a contractor, or a vendor.
Base the program on a written risk assessment. The risk assessment should include an honest evaluation of the adequacy of your current security posture.
Implement controls to mitigate the risks identified. In most cases, the expectation is that Multi-Factor Authentication is in place for all systems.
Evaluate the effectiveness of your controls through penetration testing.
Require that any third-party vendors you work with comply with sound security practices.
Keep your Information Security Program up to date as your technology posture changes, and especially in light of results of the penetration testing described above.
Maintain a written Incident Response (IR) Plan. An IR Plan outlines steps to be taken in the case of a data breach or other data security incident.
Have the Qualified Individual report status to senior leadership on at least an annual basis.

Those institutions not in compliance are subject to fines levied by the FTC.

If you’re an auto dealer dipping into cybersecurity for the first time as a result of these new rules, your head may be swimming. Just remember that these are basic industry security practices that all but the smallest businesses are beginning to roll out. As such, free and low-cost resources to help organizations such as yours are plentiful.

BHIS can help!

Some related BHIS content:

Making Compliance Suck Less | John Strand | BHIS Nuggets – YouTube

AASLR: Intro to Tabletop Exercises & IR Playbook Fun (*Non-Denominational Winter Holiday Version) – YouTube

If you have further questions around compliance, feel free to reach out to [email protected].

Why Do Car Dealers Need Cybersecurity Services?