As many dealers are aware, the Federal Trade Commission (FTC) recently issued new requirements to its Safeguards Rule that take effect Dec. 9. The rule requires auto dealerships with more than 5,000 customer records in their database to develop, implement and maintain an information security program to protect customer information.
To help with compliance, many dealers have hired third-party service providers such as a DMS vendor, law firm or information technology (IT) firm to write, implement and supervise the required information security program.
However, many dealers are not aware that they cannot rely solely on third-party vendors to achieve compliance. The dealership must also designate a qualified employee to oversee the third-party provider. The employee does not have to hold a particular degree or title, but they do need to be aware of, and knowledgeable about, the Safeguards Rule in order to ensure that the dealership is compliant.
Section 314.4 of the new FTC rule states: “Designate a senior member of your personnel responsible for direction and oversight of the Qualified Individual” (if the Qualified Individual is employed by a third-party service provider).
This makes it clear that ultimately, the buck stops with the business owner. If a breach happens or there is a customer problem, a dealer cannot get off the hook by pointing a finger at the third-party service provider.
Additionally, it is the dealership employee’s responsibility to complete a risk assessment of every third-party provider the dealership uses. For example, if you hire a document shredding company, a risk assessment must be completed before that company takes any documents offsite.
The dealership employee is also responsible for enforcing the rule and training other employees on it. The dealership employee must also submit an annual written report to the governing body of the dealership.