Free Safeguards Course Toolkit
The deadline for compliance with the Federal Trade Commission's (FTC) "Safeguards Rule" is June 9, 2023. CIADA is here to help you understand and meet that deadline. This checklist is designed to help automobile dealers on a budget comply with the FTC Safeguards Rule. However, the FTC is clear that larger organizations have more requirements based on their size. Whatever your size, do not just go out and buy a one-size-fits-all program: the FTC has been clear that a compliance program you do not actually follow offers you no protection from enforcement. You will want the following in place no later than June 9, 2023.
Register HERE for a Complying with the Safeguards Rule Class.
The original deadline for compliance was December 9th, 2022. The FTC extended that deadline to June 9th, 2023.
DISCLAIMER: This is not an official Safeguards Rule checklist. It is an outline and key-point summary to help you confirm that you are meeting the requirements. If your company needs actual cyber security services, please look at Comply Auto to make sure you are up to regulation.
The Rule requires financial institutions to ensure the security and confidentiality of customer information, to protect against anticipated threats to its security or integrity, and to protect against unauthorized access to that information that could result in substantial harm or inconvenience to a customer. "Customer information" covers any nonpublic personal information about a customer that is handled or maintained by or on behalf of your financial institution.
Written forms needed for this policy:
- Employee agreement to comply with policies and information security standards
- Written Vendor Agreement
A source for these policies can be found at FRSecure. You MUST follow the guidelines that YOU create, so be mindful of which policy you adopt and adapt it to YOUR business needs.
A Designated Qualified Person
A person who oversees, implements, and enforces the information security program that protects your business. No particular degree or field is required; the person can work at your company or for an affiliated service provider.
Use an automatically updating system so that you are always running the latest software. Also make sure the software can alert you to any newly discovered security risk.
Encryption for Consumer Information
The FTC says "Encryption means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material." Apply measures such as encrypting email, encrypting data exchanged with your vendors, and ensuring the devices your employees use are protected.
Policies and Procedures
The following policies and procedures should be developed, and if you hold information on more than 5,000 consumers, they must be written:
- A security risk assessment: You can’t formulate an effective information security program until you know what information you have and where it’s stored. After completing that inventory, conduct an assessment to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information. Among other things, your risk assessment must be written and must include criteria for evaluating those risks and threats. Think through how customer information could be disclosed without authorization, misused, altered, or destroyed. The risks to information constantly morph and mutate, so the Safeguards Rule requires you to conduct periodic reassessments in light of changes to your operations or the emergence of new threats.
- Incident Response Plan (Must Include Requirements at the bottom of this article): You should also consider state law which can be obtained by contacting your state association.
- Process for reporting breaches and safeguards-related items to the ownership at least annually.
Before anyone accesses your customers' private information, the Rule requires at least two authentication factors. An example would be first entering a password and then providing a second factor such as a biometric characteristic (face ID, fingerprint). The only exception is if your Qualified Individual has approved, in writing, the use of another equivalent form of secure access control.
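To make the two-factor requirement concrete, here is an added example (not code from CIADA or the FTC) of a login check that only succeeds when both a password and a time-based one-time code are correct. It uses a TOTP code (RFC 6238) as the second factor rather than the biometric the paragraph mentions; the user record layout, the `RFC6238_SECRET` test key and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

TOTP_STEP = 30    # seconds per code
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 100_000  # assumed work factor for the password hash


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // TOTP_STEP)


def verify_totp(secret: bytes, submitted: str, unix_time: int, drift: int = 1) -> bool:
    """Accept the current code and one step either side (clock drift), in constant time."""
    counter = unix_time // TOTP_STEP
    ok = False
    for c in range(counter - drift, counter + drift + 1):
        ok |= hmac.compare_digest(hotp(secret, c), submitted)
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enroll(password: str, totp_secret: bytes) -> dict:
    """Create the stored record for a user: salted password hash plus TOTP seed."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def authenticate(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; neither result is short-circuited so timing reveals nothing."""
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    code_ok = verify_totp(record["totp_secret"], code, unix_time)
    return pw_ok and code_ok


# Test key published in RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    rec = enroll("correct horse", RFC6238_SECRET)
    print(totp(RFC6238_SECRET, 59))                          # 287082 per RFC 6238
    print(authenticate(rec, "correct horse", "287082", 59))  # True: both factors
    print(authenticate(rec, "correct horse", "000000", 59))  # False: bad code
```

A real deployment would store the TOTP seed encrypted at rest and rate-limit code attempts, but the shape is the same: a knowledge factor and a possession factor, both checked before any customer record is returned.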
Security and Awareness Training
Provide your people with security awareness training and schedule regular refreshers. Insist on specialized training for employees, affiliates, or service providers with hands-on responsibility for carrying out your information security program and verify that they’re keeping their ear to the ground for the latest word on emerging threats and countermeasures.
Secure Data Destruction
Securely dispose of customer information NO LATER than two years after the most recent use of that customer's information. EXCEPTION: only if the Qualified Individual has approved, in writing, the use of another equivalent form of secure access controls.
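The two-year clock runs from the most recent use, so a disposal process needs every record's usage history, not just its creation date. The following is an added example (not CIADA's or any vendor's code) that computes each customer's disposal deadline and lists the records that are already due as of a chosen date. The `SAMPLE_RECORDS` data is constructed for the example, and the leap-day handling (a February 29 use date rolls to February 28) is an assumption about how you would interpret the deadline.

```python
from datetime import date

RETENTION_YEARS = 2

# Constructed sample: customer id -> dates on which that customer's record was used.
SAMPLE_RECORDS = {
    "C-1001": [date(2020, 3, 15), date(2021, 1, 10)],
    "C-1002": [date(2021, 8, 1)],
    "C-1003": [date(2021, 6, 9)],
    "C-1004": [date(2020, 2, 29)],  # leap-day edge case
}


def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 that does not exist in the target year becomes Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_deadline(use_dates: list[date]) -> date:
    """Deadline is two years after the MOST RECENT use, not the first."""
    return add_years(max(use_dates), RETENTION_YEARS)


def retention_report(records: dict, as_of: date) -> dict:
    """Per customer: the deadline, days remaining (negative = overdue) and whether it is due."""
    report = {}
    for cid, uses in records.items():
        if not uses:
            continue  # no recorded use: flag for manual review rather than guess
        deadline = disposal_deadline(uses)
        report[cid] = {
            "deadline": deadline,
            "days_remaining": (deadline - as_of).days,
            "due": deadline <= as_of,
        }
    return report


def records_due_for_disposal(records: dict, as_of: date) -> list[str]:
    """Customer ids whose retention period has ended on or before as_of."""
    return sorted(cid for cid, row in retention_report(records, as_of).items() if row["due"])


if __name__ == "__main__":
    today = date(2023, 6, 9)
    for cid, row in retention_report(SAMPLE_RECORDS, today).items():
        print(cid, row["deadline"], row["days_remaining"], "DUE" if row["due"] else "")
    print("dispose:", records_due_for_disposal(SAMPLE_RECORDS, today))
```

Run this on a schedule and feed the "dispose" list into whatever deletion or shredding procedure your program documents; keep the run output as evidence that the disposal requirement is being followed.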
Monitoring and Testing of Safeguards
Implement procedures and controls to monitor when authorized users access customer information and to detect when unauthorized users attempt to access it. Test your systems' ability to detect actual and attempted attacks. Testing can be done through continuous monitoring, annual penetration testing, vulnerability assessments, and system-wide scans.
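As an added illustration of what "monitor authorized access and detect unauthorized attempts" looks like in practice (this is example code, not from CIADA or any monitoring product), the script below runs three simple detection rules over a constructed sample of access-log lines: access by an account that is not on the authorized list, repeated login failures from one account and address within a short window, and a successful bulk export that should always be reviewed. The log format, the authorized-user list and the thresholds are all assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not from a real system): one event per line, key=value fields.
SAMPLE_LOG = """\
2023-06-01T09:15:02 user=jdoe action=LOGIN result=SUCCESS ip=10.0.0.5
2023-06-01T09:15:40 user=jdoe action=VIEW_RECORD customer=C-1001 result=SUCCESS ip=10.0.0.5
2023-06-01T22:03:11 user=guest action=VIEW_RECORD customer=C-1002 result=SUCCESS ip=198.51.100.7
2023-06-01T22:04:01 user=asmith action=LOGIN result=FAILURE ip=203.0.113.9
2023-06-01T22:04:09 user=asmith action=LOGIN result=FAILURE ip=203.0.113.9
2023-06-01T22:04:15 user=asmith action=LOGIN result=FAILURE ip=203.0.113.9
2023-06-01T22:04:21 user=asmith action=LOGIN result=FAILURE ip=203.0.113.9
2023-06-01T22:05:00 user=asmith action=LOGIN result=SUCCESS ip=203.0.113.9
2023-06-01T22:05:30 user=asmith action=EXPORT_RECORDS customer=ALL result=SUCCESS ip=203.0.113.9
"""

AUTHORIZED_USERS = {"jdoe", "asmith"}        # assumed: accounts approved for customer data
SENSITIVE_ACTIONS = {"EXPORT_RECORDS"}       # assumed: actions that always get reviewed
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=5)


def parse_line(line: str) -> dict:
    """'<iso timestamp> k=v k=v ...' -> dict with a parsed 'time' field."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["time"] = datetime.fromisoformat(ts)
    return event


def detect(log_text: str) -> list[dict]:
    findings = []
    failures = defaultdict(deque)  # (user, ip) -> recent failure timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev.get("user", "?")

        # Rule 1: any touch of customer data by an account not on the authorized list.
        if user not in AUTHORIZED_USERS:
            findings.append({"rule": "unauthorized_user", "user": user, "time": ev["time"],
                             "detail": f"{ev.get('action')} on {ev.get('customer')}"})

        # Rule 2: N login failures from the same account and address within the window.
        if ev.get("action") == "LOGIN" and ev.get("result") == "FAILURE":
            q = failures[(user, ev.get("ip"))]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > FAILURE_WINDOW:
                q.popleft()
            if len(q) >= FAILURE_THRESHOLD:
                findings.append({"rule": "repeated_login_failures", "user": user, "time": ev["time"],
                                 "detail": f"{len(q)} failures from {ev.get('ip')}"})
                q.clear()  # report once per burst, not on every further failure

        # Rule 3: successful bulk export is always worth a human look.
        if ev.get("action") in SENSITIVE_ACTIONS and ev.get("result") == "SUCCESS":
            findings.append({"rule": "sensitive_export", "user": user, "time": ev["time"],
                             "detail": f"{ev.get('action')} customer={ev.get('customer')}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["time"], f["rule"], f["user"], f["detail"])
```

The point of the sample is the structure, not the specific thresholds: the authorized list comes from your access-control records, the rules map to the threats in your risk assessment, and every finding is written somewhere your Qualified Individual reviews. Running a script like this against a known set of test events is also one cheap way to "test" that monitoring actually fires, as the section above asks.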
A System Ensuring Vendors Compliance
Establish a system for ensuring vendor compliance with their requirements to protect the data you share with them. You should send a questionnaire to vendors and review their controls.
- Make sure your contract indemnifies you from any breach of data that occurs due to the vendor.
- A tracking mechanism should be implemented that lists all vendors, contractors, and subcontractors and identifies those with access to business/confidential, sensitive, and protected information.
Make sure to create a written Incident Response Plan that covers the realistic "what if" scenarios for your business. This plan MUST cover:
- The goals of your plan;
- The internal processes your company will activate in response to a security event;
- Clear roles, responsibilities, and levels of decision-making authority;
- Communications and information sharing both inside and outside your company;
- A process to fix any identified weaknesses in your systems and controls;
- Procedures for documenting and reporting security events and your company’s response; and
- A post-mortem of what happened and a revision of your incident response plan and information security program based on what you learned.