What Used Car Dealerships Must Do to Comply With New FTC Requirements

September 16, 2022| Zach Klempf

Automotive dealerships will need to start planning right away if they want to comply with the new FTC regulations. The FTC recently released new regulations requiring dealerships to set up a security program that protects sensitive customer data. The Safeguards Rule was created to ensure that businesses that manage customer data, especially financial data, defend their data against misuse or data breaches, and prevent customer identity theft. This new regulation is a significant challenge for many dealers since it calls for them to do more than just secure their existing dealership data; it also calls for them to take measures against insider threats and assess the dangers posed by unauthorized users of their technology.

As part of the requirements for the upcoming deadline, dealerships must put eight (8) separate measures into place:

1. Dealerships are required to designate an individual who will be in charge of managing the dealership's information security program. This individual should be in charge of making sure that the IT Department or outside vendor follows these procedures.

2. The dealership information security program must be continuously updated and enforced using the results of periodic risk assessments. These risk assessments must be documented in writing.

3. The dealership must establish safeguards for client information to manage the risks outlined in the risk assessments.  Access controls, system inventory, encryption, secure development practices, multi-factor authentication, disposal procedures, change management procedures, and activity tracking for authorized users are a few of the security measures that must be in place. Importantly, the FTC Safeguards Rule's definition of "client information" is extremely broad, so it is best to treat whatever information a client provides—especially sensitive information such as their contact and social security details.

4. Continuous monitoring, annual penetration testing, and bi-annual (every six months) vulnerability assessments are all required for assessing information system vulnerabilities.

5. Dealerships must put policies and procedures in place to ensure that employees are properly implementing and carrying out the information security program. 

6. Dealerships must ensure that service providers or other parties who have access to company information uphold security measures that are consistent with the dealership's information security program and routinely evaluate the extent of their access to such information.

7. The procedures to be done in the event of a breach of information systems or exposure of client information that the dealerships maintain must be laid out in a written incident response plan that the dealerships must develop and implement. The plan should specify the roles and duties of decision-makers in managing the crisis and provide rules for internal and external communication and information exchange.

8. The designated Individual shall report in writing, at least annually, to the board of directors or an equivalent governing body of the dealership, the status of the dealership's information security program; compliance with FTC Safeguard; and any significant events relating to the security of information systems and the implementation or enforcement of the dealership's information security program.


Violations of the requirements of FTC Safeguards may result in consent decrees with the FTC (a monitored, strictly-managed settlement agreement where the FTC periodically evaluates the dealers compliance), fines for violating a consent order, and increased enforcement by the FTC.


Many dealers may find it difficult to understand this because they never anticipated having to adhere to such rules. Thankfully, it is possible to implement the necessary safeguards without placing a significant burden on the dealers. Automotive cloud-based dealership software providers with data protection models will assist in compliance with these new FTC standards. The data stored in cloud-based dealership software may be safer than the data stored on a computer's hard drive like many legacy auto software applications. Even the way we communicate and save information has been completely reimagined by the cloud. It has enabled us to move past the restrictions imposed by using a physical device and unlocked a completely new level of data storage and protection. This makes cloud-based dealership software providers essential in helping used car dealers comply with the increasingly strict data security and privacy standards.

In addition to keeping compliance in mind, the data protection program will also build customer trust and confidence in providing information. And the earlier a dealer implements this, the safer their customers and business will be from misuse, data breaches, and identity theft. Regardless of their business size or circumstances, all dealers must comply with these new regulations on or before the December 9th deadline. This is a critical issue that dealers need to focus on to avoid getting penalties and ensure the continuity of their business.


Selly is here to help independent dealers work their way toward complying with these new requirements with our cloud-based CRM technology. See our system in motion here.

Tags: compliance dealership compliance dealerships FTC data protection cybersecurity

Discover how
to increase
sales 30%

and give your dealership that extra edge!

WATCH DEMO
Download the Guide: Automotive CRMs for Used Car Dealers