FTC Cyber Regulation Changes for Auto Dealerships

Published July 27, 2022

The Federal Trade Commission (FTC) has introduced new cybersecurity standards that auto dealerships must implement by December 9, 2022. The cybersecurity landscape has drastically changed, and bad actors are continuously finding new ways to steal critical information. While auto dealers may be familiar with the Gramm-Leach-Bliley Act (GLB Act), which requires auto dealers to introduce risk assessments and information security programs, recent changes to the Act require auto dealers to make critical changes to their cybersecurity and information technology programs.

Background Information

The GLB Act has been in effect since 2001, addressing concerns of consumer financial privacy. The Act originally limited the amount of nonpublic personal information shared with third parties and required companies to notify their customers of their practices and inform them of their right to opt out. Recently, the FTC amended the Act to keep up with new technologies and security threats. This ruling holds auto dealers and financial institutions to a higher standard and will require these institutions to make changes to their documentation and security tools, as well as to the requirements surrounding responsibility for their processes.

To help you understand the new responsibilities required of auto dealerships, we have summarized the FTC’s ruling below:


Dealerships will now be responsible for creating and following IT general controls. This includes conducting a risk assessment, implementing safeguards to control risks, regularly monitoring and testing the effectiveness of your safeguards, updating and reporting your documentation, and writing an incident response plan. While this might sound like a tedious process, these documents allow for quicker and more consistent responses to problems going forward.

Some things that need to be covered in these documents include, but are not limited to, who has access to data, the retention policy for data, access controls, and an inventory of systems. These documents need to be reviewed and updated on a regular basis to ensure security, and reported to a board of directors or governing body.


Protecting your data by creating and implementing safeguards to control risks is an important part of your information security process. Auto dealers will be required to:

  • Implement and review access controls
  • Create an inventory of data and note where it is collected, stored, or transmitted
  • Encrypt customer information
  • Evaluate the security of apps
  • Implement multifactor authentication for anyone who accesses customer information
  • Ensure customer information is being disposed of securely
  • Evaluate changes that need to be made to the network
  • Maintain a log of users’ activity and monitor for unauthorized access

Testing your protection is key. Continuous monitoring tools are needed on devices, as well as annual penetration testing and vulnerability assessments as part of the reporting process. Verification is not just the responsibility of the IT department. All employees should be required to receive training year-round on data protection, and these results should be collected and reported.

Service providers also play a large role in protecting your data. You must make your security expectations clear, hold them to your standards, and document who has access. For example, if you have a third-party warranty vendor that receives data, they will need to be validated.

Some upgrades might be necessary to keep your company secure, such as multifactor authentication across all platforms that house data, data encryption so that client information cannot be intercepted through unauthorized access, and access control systems. Companies might also consider installing applications that allow monitoring of suspicious network activity and file access or movement. These upgrades will make sure only those who need access to the data will have it and alert you when someone else attempts to access it.


According to the Act, eligible entities that collect information on fewer than 5,000 consumers are exempt from the following requirements:

  • Written risk assessment
  • Incident response plan
  • Reporting annually to the board of directors


The Safeguards Rule requires a designated employee or contractor to implement and oversee the security program. There are no specific requirements for a “qualified individual”; however, they must know the company and the circumstances that surround it. They are required to report findings to a board of directors or governing body at least once per year.

We’re here to help.

Auto dealers now must make IT security a priority, and our team can help. MCMTS is experienced in auto dealership cybersecurity and can create a custom plan to confirm your business meets the compliance standards. The December 9, 2022 deadline will be here before we know it, and it’s critical to begin making changes now. If you would like more information, visit the FTC’s website or reach out to Jim Kramer, MCM Technology Solutions Partner, at JKramer@MCMTSG.com or by phone at 502.882.4348.



Source:  https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know, https://www.ftc.gov/