90 Second Safeguards

Why Comply with the Revised Safeguards Rule? The original rule became law in 2003 and saw very little enforcement in the years since. Many dealers essentially ignored it with little consequence. But that's why the rule was revised.

One of the revised Safeguards Rule's requirements is that a dealership designates a Qualified Individual. What does that mean and who should it be?

Once a QI has been designated, that person’s first task should be to conduct a Risk Assessment. A Risk Assessment is an evaluation of the internal and external risks to the security and integrity of data on a network.

A Risk Assessment should tell you what needs to be done. Implementing Safeguards is the doing. Some Safeguards are mandatory. The ones I consider most important include...

Let's continue with the list of mandatory safeguards...

Here are the last of the mandatory categories of Safeguards under the revised Rule...

Regular testing and evaluation of your Information Security Program is a must. Of all the safeguards the Rule mandates, this one may do the most to actually protect customer data – if it’s done right.

The greatest threat to customer data security is located between the monitor and the chair – in other words, your own employees.

The Safeguards Rule requires you to oversee your service providers. In this episode Jim discusses this requirement and its four subparts.

What do you do in the aftermath of a “security event” – anything that results in unauthorized access to or misuse of an IT system and its contents?

As you recall, the original enforcement date for the revised Safeguards Rule was December 9th, 2022. By the time you're watching this that day has passed. Fortunately, on November 15th, the FTC postponed enforcement of the revised rule.