Here are the last of the mandatory categories of Safeguards under the revised Rule:
When you no longer need customer data you must dispose of it in a secure manner.
Paper records should be shredded.
Electronic records should be deleted.
Used computers that contain customer data must be securely wiped before they are reused or discarded.
Data must be kept no longer than necessary.
The Rule would prefer that customer data be disposed of within 2 years, but it recognizes that data may be retained longer when required by law or when there is a legitimate business reason to do so. Retention periods are a good topic to discuss with your local counsel.
Change Management Procedures
Changes to a dealership’s IT infrastructure can introduce new risks, and those risks need to be identified and addressed. Change management procedures are how that is done. NADA included a sample policy in its Dealer Guide to the FTC Safeguards Rule, which is a good place to start.
Monitoring and Logging of Authorized User Activity
All system usage must be logged: authorized users’ activity must be recorded and unauthorized use must be detected. The Rule doesn't specify how dealerships must meet this requirement, but one way is to engage a Security Operations Center (SOC) to handle the task. That's what we use!