Employees are your biggest risk in data security. A well-trained employee is your best protection against attacks that come in through your own staff; an untrained employee is your worst nightmare.
What is Safeguards Training?
A great deal of consumer nonpublic personal information (NPI) flows through your dealership, and it’s up to you to protect it. To do this, your employees must be trained on the relevant aspects of the Safeguards Rule as it applies to their relationship with customer data in their role at the dealership.
The Federal Trade Commission considers failure to follow the Safeguards Rule to be a deceptive trade practice, with potentially devastating results for you and your dealership, so training employees to follow the Rule is paramount. Employees should take the time to read your dealership’s Information Security Program (ISP) or Safeguards Policy and should receive training that reflects your policies.
Mosaic has trained dealers and their employees on the Safeguards Rule for over 15 years. Our online, video-based, interactive training modules cover all the federal regulatory topics applicable to the retail automotive industry, but we have always put a particular emphasis on the FTC Safeguards Rule because of the ever-growing importance of protecting customer data and the fact that so many employees within the industry interact with sensitive customer data in the course of their job.
Mosaic’s Safeguards training covers the following topics and is broken down into several levels or “paths” depending on the role of the employee who will be taking the training.
All employees receive training on the following topics:
What is Non-Public Personal Information?
Recognizing NPI in the dealership
Employee responsibilities to protect customer data
Understanding your dealership’s computer network and how to safely use it
Internet safety, including password best practices and how to identify and avoid phishing email attacks
GMs, Ownership, and Compliance Officers receive the above training along with training on the following topics:
Conducting a security risk assessment
Assessing risks of internet and phone sales
Storing nonpublic personal information
Conducting a network vulnerability assessment on your computer network
Understanding physical, technical, and administrative Safeguards
Identifying and overseeing service providers
Ensuring service providers comply with the Safeguards Rule
Testing your Safeguards Program for effectiveness
Reviewing your Safeguards Program
Auditing your Safeguards Program
Obtaining a contractor to conduct a network vulnerability assessment
Reacting to data breaches
Handling employees after a data breach
Notifying affected customers after a data breach
Learning from a data breach
IT personnel and your Qualified Individual receive additional training, and the Qualified Individual receives ongoing monthly training updates to satisfy the ongoing training requirement of the revised FTC Safeguards Rule.
Unlike the original Rule, the revised Rule requires certain dealership employees to receive ongoing training that keeps pace with new threats to customer data as they evolve. Mosaic accomplishes this with monthly video update episodes, each coupled with a brief test that confirms the relevant employees understood the content. The completion records from this training roll up into the mandatory annual written report.
Mosaic is partnered with Automotive Compliance Education (ACE) to provide the ACE Safeguards Specialist Certification. This certification program is intended to address the Safeguards Rule’s requirement that dealers provide Qualified Individuals and IT personnel with “training sufficient to address relevant security risks.” It also supports awareness of the Rule’s requirements and compliance with its applicable terms.
What is a Qualified Individual?
The dealership must designate a single individual to fill this role and bear responsibility for the program. That person does not need to be qualified to perform every required task personally, but must be qualified to competently oversee that those tasks are performed and documented. The actual work may be performed by a third party, such as a Managed Service Provider (MSP), but responsibility remains with the designated dealership representative.
The FTC Safeguards Rule requires your dealership to conduct a risk assessment, design and implement a safeguards program, train your employees regularly on safeguards, oversee your service providers, and regularly test the effectiveness of your program’s key controls, systems, and procedures.
The Safeguards Rule does not require the Qualified Individual to perform these tasks personally; an outside consultant can do them. But the Qualified Individual is responsible for either doing the work or seeing that it is done right. This person should therefore have a very good understanding of the Rule's requirements, your dealership's Safeguards Program, and emerging threats.
The revised Safeguards Rule requires enhanced training of all dealership employees, with particular emphasis on IT workers and the dealership’s Qualified Individual. To meet this need, Mosaic offers its award-winning training program that addresses the Rule’s requirements and the NADA approach to addressing those requirements.
Do I need to train all my employees?
Yes. Employees are your biggest risk in data security. Phishing emails carrying malicious attachments or links to malware-hosting websites, and spoofed calls or texts that ask an employee for a password, are among the most common ways attackers gain initial access to your systems.
Employee education on best Internet practices (not clicking on unexpected links or attachments, not using Web-based email on dealership networks, monitoring for spikes in user access to NPI, and so on) is critical. A well-trained employee is your best defense against attacks that come in through your own staff; an untrained employee is your worst nightmare.
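The "monitoring for spikes in user access to NPI" practice mentioned above is the one item in that list that a dealership's IT staff or MSP can automate. The script below is an added example written for this page, not part of Mosaic's training or any dealership system. It assumes a hypothetical access log where each line holds a timestamp, a user name, an action, and a record id (the `view_npi` action name and the `cust-NNNN` record ids are assumptions), builds each user's average daily NPI view count from earlier days, and flags any user whose count on the day under review is both above a minimum volume and several times that baseline. The sample log it runs on is constructed inline.

```python
"""Flag users whose NPI record views spike above their own daily baseline.

Added example for the Safeguards training page above; the log format,
the ``view_npi`` action name and the record ids are assumptions.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta


def make_sample_log():
    """Build constructed sample log lines (not real dealership data).

    Format per line: ``<ISO timestamp> <user> <action> <record id>``.
    """
    # Per-user NPI view counts for 2024-03-01 .. 2024-03-04 (constructed).
    profile = {
        "jsmith": [5, 4, 6, 60],     # normal for three days, then a burst
        "adouglas": [6, 7, 8, 8],    # steady, should not be flagged
        "newhire": [0, 0, 0, 25],    # no history, sudden volume on day four
    }
    lines = []
    record = 1000
    for user, per_day in profile.items():
        for day_offset, n in enumerate(per_day):
            day = date(2024, 3, 1) + timedelta(days=day_offset)
            for i in range(n):
                record += 1
                lines.append(f"{day}T09:{i % 60:02d}:00 {user} view_npi cust-{record}")
    # Non-NPI activity and a malformed line; neither may count as an NPI view.
    lines.append("2024-03-04T10:00:00 jsmith login -")
    lines.append("garbage line with two fields")
    return lines


def parse_line(line):
    """Return (timestamp, user, action, record) or None for a malformed line."""
    fields = line.split()
    if len(fields) != 4:
        return None
    try:
        ts = datetime.fromisoformat(fields[0])
    except ValueError:
        return None
    return ts, fields[1], fields[2], fields[3]


def daily_npi_counts(lines, npi_action="view_npi"):
    """Map user -> day -> number of NPI record views on that day."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the monitor
        ts, user, action, _ = parsed
        if action == npi_action:
            counts[user][ts.date()] += 1
    return counts


def find_spikes(counts, target_day, min_count=20, multiplier=3.0):
    """Return {user: (views on target_day, baseline)} for users whose volume
    on target_day is at least ``min_count`` and more than ``multiplier`` times
    their average on earlier days. Users with no history are compared against
    a baseline of one view per day, so a brand-new account that suddenly
    pulls many records is flagged too.
    """
    alerts = {}
    for user, per_day in counts.items():
        today = per_day.get(target_day, 0)
        history = [n for day, n in per_day.items() if day < target_day]
        baseline = sum(history) / len(history) if history else 0.0
        if today >= min_count and today > multiplier * max(baseline, 1.0):
            alerts[user] = (today, baseline)
    return alerts


def review_day(lines, target_day):
    """Convenience wrapper: parse the log and return the alerts for one day."""
    return find_spikes(daily_npi_counts(lines), target_day)


if __name__ == "__main__":
    for user, (today, baseline) in sorted(review_day(make_sample_log(), date(2024, 3, 4)).items()):
        print(f"ALERT {user}: {today} NPI views today vs. baseline {baseline:.1f}/day")
```

The thresholds (`min_count=20`, `multiplier=3.0`) are deliberately simple starting points; a dealership would tune them per role, since a finance manager legitimately opens far more customer records than a technician, and would feed the alerts to whoever the Qualified Individual has designated to review them.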