On Tuesday, November 15th, the FTC postponed enforcement of some, but not all, of the requirements of the revised Safeguards Rule. While you may be tempted to pause your compliance efforts, this extension is based on dealers who have already been working on compliance for 12 months, not those who have yet to begin the process. As a result, we urge all dealers to take action now, and here’s why:
Many of the rule’s most critical requirements are still due on December 9th. Cybersecurity measures such as continuous monitoring, security awareness training, and an information security program must be in place. Failing to implement these foundational elements will leave your dealership exposed to cyber-attacks and in violation of the law – leading to potential class action lawsuits should the noncompliance be discovered.
The key requirements that were postponed (MFA, Encryption, and Service Provider oversight) may take the most time to implement. Having breathing room is nice, but collecting service provider agreements and migrating email platforms to enable MFA and encryption take months, not days.
Finally – these safeguards protect you, the dealer, and your clients. There is no upside to your network being hacked or firing employees for clicking that phishing email that led to a breach. As CDK outlined in its annual report, the cost of a ransomware payout increased 17x in 2021, averaging $220,298 per incident and 16 days of downtime.
For these reasons and the fact that it’s the law, we urge every dealer to comply now. Reduce your risk of breaches, lawsuits, and financial loss, and let’s get back to selling cars.
For help with any of the Safeguards requirements:
What you need at a minimum to comply by December 9th:
Security Awareness Training for Employees
Continuous Monitoring
Unauthorized Activity Monitoring
Systems Monitoring and Logging
Data and Systems Inventory
Written Information Security Program
Secure Development Practices
Secure Disposal Practices
Change Management Procedures
Annual Report