top of page

Safeguards Rule Enforcement Extension


Deadline Extended


As you recall, the original enforcement date for the revised Safeguards Rule was December 9th, 2022. By the time you're watching this that day has passed. Fortunately, on November 15th, the FTC postponed enforcement of the revised rule.


Many dealers (probably most) took the news as allowing them to back-burner safeguards compliance. There are many dealers out there who are acting as if they don't need to think about safeguards compliance until June rolls around. Spoiler alert—bad idea. Did the FTC delay enforcement of all the rule's requirements? Or just a few? Sadly it was just a few. So if your dealership is not already in substantial compliance with the rule, you are on shaky legal ground.


The Rule's Requirements


Let's look at what the FTC actually postponed. Here's a list of the requirements dealerships must comply with under the revised Safeguards Rule.

  • Qualified Individual

  • Written Risk Assessment

  • Access Controls

  • Encryption

  • Training for Security Personnel

  • Incident Response Plan

  • Service Provider Oversight

  • Multifactor Authentication

  • Continuous Vulnerability Scanning

  • Data and Systems Inventory

  • Systems Monitoring and Logging

  • Continuous Monitoring

  • Unauthorized Activity Monitoring

  • All-Employee Security Awareness Training

  • Secure Development Practices

  • Safe Data Disposal Practices

  • Change Management Procedures

  • Written Information Security Program (WISP)

  • Written Annual Report

Postponed Requirements


By my count, that's 18 items. Now here's a list of the requirements the FTC is postponed until June 9th, 2023. A delay of about six months:

  • Qualified Individual

  • Written Risk Assessment

  • Access Controls

  • Encryption

  • Training for Security Personnel

  • Incident Response Plan

  • Service Provider Oversight

  • Multifactor Authentication

As you can see that leaves the bulk of the requirements still subject to the December 9th enforcement deadline which as I said is now in the past.


Get Started


So what's a dealer to do? The short answer is: get started. Get started on the items that are already required which is to say most of them and get started on the items that need to be completed by June 9th.


The one long lead-time item is overseeing your service providers. That's the one area dealers can't control. If you start right now there's no guarantee you'll be done by June 9th. You can ask your service providers to document their consumer data protection procedures. You can ask them, “pretty please,” but you can't make them do it. If they don't, you need to fire them and find service providers that will. But even that takes time. How do you get started? That would take more than 90 seconds to unpack so just download the white paper from the link below.






Comments


bottom of page