Requirement of the Revised FTC Safeguards Rule
One of the revised Safeguards Rule's requirements is that a dealership designate a Qualified Individual. What does that mean, and who should it be?
To start, notice that the rule requires a qualified individual, not qualified individuals. There must be one person in the dealership (or dealership group) whose name is on the blame line. The buck needs to stop somewhere.
Having said that, it is a best practice to have a designated individual at each dealership location to oversee Safeguards compliance efforts at that store. But that person is not the Qualified Individual.
What Qualifications Are Needed?
What qualifies a person to be a Qualified Individual or QI? The primary qualification is the ability to oversee the organization's Information Security Program. The QI does not need to be a computer science major or IT professional. You don't need to know how to conduct a Network Vulnerability Assessment to ensure that one has occurred.
In fact, many of the necessary tasks can be performed by dealership employees or outside vendors such as Managed Service Providers. But the ultimate responsibility cannot be outsourced. It has to remain within the dealership or group in the person of the QI.
Certifying a Qualified Individual
Automotive Compliance Education (ACE) has created a Safeguards Specialist Certification. If your QI needs a framed qualification on the wall, this is it. It explains what a QI needs to know and do. Having at least one such certified individual at each location is itself a good Safeguard.