
FTC SAFEGUARDS RULE: WHAT AUTOMOTIVE DEALERSHIPS NEED TO KNOW IN 2025

Prometheus Cybersecurity

The Federal Trade Commission's Standards for Safeguarding Customer Information, commonly known as the FTC Safeguards Rule (16 CFR Part 314), applies to financial institutions as defined under the Gramm-Leach-Bliley Act (GLBA) that fall under the FTC's jurisdiction. Automotive dealerships that extend credit or arrange financing for customers are financial institutions under that definition, and the customer nonpublic personal information (NPI) they collect in the process, such as credit applications and account numbers, is exactly what the Rule requires them to protect.

Why This Matters for Dealerships

Automotive dealerships handle large volumes of sensitive customer data: Social Security numbers, credit applications, bank account and payment card numbers, and driver's license details. The amended Safeguards Rule, published in December 2021 with a final compliance deadline of June 9, 2023 for its most demanding provisions, significantly expanded the requirements beyond the original 2003 version, which left most specifics to the institution's judgment.

Non-compliance can result in FTC enforcement action, state attorney general investigations, and significant financial penalties. Beyond regulatory risk, a data breach at a dealership can result in customer lawsuits, reputational damage, and loss of manufacturer relationships.

The Nine Key Elements

The amended Safeguards Rule requires dealerships to implement a comprehensive information security program with these elements:

1. Designate a Qualified Individual

Your dealership must designate a qualified individual to oversee and implement the information security program. This person does not need to be an employee; you can use an affiliate or a third-party service provider. If you do, the dealership retains ultimate responsibility for compliance, must designate a senior member of its own staff to direct and oversee the Qualified Individual, and must require the provider to maintain an information security program that meets the Rule's requirements.

2. Conduct a Risk Assessment

A written risk assessment must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, assess whether existing safeguards control those risks, and state the criteria used to evaluate and categorize them. This is not a one-time exercise; the assessment must be repeated periodically and whenever the business or its systems change materially.

3. Design and Implement Safeguards

Based on your risk assessment, implement safeguards to control the risks identified. The amended Rule names specific ones: access controls that limit each user to the customer information their job requires, an inventory of the data and systems that hold it, encryption of customer information in transit over external networks and at rest (or compensating controls approved in writing by the Qualified Individual), multi-factor authentication for anyone accessing any information system, secure disposal of customer information no later than two years after its last use for the customer, change management procedures, and logging and monitoring of authorized users' activity so that unauthorized access can be detected.

4. Monitor and Test Safeguards

You must regularly test or monitor the effectiveness of your safeguards. The Rule accepts continuous monitoring; if you do not have it, you must perform annual penetration testing and vulnerability assessments at least every six months, plus additional testing whenever your operations or risk assessment change materially.

5. Train Your Staff

All personnel must receive security awareness training. This training should be relevant to their roles and updated as threats evolve.

6. Monitor Service Providers

If you share customer data with service providers, such as dealer management system (DMS) vendors, CRM platforms, or credit bureaus, you must select providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess each provider based on the risk it presents and the adequacy of its safeguards.

7. Keep Your Program Current

Your information security program must be evaluated and adjusted based on changes in operations, threat landscape, or risk assessment results.

8. Create an Incident Response Plan

You must have a written incident response plan that addresses how you will detect, respond to, and recover from security events, including goals, internal processes, roles and responsibilities, internal and external communications, remediation of any weaknesses found, documentation of the incident, and a post-incident review of the plan. Since May 13, 2024, the Rule also requires notifying the FTC as soon as possible, and no later than 30 days after discovery, of any notification event involving the unencrypted customer information of at least 500 consumers.

9. Report to the Board

The qualified individual must report in writing at least annually to the board of directors (or equivalent governing body, or a senior officer if there is none) on the status of the information security program, covering material matters such as risk assessment results, testing results, security events and management's response, and recommended changes to the program.

Common Gaps We See

In our experience working with automotive dealerships, the most common compliance gaps include:

  • No formal risk assessment — Many dealerships have never conducted a structured security risk assessment.
  • Weak access controls — Shared logins, excessive user permissions, and no multi-factor authentication.
  • No employee training program — Staff cannot identify phishing attempts or understand data handling procedures.
  • DMS security gaps — Misconfigured dealer management system access and inadequate audit logging.
  • Missing incident response plan — No documented plan for responding to a data breach.
  • No vendor oversight — Third-party service providers with access to customer data are not assessed for security practices.
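
As an added illustration of what the "shared logins" and "inadequate audit logging" gaps look like in practice, the Python script below reads audit log lines and flags any account that has overlapping sessions on two different workstations, which is the typical signature of a credential being passed around the F&I office. This is example code written for this article, not code from the original page and not from any DMS vendor; the log format (one JSON object per line with ts, event, user and src_host fields) and the sample records are constructed for illustration, and parse_log() would need adapting to a real DMS audit export.

```python
"""Flag shared DMS credentials from audit log lines.

Added example only: this is not code from the original page or from any
dealer management system vendor.  The line format (one JSON object per line
with ts, event, user, src_host) and the sample records are constructed for
illustration; real DMS audit exports differ and parse_log() would need to
be adapted.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  The F&I desk account "fi.desk" is logged in from
# two workstations at the same time, which is what a shared login looks like.
# "jsmith" logs out and back in on one workstation, which is normal.
SAMPLE_LOG = """\
{"ts": "2025-03-04T08:01:12Z", "event": "login",  "user": "fi.desk", "src_host": "FI-PC-01"}
{"ts": "2025-03-04T08:03:45Z", "event": "login",  "user": "jsmith",  "src_host": "SALES-07"}
{"ts": "2025-03-04T08:10:02Z", "event": "login",  "user": "fi.desk", "src_host": "FI-PC-02"}
{"ts": "2025-03-04T08:15:30Z", "event": "logout", "user": "jsmith",  "src_host": "SALES-07"}
{"ts": "2025-03-04T08:20:00Z", "event": "login",  "user": "jsmith",  "src_host": "SALES-07"}
{"ts": "2025-03-04T11:42:19Z", "event": "logout", "user": "fi.desk", "src_host": "FI-PC-01"}
{"ts": "2025-03-04T17:05:00Z", "event": "logout", "user": "fi.desk", "src_host": "FI-PC-02"}
"""


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_shared_logins(events, max_session=timedelta(hours=12)):
    """Return {user: [(existing_host, new_host, when), ...]} for every login
    that happened while the same account still had an open session on a
    different workstation.  Sessions older than max_session with no logout
    are treated as abandoned, so one missing logout record does not keep
    producing false positives."""
    open_sessions = defaultdict(dict)   # user -> {src_host: login time}
    findings = defaultdict(list)
    for rec in events:
        user, host, ts = rec["user"], rec["src_host"], rec["ts"]
        sessions = open_sessions[user]
        # Drop sessions that have been open longer than max_session.
        for stale in [h for h, t0 in sessions.items() if ts - t0 > max_session]:
            del sessions[stale]
        if rec["event"] == "login":
            # Any other workstation still holding a session for this user
            # means the credential is in use in two places at once.
            for other in sessions:
                if other != host:
                    findings[user].append((other, host, ts))
            sessions[host] = ts
        elif rec["event"] == "logout":
            sessions.pop(host, None)
    return dict(findings)


if __name__ == "__main__":
    for user, hits in find_shared_logins(parse_log(SAMPLE_LOG)).items():
        for existing, new, when in hits:
            print(f"{when:%Y-%m-%d %H:%M}: {user} logged in on {new} "
                  f"while still active on {existing}")
```

Run against the constructed sample, the script reports one finding: fi.desk logged in on FI-PC-02 at 08:10 while still active on FI-PC-01. The point is that this check is only possible if the DMS records logins and logouts with a source host, which is why audit logging and per-user accounts belong together on the remediation roadmap; the same report is also the kind of evidence the Qualified Individual can cite when reporting on user activity monitoring to the board.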

Where to Start

If your dealership has not yet addressed FTC Safeguards compliance, the most practical starting point is a gap assessment against the nine required elements. This gives you a clear picture of where you stand and what needs to be addressed first.

Prioritize the highest-risk gaps — typically risk assessment, access controls, and MFA — and build a phased remediation roadmap that fits your dealership's resources and timeline.

Important: Compliance assessments support readiness. Consult qualified legal counsel for formal legal determinations about your obligations under the FTC Safeguards Rule.

NEED HELP WITH THIS TOPIC?

Schedule a no-obligation consultation to discuss how Prometheus Cybersecurity can help your organization.