Skip to content

Safeguards Update: What Dealers Need to Know

Caity Benston

In this episode of The F&I Minute, KPA's Partner Marketing Manager, Caity Benston, and Helion Technologies CEO, Erik Nachbahr, discuss the FTC's Safeguards Rule, the recent extension, and what dealers need to be aware of and prepare to be compliant.

[00:00:34]

Erik, could you tell us a little bit, just give to us a brief overview of Helion Technologies and the services you provide, and then we’ll jump into our Safeguards discussion.

So, Helion Technologies is the largest IT-managed service provider for dealers in the U.S. We work with about 850 dealerships, about 35,000 dealership employees, and we specialize in day-to-day dealership technology operations. And one of our focuses is, of course, security and regulatory compliance, and all the different things dealers need to do, from a technical aspect, to comply with all of the different federal statutes and local state statutes that they need to be mindful of.

 

Can you give us a brief synopsis of the FTC’s Safeguards Rule and the amendments that they’ve made, and maybe what dealers should look out for?

Sure. Well, the thing about Safeguards, and a lot of dealers don’t know this, is it’s not actually new. It’s been a component of GOBA for a long time. And what the FTC did in the last year is really they updated the Safeguards Rule, and they called it the Safeguards Final Rule, which I don’t know that it’ll be the final rule. But it really clarifies, in many cases, and gives more specificity to the particular things that dealers need to do really to safeguard their customers’ data and secure their networks.

That’s really the focus of the new rule. And it’s really been pushed by consumers that are fed up with the great amount of exposure of their personally identifiable information via businesses that are attacked by cyber criminals.

 

We know that originally, this revision of the Safeguards Rule that includes these technical requirements, the deadline was actually December 9th of 2022, and FTC recently extended that to June of 2023. Can you break this down a bit for dealers? What does that extension mean, and what should dealers be aware of?

The big change that happened, of course, the rule was initially supposed to go live in December of this year, and the FTC pushed back a number of the provisions. And really the thing that they cited is the shortage of professionals that are available and capable of assisting all businesses, you know, but in this case dealers, to implement the requirements of the rule. So, there was a lot of pushback from small businesses in the U.S. and ADA that said, “Look, it’s unreasonable, we can’t get things done in time.” So the FTC decided to push back a number of components of the rules.

Certain pieces they still have to put in place, but they pushed back the requirement, for example, to have a designated individual to encrypt all of their data. They have to have a risk assessment, but it doesn’t need to be a written risk assessment. They have more time to develop an incident response plan and, you know, assess their security practices. So they really just gave them more runway to get things in place, is what essentially it came down to.

 

[00:03:55]

And for dealers who now have this extension, some may think, “Okay, well, now I have time.” But how long does it actually take to implement these processes and get them up to compliance?

Yeah. Well, that’s the challenge. I mean, I think we all deal with that in businesses where you’ve got these deadlines, and everybody’s working with a lot of irons in the fire. And so, we saw a lot of activity with dealers saying, “Oh, my gosh, we need to get this in place right away.” And then everyone breathed the sigh of relief, you know, including us where, “Okay, great, we don’t have to have everything in place by December 9th.”

[:00:05:00]

And the challenge the dealers have, and why they need to act now and not wait until May when the deadline approaches again is the dealers typically have a lot to do. So, they don’t have a lot of the foundational pieces, they don’t have control of their PCs, they don’t have active directory to secure who’s able to log on to PCs. They certainly don’t have multi-factor authentication, right, where they’ve got, you know, codes that, for web-based technologies, for administrative access. So, there’s a lot of these pieces that require some pretty substantial foundational things get put in place, and that can’t happen overnight.

 

[00:06:12]

What other pitfalls do you think are out there that dealers should avoid when they’re trying to address these requirements and these provisions?

Well, I think the thing that I see a lot is that it’s oversimplified of what needs to happen. So, there are a lot of checklists out there, and we’re seeing this where dealers are getting presented with, kind of, a quick fix of, “Hey, check all these boxes, maybe install this thing, do this thing, and then you’re just magically compliant with the FTC.” And, you know, it’s not that simple.

The Safeguards Final Rule is requiring a true assessment by folks that know what you have technologically, but on the technology side, and then administratively on the administrative side, to assess where you are, and then there needs to be a plan and a prescription. And the FTC Safeguards Final Rule does have some very specific things. You have to encrypt all of your data. You have to have multifactor authentication. You have to have continuous monitoring of your IT systems. You have to restrict administrative access.

So you need to do a lot of things that take a lot of time. And, you know, I think dealers are thinking, “Well, I can just check these boxes.” And a lot of times they’re having folks check in the boxes that aren’t really sure what those questions mean. And I think the challenge is, and this is gonna be, I think the biggest pitfall for dealers is, they check a bunch of boxes on a form, they’re not actually doing what the Safeguards Final Rule is truly insisting on, which is evaluating your system and making those changes, and then they’re gonna think they’re protected from liability somehow when they have a cyber incident.

 

[00:09:30]

So, Erik, why would you suggest dealers avoid maybe a checkbox solution or an all-in-one solution? Is that a potential pitfall for dealers as they’re looking to address Safeguards?

Yeah, I mean, it is. The challenge that you get with, kind of, a checkbox solution, or a, “Hey, you know, do these couple things and in a couple days, you know, you’ll be compliant and guaranteed compliant with the FTC.” And we’re seeing those kinds of things being set out in the industry. And, you know, the fundamental challenge with that is dealers are not cybersecurity and FTC compliance experts.

So then they’re being asked, you know, “Do you have these essential pieces in place?” And typically, they don’t really understand what that question is asking, and how that’s truly implemented in the dealership. So, again, the fundamental essence of what FTC is asking is a professional evaluation of what you have, what you should have to mitigate the risks in the organization, and then continuously re-evaluating that.

 

[00:11:33]

My only tip I’ll say for now because I think we’ve said a lot with it is don’t wait until the week before the deadline.

Don’t procrastinate. Well, thank you so much, Erik, for joining us today, and thank you to all of our KPA clients and customers.

Back To Top