
FTC Revises Safeguards Rule Updates: Are You Up to Speed on the New Data Breach Rules?

Adam Crowell

In today’s digital age, data breaches have become a major concern for businesses of all sizes and industries, but especially for dealers. The Federal Trade Commission (FTC) has announced new revisions to the FTC Safeguards Rule, a regulation aimed at protecting consumer information supplied to financial institutions, that will require dealerships to report data breaches involving the unencrypted information of at least 500 consumers.

This new requirement puts a greater emphasis on the need for businesses to implement proper technical, physical, and administrative security measures to prevent data breaches.

On October 27, 2023, the Federal Trade Commission (FTC) announced a revision to the FTC Safeguards Rule. The revision, which takes effect 180 days after its publication in the Federal Register, requires dealerships and other non-bank financial institutions to report a “notification event” to the FTC as soon as possible, and no later than 30 days after discovery, when the unencrypted information of at least 500 consumers has been acquired by a third party without authorization. Note that encrypted data counts as unencrypted for this purpose if the encryption key was also accessed by an unauthorized person, so encryption alone does not remove the reporting obligation unless the keys were protected as well.

The data breach report must be submitted electronically through the FTC’s website, and include:

  • The name and contact information of the business;
  • A description of the types of information involved;
  • The date or date range of the notification event;
  • The number of consumers affected or potentially affected;
  • A general description of the notification event; and
  • Whether any law enforcement official has provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.

The data breach reporting revision comes on the heels of major changes to the FTC Safeguards Rule that went into effect on June 9, 2023, and included:

  • The designation of a “Qualified Individual” to implement, oversee, and enforce the administrative, physical, and technical safeguards of an established, written information security program (ISP)
  • Mandatory and documented employee training
  • Creation and management of the following documents:
    • Initial and ongoing risk assessments
    • An information security program
    • An incident response plan
    • An annual report to the board of directors (or equivalent executive management)
  • IT requirements:
    • Enabling multi-factor authentication (MFA) for any individual accessing information systems that contain customer information
    • Encrypting customer information both at rest and in transit over external networks
    • Continuous monitoring of information systems, or, absent effective continuous monitoring, annual penetration testing plus vulnerability scans at least every 6 months and whenever there are material changes to operations or the business
  • Ongoing monitoring of:
    • Access controls to documents and data
    • Customer information storage
    • Disposal procedures
    • Change management procedures
    • Security practices
  • Assessing the risks of service providers (vendors) with access to customer information, contractually requiring them to meet or exceed the Safeguards Rule standards, and periodically verifying that they do

KPA’s here to help dealerships prevent data breaches that would require notifications to the FTC and others.

KPA offers solutions that guide dealerships in implementing the proper technical, physical, and administrative security measures while documenting and demonstrating compliance.

To learn more about KPA’s Privacy and Safeguards solutions, request a demo.

Adam Crowell

Adam Crowell is a licensed practicing attorney and nationally recognized compliance expert and speaker who regularly contributes on a variety of compliance and risk mitigation subjects. He brings to KPA over 21 years of legal experience and thought leadership in developing strategic relationships and solutions for proactively avoiding claims, fines, and lawsuits.
