Skip to content

The Latest on the Safeguards Rule: An Interview with KPA’s Robert Ebin

The Latest on the Safeguards Rule: An Interview with KPA’s Robert Ebin

In this episode of The F&I Minute, Emily is joined by KPA Senior Manager of Legal Affairs, Robert Ebin, Esq., to dig into the Safeguards Rule and what companies can do to avoid getting dinged by regulators.

So, Robert, I’m hoping that you can kind of tell us a little bit about all the buzz that’s happening about it [the Safeguards Rule] right now.

Yeah, sure. So, let’s first start with some quick background, because I think it’s good to just get everybody on the same page. So, with the Safeguards Rule, it was created by the FTC, pursuant to a directive in what many of you have heard of the Gramm-Leach-Bliley Act or GLBA.

And so, the rule became effective back all the way in 2003. And in short, the rule requires that financial institutions develop, implement, maintain a written information security program, and this security program is designed to protect your customer information.

And so, going back to your question, why is there all this buzz? Well, now, some years later, the FTC officially published revisions to the Safeguard Rule. They actually published that back in December 2021. Some of these revisions became effective on January 10th of this year, but the majority of the revisions are going to be applicable as of December 9, 2022.


All right, so why should we care about this?

Yeah, so, I mean, I guess in the frame of dealers, the important part, which many dealers are already aware of, none of this part has changed from the Safeguards Rule, is that dealers are considered financial institutions in the rule. And so, therefore, the rule’s requirements apply to car dealers.

Secondly, dealers should care because these new requirements are pretty extensive. Dealers are going to need to take a few steps in advance of December 9th to ensure compliance. And let me give you a little flavor of some of the new requirements under this revised rule. They’re actually quite specific, too, which is impressive and important because it gives kind of a game plan for dealers.

And, you know, so one of these new requirements is that dealers need to perform written risk assessments that need to be conducted over or on a periodic basis. They need to implement multi-factor authentication to access customer information. They need to perform annual internal penetration testing, also bi-annual vulnerability assessments of their information systems.

They also need to implement policies and procedures and controls to monitor and log activity of users and detect unauthorized access of their systems. Customer information needs to now be encrypted both at rest and in transit. You have to create a written incident response plan, basically, that’s designed to promptly respond to and recover from a security breach.

There’s actually specific requirements of that written incident response plan in the revised rule. The new rule also needs or forces financial institutions to select service providers that maintain appropriate safeguards. And you need to periodically assess these service providers as well to ensure compliance.

Another interesting part is that financial institutions under the new rule are now required to affirmatively dispose of customer information, which is something new and something that wasn’t required under the old rule. Finally, the amended rule now requires the dealership to designate a single qualified individual to be responsible for this information security program.

And so, the old law or the old rule said, it could be a single person or people, but now it’s a single individual, qualified individual. And this qualified individual is now required to provide a written status report, at least every year, at least annually to the board of directors, or the governing body of the dealership. So, those are some… I mean, it’s pretty onerous when you hear all those things, but, you know, and that’s why dealers should care.


Yeah, I was just gonna say, I feel a little overwhelmed by everything that you have just gone through. And I imagine it’s going to be kind of, like, a multi-phase process of making all of this kind of work, and get into play, come into being and place. Is there anything that, you know, folks should be doing right now?

So, I think a couple of things that dealers can start doing right now is they can start performing those periodic risk assessments. They should be already doing that under the old rule. But so, if they haven’t been doing that now, now is a good time to start.

They can regularly test and monitor the effectiveness of their safeguards, both their physical safeguards and their digital IT ones. They can start overseeing the service providers, by selecting those, as we discussed, that can maintain appropriate safeguards. And then they would need to put the required terms into those service provider contracts and the specific language that the rule requires to have in those contracts.

And then they can continue to evaluate and adjust their information security programs. And, you know, they can also tackle a few of these other requirements that I just mentioned before, too, and I think, you know, maybe perhaps the best place to start is to designate that qualified individual. And they are also probably going to want to start getting going on creating a data and systems inventory.

And what I mean by that is taking inventory of all the data in their possession, and inventory of the systems that where the data is stored, or where they collect the data or the systems where the data is transmitted. So, creating, basically, an inventory, a list of those things to get started. Because I think the first place always should be determining what you have and what you use, and then you can start doing those assessments and adjusting your information security program accordingly.

Sure. Leading by example, we love to see it. What would you say that OSHA is really focusing on for 2022? What should we be really narrowing in on?

Yeah. So COVID-19 is still lingering out there. Yeah, that one is- so, OSHA did have some different emergency temporary standards that they tried to enact in the past year or so. Back in late 2021, they tried with the vaccination mandate, but that was recently found to be unconstitutional by the Supreme court.

So that one did not actually go through. And that would have been a big precedent set across the entire country. It would have given OSHA some power that maybe they never had in the past. But really, even though that got shot down in the Supreme court, that doesn’t mean that OSHA is going to stop with COVID-19.

We understand that that is a very important agenda item for the current president’s administration. And it is a public safety issue. It’s a workplace issue as well, too. It’s still a hazard in the workplace. Just because you know, a mandate on vaccinations got shot down. That doesn’t mean that OSHA is still not going to cite an employer for exposing workers to potential COVID-19 outbreaks.

Yeah, yeah. This is, obviously, a topic that we are going to be talking a lot more about in the coming months. And, Robert, I’m glad that you came on. I expect I will have you on again to talk more about this.


But I think, for now, that kind of wraps up what we plan on talking about today, and I hope that everyone will keep listening in, in the coming months, for more information because there will definitely be a lot more that we have to say about this. So, thank you all for listening.

Thanks, everybody.

About The Author

Emily Hartman

Emily is a Marketing Manager here at KPA. She’s using the mad communications skills she learned in Washington, D.C., to break down technical information into news you can use.

More by this Author >
Back To Top