OFFICIAL PUBLICATION OF THE KENTUCKY AUTOMOBILE DEALERS ASSOCIATION

Pub. 2 2022 Issue 2


KADA Partners with ComplyAuto for GLBA Compliance


The Kentucky Automobile Dealers Association (KADA) is continually looking for ways to protect its dealer members, and we are proud to be working with ComplyAuto, whose goal is to help Kentucky dealerships comply with the Gramm-Leach-Bliley Act (GLBA). Although the Federal Trade Commission recently extended the deadline to comply with certain provisions of the Amended Safeguards Rule to June 9, 2023, it is still imperative that dealerships are preparing for these new requirements.

Dealers need to be compliant with the updated Federal Safeguards Rule as soon as possible, given that the law went into effect Jan. 10, 2022. Compliance with these federal regulations will not be an overnight solution, and the penalties associated with not complying are extremely expensive (up to $46,517 per violation, to be exact). Dealers are urged to begin immediately if they want to put themselves in a position to succeed in the ever-changing legal landscape.

Backed by over 60 years of dealer experience, ComplyAuto’s dealer-focused suite of tools is helping over 1,000 dealerships across the country achieve state and federal compliance in an efficient and cost-effective way.

What is the revised Safeguards Rule under the Gramm-Leach-Bliley Act?

On October 27, 2021, the Federal Trade Commission (FTC) announced the revision of the GLBA’s Safeguards Rule (“Rule”) for the first time since the Rule was issued in 2002. In its announcement, the FTC specifically names “automobile dealerships” as non-banking financial institutions that fall under the purview of these new revisions. The Rule requires dealers to implement operational changes to their data protection and cybersecurity measures, such as creating, updating, and implementing a written information security program (“ISP”) to protect consumer financial information, and conducting periodic risk assessments to make sure the organization is abiding by strict protocols to protect this information. Dealers must act immediately to comply with the new rules or otherwise face stiff penalties of up to $46,517 per violation.

What does the revised Safeguards Rule require?

Here is a short list of requirements that impact dealerships the most:

  1. Submit a periodic written report to the dealership’s board of directors or senior officers on compliance with these new requirements and the overall status and results of the Information Security Program.
  2. Implement a written Incident Response Plan in case of a data breach.
  3. Perform periodic written risk assessments within the organization that adhere to certain requirements. This will be discussed at length below.
  4. Encrypt all data in transit over external networks and at rest.
  5. Require Multi-Factor Authentication (MFA), such as an SMS/text verification code, for all systems containing customer nonpublic personal information (NPI).
  6. Implement a data retention policy and dispose of customer information within two years after the end of a customer relationship, unless doing so conflicts with state or federal law.
  7. Adopt procedures for IT change management.
  8. Appoint a single qualified individual to oversee the dealership’s ISP.
  9. Monitor and log the activity of authorized users and detect unauthorized use or access of customer information.
  10. Implement a system or software to continuously monitor cybersecurity threats, including annual penetration tests and biannual vulnerability assessments. This will be discussed at length below.
  11. Perform security awareness training for all employees.
  12. Periodically assess service providers for their adequacy of physical and technical safeguards and have agreements that contractually obligate them to implement and maintain appropriate safeguards.

Written Risk Assessment

The Revised Rule revisits the existing risk assessment requirement and expands on it with more detail and specificity. The Revised Rule requires that dealerships create a written risk assessment that includes:

  • Criteria for the evaluation and categorization of identified security risks or threats faced by the dealership;
  • Criteria to assess the confidentiality, integrity, and availability of the dealership’s information systems and customer information, including the adequacy of existing controls; and
  • Requirements describing how identified risks will be mitigated and how the information security program will address the risks.

Annual Penetration Testing

New to the Revised Rule, dealers are required to perform annual penetration testing to evaluate the effectiveness of the safeguards’ key controls, systems, and procedures. Penetration testing means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems. Additionally, the FTC cited “social engineering and phishing” as an important part of penetration testing: the fact that such tests target employees with access to the information system, rather than the system itself, does not exclude them from the definition of penetration testing.

Biannual Vulnerability Assessments

The Rule now requires that dealers conduct biannual vulnerability assessments to detect publicly known vulnerabilities. Note that these assessments, in this context, do not apply to information in physical form. In its comments, the FTC notes that free resources are available that automate vulnerability assessments, such as “OpenVAS” and “Nmap.org.”

Service Provider Agreements and Other Requirements

The definition of “service provider” is not updated with this revision, nor is the requirement for dealers to “take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information and require those service providers by contract to implement and maintain such safeguards.”

First, dealers should contractually require the service providers they work with (i.e., any person or entity that receives, maintains, processes, or otherwise is permitted to access customer information through its provision of services directly to a financial institution) to implement and maintain appropriate safeguards, including encrypting the information they process for the dealers. Second, dealers must periodically assess the measures that their service providers have purported to put in place. To accomplish this, dealers should consider requiring vendors to complete a risk assessment questionnaire to ensure the vendor conforms to applicable industry standards regarding physical and technical safeguards. For example, any vendor with access to nonpublic personal information should confirm that it supports MFA login and encryption of data at rest and in transit.

Incident Response Plan

New in the Rule, these required plans must outline goals and address internal processes for responding to security events; define clear roles and responsibilities of the parties involved; prescribe internal and external communications and information sharing; identify weaknesses in information systems and how to remediate them; document and report security events and related response activities; and evaluate and revise the incident response plan as necessary following a security event. The plan needs only to establish a system that outlines the dealer’s response if such incidents should occur.

If you feel overwhelmed by the content and potential time and expense that abiding by these new revisions may require, you’re not alone. In 2019, the National Automobile Dealers Association (NADA) suggested that fulfilling these new rules would cost dealerships an average of $277,000 per year.

Introducing: ComplyAuto

ComplyAuto is the most trusted privacy software tool for dealers, representing over 1,000 dealerships and some of the largest groups in the United States. Partnered with NADA as its first Affinity Provider in compliance, ComplyAuto can not only help dealerships at a fraction of this cost, but it can also get dealerships compliant with these new rules in a matter of days, not months.

Here is a short summary of what ComplyAuto’s suite of tools can accomplish.

  1. Privacy Rights Management
    This software serves as an all-in-one privacy solution for dealers. It offers an efficient data mapping tool and vendor management system that identifies how consumers’ personal information is captured and which vendors have access.
  2. Federal Safeguards Rule Compliance
    This is the first dealership software to operationalize and automate the complexities of the FTC Safeguards Rule. It creates information security programs unique to each dealership with a user-friendly tool that updates all required documents in real-time. It also allows dealers to perform and document required physical and technical risk assessments and efficiently collect data processing agreements from service providers using its proprietary built-in eSign feature.
  3. Advanced Cybersecurity Suite
    This solution reinforces data protection and cybersecurity protocols through completely remote vulnerability assessment and penetration testing (VAPT) software. With online security training, it integrates dealership-specific phishing simulation software into your data protection processes.

For more information on ComplyAuto products and services, or to learn more about its transparent pricing, please visit complyauto.com or email them at info@complyauto.com.

Disclaimer: Nothing in this article is intended to be legal advice. Please consult with competent legal counsel if you have questions regarding this article, the Gramm-Leach-Bliley Act, or the federal Safeguards Rule.