What Will It Take To Put You In This Cybersecurity Standard Today?
As many of our Car Dealer friends are no doubt aware, the FTC Standards for Safeguarding Customer Information, or Title 16, Chapter I, Subchapter C, part 314 (Rolls right off that tongue!) takes effect this Friday, after a six-month delay. The "Safeguards Rule" prescribes a Cybersecurity standard of care for financial institutions, a group in which many medium to large dealerships are included by virtue of their financing operations.
The stated objectives of the rule are music to my security practitioner ears.
(1) Insure the security and confidentiality of customer information;
(2) Protect against any anticipated threats or hazards to the security or integrity of such information; and
(3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
The basic requirements boil down to the following:
(a) Designate a qualified individual responsible for your information security program
(b) Base your information security program on a risk assessment
(c) Design and implement safeguards to control the risks you identify through risk assessment
(d) Test or otherwise monitor the effectiveness of the safeguards' key controls
(f) Oversee service providers
(g) Evaluate and adjust your information security program
(h) Establish an incident response plan
(i) Report regularly to the board of directors or equivalent governing body.
These required controls are pretty standard Cybersecurity fare, but if you don't already have an established Information Security Plan and GRC function, the task can be a bit of a challenge.
Reach out if you need help. principia/RAID can help.