HOT TOPICS
2017 MEMBERSHIP DIRECTORY
116

IMPORTANT LAWS AND REGULATIONS

The FTC Safeguards Rule

The FTC Safeguards Rule requires auto dealers to ensure the security and confidentiality of their customers’ personal information by using appropriate administrative, technical, and physical safeguards. The Rule also requires auto dealers to take reasonable steps to ensure that affiliates and service providers safeguard the customer information provided to them.

Under the Safeguards Rule, an auto dealer must develop and implement a written information security program that is appropriate to the dealership’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue (“Information Security Program”). The dealer’s Board of Directors (or its highest governing authority) must approve the initial Information Security Program and take responsibility for it. A senior officer must be appointed as the Information Security Program manager responsible for developing, overseeing, implementing, training, updating, and administering the Information Security Program, but the final responsibility will rest with the Board of Directors or the senior management team.

An Information Security Program must include certain basic elements to ensure it addresses relevant aspects of a dealer’s operations. The Information Security Program must:

• Describe how the program will protect customer information, both in paper and electronic format, and protect against anticipated threats to information security;
• Designate one or more employees to coordinate the information security program;
• Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
• Design and implement a safeguards program, and regularly monitor, test, and update it;
• Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information;
• Include a security incident and data breach response plan in your information security program for use in the event of any irregularity or in the event any consumer information is lost, stolen, or compromised;
• Test, evaluate, and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

Dealers must regularly monitor and test their Information Security Program, evaluate its effectiveness, and adjust it accordingly. Three critical areas to address are: 1) employee training and management; 2) information systems; and 3) monitoring, detecting, preventing, and responding to attacks, intrusions, and systems failures.

The FTC has found that failing to have a defensible password security policy, or permitting “weak” administrative passwords such as common words lacking capitalization, numbers, or symbols (e.g., “password” or “12345”), can constitute inadequate data security. The FTC also faulted a leading social networking provider for storing passwords and sending them in plain-text emails.