It’s no secret that financial institutions are continuously the target of cyberattacks due to the sensitive information they store on their systems and these attacks are only becoming more frequent and severe as new technologies are introduced. In an effort to combat these attacks, the US government and industry governing bodies have implemented new regulations and requirements to protect consumers and their information.
The Gramm-Leach-Bliley Act (GLBA) is one such federal regulation that was implemented to protect consumers.
What is the GLBA?
Originally enacted in 1999 by the Federal Trade Commission (FTC), the Gramm-Leach-Bliley Act controls how financial institutions collect, store and transmit sensitive customer data.
This Act requires financial institutions to clearly disclose their information-sharing practices to consumers and offer them an opportunity to opt in or out of those sharing practices. Only after the financial institution receives a consumer’s consent to opt in, can they disclose that consumer’s nonpublic personal information with unaffiliated third parties.
Of the three sections of the GLBA, we’ll focus our discussion on the Safeguards Rule.
What is the Safeguards Rule?
The FTC’s Standards for Safeguarding Customer Information – Safeguards Rule – requires that financial institutions implement and maintain safeguards to protect the security of customer information.
Initially put into effect in 2003, the Safeguards Rule was again updated in 2021 in order to account for changes in current technology. The update also expanded the types of businesses that were required to comply.
How does the Safeguards Rule affect auto dealerships?
Auto dealerships regularly collect sensitive customer information – name, address, phone number(s), social security number, and credit and financial information. Unfortunately, not all dealerships have the proper protections in place to guard that information from theft or misuse. The Safeguards Rule requires that dealerships create, implement and maintain a comprehensive information security program to protect that sensitive customer information, both in electronic and physical form.
The requirements of the Safeguards Rule as it pertains to auto dealerships applies to all dealerships, regardless of their size and failure to comply comes with hefty fines from the federal government.
What is an information security program?
An information security program is a written set of policies, procedures and guidelines used by a company to protect its customer information. While each program may differ depending on the size and complexity of the dealership, your company’s information security program needs to…
- ensure the security and confidentiality of customer information
- protect that information against anticipated threats or hazards to its security or integrity
- protect that information against unauthorized access which could result in substantial harm or inconvenience
The FTC has identified 9 key elements that must be included in the program including designating a qualified individual, conducting a risk assessment, implementing safeguards, monitoring effectiveness of those safeguards, staff training, monitoring service providers, keeping the program current and creating a written incident response plan.
What are the requirements of the Safeguards Rule?
The Safeguards Rule identifies 9 elements that must be included in your written information security program. Those elements are:
1. Designate a qualified individual to implement and supervise your company’s information security program. The qualified individual can either be an employee of your dealership or a service provider.
2. Conduct a risk assessment. The risk assessment should start with an inventory of what customer information you collect, how it’s stored and how it’s transmitted. Mapping this out will help to identify any vulnerabilities or risks to the security and confidentiality of the information. The risk assessment must be written and include criteria for evaluating risks and threats.
3. Design and implement safeguards to control those risks. This is an ongoing task that will require periodic review of how sensitive data is collected, who can access it, where it’s stored, how it’s transmitted, how it’s protected and how it’s disposed.
4. Regularly monitor the effectiveness of your safeguards. There are 2 options – continuous monitoring or regular penetration testing and vulnerability assessments.
5. Train your staff. Every member of your staff (regardless of their role) should receive comprehensive and ongoing security awareness training and testing.
6. Monitor your service providers. Take steps to ensure that you select service providers that implement and maintain the appropriate safeguards.
7. Keep your information security program current. Make sure your program is flexible to accommodate changes in security needs.
8. Create a written incident response plan. Identify the necessary steps to take in the event of a security breach. This written plan includes the internal processes that will be activated once a breach has occurred, the roles and responsibilities of team members, processes for finding and fixing the weakness(es) in your system, and procedures for documenting and reporting. This plan should be regularly reviewed and adjusted as needed.
9. Your Qualified Individual must report to leadership. The person that has been designated as the Qualified Individual must report to leadership (or Board of Directors if your dealership has one) in writing at least annually. This report includes an overall assessment of your dealership’s compliance with its current information security program and any recommended adjustments.
How can EZ Micro help your dealership?
We understand that it can seem a bit overwhelming with so many requirements to not only become compliant but maintain your compliance as well. The good news is that you don’t have to forge ahead alone… our team of IT experts can help! Here’s how…
Managed IT Services
We’re your partner in all things related to information security.
Cybersecurity Testing
We’ll conduct a penetration test to get a thorough assessment of your current IT security.
Cybersecurity Training
We’ll train all of your employees so they understand their responsibilities for protecting your dealership’s data, how to identify a phishing email or suspicious link, what they should do in the event they click a link they shouldn’t have, the importance of strong passwords and more.
We’ll also test your employees so they can apply what they’ve learned since studies show that people are much more likely to retain information they’ve learned through experience using it.
Network Security
We’ll constantly monitor, update and track your network to consistently make sure that your systems are not compromised.
Regular Reporting
We’ll provide regular reporting so that you’ll always know the status of your network. We can also serve as your Qualified Individual responsible for reporting the status of your information security program to your leadership.
Proactive Support and Strategic Planning
We’ll help you plan for growth and keep problems from arising. By thoroughly understanding your business and its needs, we’ll use our expertise in technology to help you make your business better.
Ready to get started? Contact us today!