Revised FTC Safeguards Rule

On October 27, 2021, the Federal Trade Commission (FTC) revised the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (“Revised Rule”) for the first time since the rule was issued in 2002. The Safeguards Rule requires certain financial institutions to implement a written information security program (“ISP”) to protect consumer financial information, as well as to conduct periodic risk assessments to make sure the organization is abiding by strict protocols to protect this information. In the announcement, the FTC specifically names “automobile dealerships” as a non-banking financial institution that would fall under the purview of these new revisions. Within thirty days of the Federal Register publication, these covered companies (i.e. dealerships) must implement written risk assessments and an ISP based on those risk assessments, and conduct regular testing of their systems safeguards and controls. Additionally, the revised Safeguards Rule requires covered companies to maintain written incident response plans and implement specific security requirements. Dealers must act immediately to meet compliance with the new rules or otherwise face stiff penalties of up to $43,792 per violation.

But these are things you already know. As dealer attorneys yourselves, I’m sure you have been inundated with these kinds of articles and newsletters since the FTC’s announcement. So, I’m going to spend the rest of this article going over the salient points of the new revisions in bullet-point fashion and exploring concepts buried in the 145-page publication that may not have immediately jumped out at you. I will then discuss specific topics that both clarify certain issues and remind you of what your dealer clients should be doing.

What does the revised Safeguards Rule require?

Our team here has gone through every page and here are the rules that impact dealers the most (Note that this list is not meant to be exhaustive):

1. Submit a periodic written report to the dealership’s board of directors or senior officer on compliance with these new requirements and the overall status and results of the Information Security Program (ISP).

2. Implement a written “Incident Response Plan”.

3. Perform periodic written risk assessments that adhere to certain requirements.

4. Encrypt all data in transit over external networks and at rest.

5. Require Multi-Factor Authentication (MFA), such as an SMS/text verification code, for all systems containing customer nonpublic personal information (NPI). 

6. Implement a data retention policy and dispose of customer information within two years after the end of a customer relationship, unless doing so conflicts with state or federal law.

7. Adopt procedures for IT “change management”.

8. Appoint a single “Qualified Individual” to oversee the dealership’s ISP.

9. Monitor and log the activity of authorized users and detect unauthorized use or access of customer information.

10. Implement a system or software for continuous monitoring of cybersecurity threats, including annual penetration tests and bi-annual vulnerability tests.

11. Perform “security awareness” training for all employees.

12. Periodically assess service providers for their adequacy of physical and technical safeguards.

Written Risk Assessment[1]:

Even though the prior version of the Safeguards Rule speaks of a risk assessment requirement, the Revised Rule revisits the requirement with more detail and specificity. The Revised Rule requires that dealerships create a written risk assessment that includes: 

  • criteria for the evaluation and categorization of identified security risks or threats faced by the dealership; 
  • criteria to assess the confidentiality, integrity, and availability of the dealership’s information systems and customer information, including the adequacy of existing controls; and 
  • requirements describing how identified risks will be mitigated and how the information security program will address the risks.

Multi-Factor Authentication[2]:

Multi-factor authentication (“MFA”) occurs when an individual’s identity is authenticated through verification of at least two of the following types of authenticating factors: 1) knowledge factors, such as a password; 2) possession factors, such as an email token or SMS/text code; and 3) inherence factors, such as biometric information. 

Dealers should begin to ask their vendors that process customers’ nonpublic personal information to begin requiring MFA when individuals access their database. This should not be a tall order in light of the FTC’s complaint (and consent order) against DealerBuilt in 2019. In it, DealerBuilt was considered to be a financial institution itself because it “significantly engaged in data processing for its customers, auto dealerships that extend credit to customers.” With this in mind, dealers should not run into any significant difficulties when asking their own CRM and DMS to provide MFA.

Annual Penetration Testing[3]:

New for the Revised Rule, financial institutions are required to perform continuous monitoring or annual penetration testing to evaluate the effectiveness of the safeguards’ key controls, systems, and procedures. Penetration testing means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems. An interesting point here is that the FTC cited “social engineering and phishing” as an important part of penetration testing: the fact that such testing involves employees with access to the information system, rather than the system itself, does not exclude it from the definition of penetration testing. Scott Wallace, a penetration tester for the Department of Homeland Security, says that preparing for a phishing campaign is the first thing he does when conducting penetration testing for the federal agency.

Biannual Vulnerability Assessments[3]:

In addition to annual penetration testing, the Revised Rule requires that financial institutions conduct biannual vulnerability assessments to detect publicly known vulnerabilities. Note that these tests, in this context, are not relevant to information in the physical form. In its comments, the FTC notes that there are free resources available that automate vulnerability assessments, such as “OpenVAS” and “” Your dealer clients should also take this opportunity to comply with Center for Internet Security (CIS) Critical Security Controls as some states, like Utah, Connecticut, and Ohio, are offering forms of safe harbor from civil data breach liability for CIS compliance.

Service Provider Agreements and Other Requirements[4]:

The definition of “service provider” is not updated with this revision nor is the requirement for financial institutions to “take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguard for customer information and require those service providers by contract to implement and maintain such safeguards.” However, it is important nonetheless to remind your dealer clients what they must do when working with their service providers.

First, dealers should contractually require the service providers (i.e. any person or entity that receives, maintains, processes, or otherwise is permitted to access customer information through its provision of services directly to a financial institution[5]) they work with to implement and maintain appropriate safeguards, including encrypting the information they process for the dealers. Second, dealers must periodically assess the measures that their service providers have purported to put in place. To accomplish this, dealers should consider requiring vendors to complete a risk assessment questionnaire as part of their vetting process to ensure the vendor conforms to applicable industry standards regarding physical and technical safeguards. For example, any vendor with access to NPI should confirm that they support MFA login and encryption of data at rest and in transit.

Incident Response Plan[6]:

New in the Revised Rule, financial institutions must establish written incident response plans. These plans must outline goals and address internal processes for responding to security events, define clear roles and responsibilities of parties involved, prescribe internal and external communications and information sharing, identify weaknesses in information systems and how to remediate them, document and report security events and related response activities, and evaluate and revise the incident response plan as necessary following the security event. When some commenters argued that this requirement was too burdensome, the FTC clarified that the plan must address only events that “materially” affect customer information, not every security event that may occur. Nor does the incident response plan need to detail all possible scenarios and dig into the minutiae of it all. Rather, it needs only to establish a system that outlines the financial institution’s response.

If you feel overwhelmed by the content and potential time and expense that abiding by these new revisions may require, you’re not alone. In 2019, the National Automobile Dealers Association suggested that fulfilling these new rules would cost dealerships an average of $277,000 per year. ComplyAuto is the most trusted privacy software tool for dealers representing over 600 dealerships and some of the largest groups in the United States. Not only can we help your stores or clients at a fraction of this cost, we can get them compliant with these new rules in a matter of days, not months. For more information and pricing, please visit:

 Disclaimer: Nothing in this article is intended to be legal advice. Please consult with competent legal counsel if you have questions regarding this article, the Gramm-Leach-Bliley Act, or the federal Safeguards Rule.

[1] 16 CFR § 314.4(b)

[2] 16 CFR § 314.4(c)(6)

[3] 16 CFR § 314.4(d)(2)

[4] 16 CFR § 314.4(f)

[5] 16 CFR § 314.2(d)

[6] 16 CFR § 314.4(h)
