Myths & Misconceptions About the Revised FTC Safeguards Rule


By now, almost all dealerships are aware that the Federal Trade Commission (FTC) revised the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule for the first time in 20 years, with the new regulations going into effect on December 9, 2022. In conjunction with these new regulations, the FTC released a 145-page publication of comments and clarifications on certain aspects of the new Rule, and dealers have been bombarded with seminars, webinars, articles, and sales pitches from various sources about its interpretation. Unfortunately, with all that information has come some misinformation as well. So, let’s bust the most common myths and misconceptions about the revised Safeguards Rule.

MYTH # 1: Dealers don’t need to perform penetration testing or vulnerability scanning if they’re doing 24/7 threat detection monitoring through an EDR, MDR, or SIEM tool.

The regulations create an exception to annual penetration testing and biannual vulnerability scans if the dealer is performing “continuous monitoring.” However, many IT companies and Managed Service Providers (MSPs) have gotten into the habit of liberally throwing around the term “continuous monitoring” to describe their EDR, MDR, and SIEM tools. We believe that many of those tools do not satisfy the “continuous monitoring” requirement as it is defined by the FTC’s regulations. Not that those tools aren’t valuable — they are in fact very valuable and we highly recommend them — it is just unlikely that they exempt you from completing the required penetration tests and vulnerability assessments. The regulations define “continuous monitoring” as a system that performs the following items in a real-time, ongoing manner:

  1. Monitoring for security threats;
  2. Detection of misconfigured systems; and
  3. Vulnerability assessments.

While most tools do the first item (monitoring for security threats), the vast majority are not performing items two and three (real-time, ongoing configuration scanning and vulnerability assessments). There are tools out there that offer various packages that can do true continuous monitoring (e.g., Splunk, DataDog, Qualys, to name a few), but they’re going to be very expensive. It was noted in an FTC Workshop that the type of continuous monitoring referenced in the Safeguards Rule could cost a small to midsized company around $600,000 per year. The FTC even implies that you’d need dedicated and experienced staff to monitor a system’s logs and activity around-the-clock, 24/7/365. In fact, the prohibitively high cost is precisely why the FTC allows businesses to complete an annual penetration test and biannual vulnerability assessment as an alternative to continuous monitoring. In short, most dealers will not be performing “continuous monitoring” as contemplated by the new regulations and will therefore still need to perform an annual penetration test and biannual vulnerability assessment.

MYTH # 2: Dealers need to hire a full-time Chief Information Security Officer (CISO) or other security professional under the law.

While the originally proposed rules contemplated requiring that a CISO be appointed to oversee your information security program, this was ultimately replaced by a requirement that you simply appoint a single “qualified individual” at the dealership. No particular level of education, experience, or certification is defined by the Safeguards Rule. According to the FTC, dealers may designate any qualified individual who is appropriate for their business based on its size and complexity. The purpose behind requiring designation of a single coordinator is to improve accountability, avoid gaps in responsibility in managing data security, and improve communication. Note that while the “qualified individual” must have ultimate responsibility for overseeing and managing the information security program, dealers may still delegate particular duties, decision making, and responsibilities to other staff members. Moreover, the Safeguards Rule does not require that this be the person’s sole job – he or she may have other duties.

MYTH # 3: Dealers who host all their customer information in the cloud (e.g., in their DMS and CRM) don’t need to worry about the new requirements because information security is the vendor’s responsibility.

Actually, it is quite the opposite. Not only is it naïve to think that all your customer non-public personal information (NPI) is in the cloud (think of every time a sales or finance person downloads a bank “stip” from their email onto their PC), but the regulations specifically make verifying service providers’ security the dealer’s responsibility. For example, dealers are required to both (1) require their service providers by contract to implement and maintain reasonable safeguards and (2) periodically assess their service providers based on the risk they present and the continued adequacy of their safeguards. In any event, dealers are responsible for their own network security and implementation of the new Rule (e.g., encryption, multi-factor authentication, penetration testing, etc.), regardless of their service providers’ level of involvement.

