Can Your IT Service Provider Manage Your FTC Compliance?

Here Are Our Top 10 Questions to Ask Your IT Provider

By Andy Graff Chief Operating Officer

If you are confused about the intricacies of the Gramm-Leach-Bliley Act’s revised  Safeguards Rule (Safeguards Rule) that went into enforcement on June 9, 2023, welcome to the club. For many dealerships, regulatory compliance presents a formidable challenge. As a result, many vendors are quick to claim to be experts in managing the Safeguards Rule and it’s not uncommon to hear some dealers say, “My MSP or IT company can handle everything.“

Dealerships contemplating full reliance on an MSP for this specific regulation must weigh several factors because the intricacies of compliance demand expertise that extends beyond the realm of IT. If your MSP says they can manage your entire Safeguards Rule compliance program, there are a multitude of factors to consider. Here are my top 10 questions to ask your MSP or IT provider when they claim that they can completely handle all of your Safeguards Rule compliance requirements.

1. Do they have qualified legal experience?

Whether it is your in-house or outside counsel, it is important to have legal expertise in data protection when drafting internal policies and procedures to ensure they are compliant. When policies are drafted they need to include language that speaks to both state and federal regulations depending on where you do business. Having legal expertise you can rely on is critical for both the timeliness and accuracy of your compliance in this ever-changing legal landscape.

2. Can they help you complete all the elements of an internal Annual Risk Assessment?

I recently got a message from a dealer friend who asked, “Do I really have to answer every single one of these questions in the assessment?” Unfortunately for her, the answer was a resounding “Yes!” The rules, regulations, and possible citations that are coupled with risk assessments are extensive to say the least (if you know, you know). An MSP or IT provider may be able to complete a technical risk assessment, but they also need to be knowledgeable about how your staff manages the paperwork that is generated, moved, and stored in your dealership.

3. Will they help you create an Annual Board Report?

Generating the required annual report for the Board of Directors is no simple task. The annual report will need to include every action taken on every requirement of the Safeguards Rule. As I am sure you’ve heard before from countless other sources, a violation of the Safeguards Rule carries the price tag of $50,120 per violation. I wouldn’t saddle your MSP or IT company with this responsibility especially if they do not have the legal knowledge to do so. If you’re suddenly feeling like they’re back in school and have to turn in a huge project for a class that you never attended, welcome to the club.

4. Can they manage your Vendor Data Processing Agreements?

The mandatory question on this topic is, does my provider have the legal expertise to create Vendor Data Processing Agreements for my other relevant vendors? The idea of getting the contacts and signatures of all my third party vendors is enough to make me itchy. I don’t know about you, but I would very much prefer this process to be someone else’s problem as much as possible because not only is it time consuming it is also extremely confusing. For example, not all vendors will have to complete these Data Processing Agreements, only the “Service Providers.” Huh? Additionally, you have to be sure that the questionnaire provided to the vendors fulfills all legal requirements for vendors and needs to be processed annually. Good grief.

5.  Will they train your employees?

I personally find that old saying of “those who cannot do, teach” to be wildly inaccurate. I’m an expert in my field but the process of teaching what I’ve learned to others has proved to be more difficult than I ever dreamed. Adult learners, in my experience, are just taller versions of their younger selves: easily distracted and quick to dismiss lessons that do not feel realistically applicable to their daily lives. Additionally, managing training for everyone amidst their daily responsibilities can feel like herding cats. Therefore, I value anyone who can expertly take on this task while also tracking every individual’s completion.

6. What about data mapping?

I know a compliance officer that once spent six months mapping out how vendors collected, stored, and transmitted data because he had to do it all by hand. I don’t know anyone who has time for that kind of task. Will your MSP or IT provider be able to handle this for you? If they can, how long will it take and how much of the heavy lifting will you have to do? Most importantly, is your MSP or IT provider knowledgeable enough about your business to know where all your dealership’s data is derived from and stored?

7. Can they provide vulnerability and pen testing?

Vulnerability and Pen testing – required biannual and annual. Many service providers do not include this in your monthly service plan and will hit you with a costly bill when it is time to do it. Furthermore, some IT service providers are misguided and think this is not a requirement if you dealer has continuous monitoring. Check out this article why this is a myth. 

8. Will they create your Incident Response Plan?

The Incident Response Plan (ISP) is a critical component of your FTC compliance. It should encompass contacts for dealership legal counsel and cybersecurity insurance.

9. Will they provide tools to help keep NPI safe?

Gone are the days when a salesperson could simply request a pay stub through an email or SMS text message. It is becoming increasingly important that private information remain private, lest the dealership be held responsible. Be sure that the IT provider offers an encrypted messaging tool. What’s more, while your store is in possession of that information, you need a way to make sure it stays safe, and that means implementing tools such as Multi-Factor Authentication etc.

10. Will they guarantee their products and services?

In the world of compliance, peace of mind goes a long way. I need to be sure that my provider will stand by their work, so that in the event that something beyond my control and expertise happens I am not the one left holding the metaphorical bag.

Bonus Question: Don’t Forget Website Tools Many states are implementing their own regulations regarding consumer privacy protection. So it wouldn’t hurt to also ask them about the tools available. In our family we often say, “Buy cheap, buy twice,” which essentially means that if you are going for a quick or inexpensive solution then it is probably not worth the savings in the long run. This is especially true when it comes to cookie banners and other website tools. Though there are many on the market these days, they may not entirely work the same way nor do what specific states are now requiring through their personal data laws (twelve states have adopted their own laws as of this writing), so you should consider more than just the price of the tool. Remember to assess whether or not the website tools provided will allow for online consumer consent and comply with local laws because website cookies are becoming increasingly complex. While we’re on the topic of websites, you need to make sure that your IT provider can develop a bespoke privacy policy for your website with proper state disclosures and based on how you collect consumer information, with whom you share it, and for what purpose it is collected.

Unfortunately, this list only scratches the surface of compliance, but it’s a good place to start when assessing whether or not your IT provider really can provide you with everything you need. Moving forward, cybersecurity will be a cornerstone in our industry, and it’s never been more imperative for the longevity of our success that we keep customer information safe.