The #1 Most Overlooked Rule: How DLP Tools Address the Safeguards Rule’s “Unauthorized Activity Monitoring” Requirement

By Chris Cleveland, Co-Founder and Chief Executive Officer

A particularly critical, yet often overlooked, provision of the revised FTC Safeguards Rule (16 CFR 314.4(c)(8), which took effect earlier this year, on June 9, 2023) requires dealers to “…implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.” The phrase that matters is “by such users”: the rule is about watching what authorized employees do with customer information, not only about keeping outsiders out. Through our research on the FTC Safeguards Rule, our review of published manuals and articles, and our scrutiny of other solutions available in the market, we have found that this requirement is routinely overlooked.

Upon reading this portion of the regulation, many dealers are left wondering, “How can I possibly accomplish this type of monitoring?” The modern dealership is bustling with activity and handles vast amounts of customer data every day. Requiring staff to review every email, document access, and employee login by hand is not only impractical but nearly impossible, and relying on one person to oversee the process invites the oversights and human error that lead to breaches. This is where Data Loss Prevention (DLP) tools come into play.

How DLP Satisfies the Regulation

DLP tools automate the surveillance of data access and sharing. By monitoring the thousands of electronic communications and device activities that occur at a dealership on any given day, a DLP tool can do the following. Keep in mind that the rule asks for both logging and detection: an alert is only as useful as the activity log it was raised from, so the events a DLP inspects should also be retained so that an incident can be investigated later.

  • Detect Mass Downloading of Data: By monitoring file access and transfer activity, a DLP can flag when an unusually large volume of records or files is being downloaded, such as a salesperson attempting to take a customer list to a competitor.
  • Monitor Mass Deletion: A DLP tracks file and database activity and alerts administrators when significant amounts of data are deleted, whether maliciously or by accident. Recovering the deleted data itself depends on backups or version history rather than on the DLP alert, so the alert needs to be paired with a working restore process.
  • Identify Suspicious Password Exposure: A DLP scans emails and other communications for patterns that resemble passwords and raises a flag if employees are carelessly sharing or exposing credentials. For example, a dealership employee might share a password for a sensitive credit system such as RouteOne or DealerTrack with a colleague who is not authorized to use it. The DLP alerts the team to such exposures.
  • Spot Unencrypted NPI Transmission: By examining email contents and attachments, a DLP can identify when sensitive nonpublic personal information (NPI) is being sent outside secure channels and alert the necessary parties. For example, an employee might send a customer’s Social Security Number (SSN) or credit report outside the dealership by regular, unencrypted email, which a DLP can detect and, if configured to block rather than only alert, prevent.
  • Alert on Foreign Logins: A DLP tracks login locations. If an account signs in from a country where the dealership has no staff, an alert can be generated so that dealership personnel can follow up.
  • Monitor Access Permission Violations: By observing which accounts access which data, a DLP can detect when an authorized user reads data outside their role. This requires an up-to-date map of which roles are entitled to which data classes; the DLP compares observed access against that map.
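As an added illustration of the checks in the list above (this is example code written for this page, not ComplyAuto’s or any other vendor’s product logic), the following Python runs six rules of this kind over a constructed set of audit events. The thresholds, the allowed-country list, the internal mail domain, the role-to-data map, and every event in the sample are assumptions made up for the example; the only real-world detail reused is the SSN format.

```python
"""Rule checks of the kind a DLP tool runs over activity logs (illustrative example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds and allow-lists are assumptions chosen for this example, not product defaults.
BULK_DOWNLOAD_THRESHOLD = 50          # file exports per user within WINDOW
MASS_DELETE_THRESHOLD = 20            # deletions per user within WINDOW
WINDOW = timedelta(minutes=10)
ALLOWED_COUNTRIES = {"US"}            # where this (hypothetical) dealership's staff sign in from
INTERNAL_DOMAIN = "example-dealer.test"  # hypothetical dealership mail domain
ROLE_ALLOWED = {                      # hypothetical access model: role -> data classes it may read
    "sales": {"crm"},
    "finance": {"crm", "credit"},
    "admin": {"crm", "credit", "hr"},
}

# SSN shape, with the never-issued area/group/serial values excluded to cut false positives
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# "password is ...", "pwd: ...", "passwd=..." followed by something secret-looking
CREDENTIAL_RE = re.compile(r"\b(?:password|passwd|pwd)\s*(?:is|:|=)\s*\S{6,}", re.IGNORECASE)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def check_events(events):
    """Return (rule, user, detail) findings for a list of audit events, processed in time order."""
    findings = []
    recent = defaultdict(deque)  # (user, action) -> timestamps still inside the sliding window
    for ev in sorted(events, key=_ts):
        user, action, ts = ev["user"], ev["action"], _ts(ev)
        if action in ("download", "delete"):
            q = recent[(user, action)]
            q.append(ts)
            while ts - q[0] > WINDOW:
                q.popleft()
            limit = BULK_DOWNLOAD_THRESHOLD if action == "download" else MASS_DELETE_THRESHOLD
            if len(q) == limit:  # fire once, at the event that crosses the threshold
                rule = "bulk_download" if action == "download" else "mass_delete"
                findings.append((rule, user, f"{limit} {action}s within {WINDOW}"))
        elif action == "email":
            external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in ev["to"])
            text = ev.get("body", "") + " " + ev.get("attachment_text", "")
            # The NPI rule only cares about data leaving the dealership over an unencrypted channel
            if external and not ev.get("encrypted", False) and SSN_RE.search(text):
                findings.append(("unencrypted_npi", user, "SSN pattern in unencrypted external email"))
            if CREDENTIAL_RE.search(text):
                findings.append(("credential_exposure", user, "password-like string in message"))
        elif action == "login":
            if ev.get("country") not in ALLOWED_COUNTRIES:
                findings.append(("foreign_login", user, f"sign-in from {ev.get('country')}"))
        elif action == "access":
            if ev["data_class"] not in ROLE_ALLOWED.get(ev["role"], set()):
                findings.append(("permission_violation", user, f"{ev['role']} read {ev['data_class']}"))
    return findings


def sample_events():
    """Constructed audit events (not real data) that exercise every rule plus one benign case."""
    base = datetime(2023, 9, 29, 17, 0)

    def at(**offset):
        return (base + timedelta(**offset)).isoformat()

    events = [{"ts": at(seconds=2 * i), "user": "john", "action": "download",
               "object": f"crm/customers/{i}.pdf"} for i in range(BULK_DOWNLOAD_THRESHOLD)]
    events += [
        {"ts": at(minutes=3), "user": "john", "action": "email", "encrypted": False,
         "to": ["john.sales@personal-mail.example"], "body": "my book of business",
         "attachment_text": "Smith, 123-45-6789, 2019 F-150"},
        {"ts": at(minutes=4), "user": "maria", "action": "email", "encrypted": False,
         "to": ["pete@example-dealer.test"], "body": "the RouteOne password is Winter2023!"},
        {"ts": at(minutes=5), "user": "pete", "action": "login", "country": "RO"},
        {"ts": at(minutes=6), "user": "john", "action": "access", "role": "sales", "data_class": "credit"},
        # internal recipient: an SSN here should NOT trigger the unencrypted-NPI rule
        {"ts": at(minutes=7), "user": "maria", "action": "email", "encrypted": False,
         "to": ["pete@example-dealer.test"], "body": "deal 4417 SSN 123-45-6789"},
    ]
    events += [{"ts": at(minutes=8, seconds=i), "user": "temp", "action": "delete",
                "object": f"deals/{i}.pdf"} for i in range(MASS_DELETE_THRESHOLD)]
    return events


if __name__ == "__main__":
    for rule, user, detail in check_events(sample_events()):
        print(f"{rule:21} {user:6} {detail}")
```

Running the script prints one finding per rule: the bulk export by john, john’s unencrypted email with an SSN to a personal address, maria’s emailed password, pete’s sign-in from an unexpected country, john’s read of credit data outside the sales role, and temp’s burst of deletions. The internal email containing an SSN produces nothing, which is the point of checking the recipient domain and the encryption flag before raising an NPI alert. A real DLP adds content classifiers, document fingerprinting and blocking actions on top of rules like these, but the shape of the decision is the same.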

To illustrate a common dealer scenario, consider John, a salesperson at your dealership who is moving to a rival store. On his last day, he wants to take his clients with him, so he exports his customer list from the CRM or DMS and sends it to his personal email account. Without a DLP tool, this likely goes unnoticed until it is too late to do anything about it. With a properly configured DLP tool, both the bulk export and the outbound email to a personal address are detected as they happen, and appropriate action can be taken.

A Comprehensive Solution

Navigating the “unauthorized activity monitoring” mandate of the FTC Safeguards Rule can be daunting. Fortunately, ComplyAuto’s Advanced Device & Email Security package is tailored for this very challenge. Beyond its integrated endpoint detection and response (EDR) and multi-factor authentication, the third core feature of this product is its DLP tool. Operating around the clock in real time, it is tuned to the needs of the dealership environment. With the FTC Safeguards Rule as a guiding light, it is imperative for dealerships to equip themselves with the right tools to stay ahead of today’s digital data threats.

Device & Email Security

FEATURES:

The combined features create a layered defense that adapts to evolving cybersecurity threats and secures the organization’s digital ecosystem.

  • Continuous threat detection and response powered by Coro:
    • EDR (Endpoint Detection and Response)
    • MDR (Managed Detection and Response)
    • 24/7 Security Operations Center team
    • Rapid alerting and response to potential security breaches
  • Enhanced authentication and access control via Multi-Factor Authentication (MFA) powered by Duo Security™
  • Advanced email security against phishing, malware, spam, and scams; integrates with Google Workspace and Microsoft Office 365
  • Data governance and Data Loss Prevention (DLP) to detect and manage employee data-sharing practices
  • Device-level encryption for Windows and macOS
  • Blocking of public and unencrypted Wi-Fi
  • Next-gen antivirus
  • Automated password policy and session-locking enforcement