FTC Safeguards Rule: What You Need to Know


“Where do we even begin?” It’s a question being asked by auto dealerships across the country as they race to comply with the updated FTC Safeguards Rule released late last year. With the deadline less than two months away, dealers are sprinting to understand the specific steps they must take to be compliant.

Mike Pedrick, VP of Cybersecurity Consulting at Nuspire, and Tony Haux, CISO and Chief Compliance Officer at Accelerate2Compliance, recently hosted a webinar to help auto dealerships navigate the complexity of the rule. Read on to hear their tips.

Why the FTC Safeguards Rule Matters

“I always try to avoid focusing on fear, but I think it’s important to share some statistics to provide context for why the FTC Safeguards Rule is important,” Mike said.

According to Automotive News, car dealers are a prime target. Research found:

  • 153 viruses blocked per day
  • 84 malicious spam emails blocked per day
  • 212 instances of malicious activity through the firewall per month
  • 45 severe attacks per month
  • 6 suspicious files getting through the firewall per month

“The FTC Safeguards Rule has been around for 20 years, but it didn’t have the specificity needed to adequately address today’s cyber threats,” Tony said. “There are so many factors at play when dealing with customer data that it is valuable to have clear direction as to what is required and who is doing what.”

Questions you get asked by the FTC and HHS

At any point after the December 9, 2022 deadline, an investigator could be at your door asking a variety of questions to verify that you have complied with the requirements of the FTC Safeguards Rule.

“When they’re investigating a breach, they ask for your WISP (written information security program) and they want to see it,” Tony said. “They will ask you whether you regularly reviewed your information security and trained your employees appropriately. They’ll also want to know how you rated third-party providers who have access to customer data.”

Mike added that a written plan also reduces variability in how you are scored.

“Every time an auditor arrives on site, they evaluate the controls, systems and processes you have in place against your documented plan,” Mike said. “If you haven’t written anything, you lose predictability in terms of what to expect and what to improve.”

6 standards for creating a written information security program

The updated FTC Safeguards Rule requires auto dealerships to create a written information security program (WISP) that covers six specific focus areas.

1. Designate a single “Qualified Individual”

This standard is intended to provide a clear line of communication and accountability. The Qualified Individual need not be a cybersecurity or information security expert. Most importantly, this person must be able to work confidently and competently between cybersecurity professionals and business leadership.

2. Report regularly to the highest level of management

These reports should show which metrics you track, what you assess them against, and that you meet regularly to review compliance.

“The point of this report is to provide a history of engagement with the process,” Mike said. “Auditors like these reports because they can trust you to do your part to ensure compliance.”

Tony recommended that the report make clear what the organization’s goals are and provide regular updates on the process, including things like where you are in terms of conducting assessments, staff training, etc.

3. Have a written incident response plan available

This is a critical element of the security program because it specifically shows who is doing what and how you will respond when an incident occurs.

“A lot of the written IR plan is tactical because you don’t want to waste time deciding who’s doing what,” Mike said. “Every second you spend trying to figure out what to do is lost revenue. That’s why it’s important not only to have a written IR plan, but also to understand and rehearse it.”

“An IR plan can sometimes look like a business continuity plan because it’s not just about compliance, it’s also about good business sense,” added Tony.

4. Conduct penetration tests and vulnerability assessments

The Safeguards Rule gives dealers a choice: perform an annual penetration test plus vulnerability assessments at least every six months, or implement continuous monitoring of your systems, covering endpoints such as desktops, servers, laptops and tablets.

“There’s some controversy about this part of the rule, as many default to continuous monitoring because it’s not clearly defined and seems cheaper,” Mike said. “You have to be extremely thorough in monitoring because you might miss something that you could have found with a vulnerability scan or pen test.”

When it comes to penetration testing, Mike advises waiting until you’re sure you’ve covered the basics of protecting your environment before scheduling a test.

“A penetration test is about validating your efforts,” Mike said. “If you’re not ready, meaning you have gaps, a pentest is pretty much a blank check for the tester and can get expensive.”

5. Have a written policy for retaining and securely destroying customer data

“Every business needs to keep data like credit reports for a certain period of time, but often that time expires, which means you have more data that can be exposed to threats,” Tony said. “I’ve seen deal jackets lying around at a dealership for years – they contain data that could be compromised.”

Mike added that not all data destruction is created equal and not all data is actually destroyed, so it’s important that you do your homework.

6. Deploy user activity logging and monitoring

Logging is one of the most important ways to track and investigate suspicious activity.

“If we’re under attack or data has been leaked, the wrong answer is to come back and say you don’t know when it was accessed,” Mike said. “It’s critical to provide an audit trail to determine when an incident occurred.”
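As an added illustration of the audit-trail point above (example code written for this page, not code from the Nuspire post or the webinar): a small hash-chained access log in Python. Every read or export of a customer record is appended with the actor, time and source address; each entry also carries the hash of the entry before it, so a line that is later edited or deleted breaks the chain and the tampering is detectable. accesses_of answers the “who touched this record and when” question an investigator asks, and bulk_readers flags an account sweeping many records. The actors, record IDs, addresses and timestamps are constructed sample data, and the hash chain is a design choice added here, not something the rule prescribes.

```python
"""Hash-chained audit log for customer-record access.

Added example (not code from the Nuspire post or the webinar). The
actors, record IDs, IP addresses and timestamps below are constructed
sample data; the hash chain is a design choice added here to make
deleted or edited log lines detectable.
"""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous hash" of the very first entry


class AuditLog:
    """Append-only list of access events, each chained to the one before."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, record_id, source_ip, when=None):
        """Append one event and return its hash."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "ts": when.isoformat(),
            "actor": actor,
            "action": action,
            "record_id": record_id,
            "src": source_ip,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry):
        # Hash every field except the stored hash itself, in a fixed key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return -1 if the chain is intact, otherwise the index of the first
        entry whose content or link to its predecessor does not match."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def accesses_of(self, record_id):
        """Every event touching one customer record, oldest first: the
        'who accessed it and when' question asked after a breach."""
        return [e for e in self.entries if e["record_id"] == record_id]

    def bulk_readers(self, threshold):
        """Actors that read or exported at least `threshold` distinct
        records; a simple detection for someone sweeping deal jackets."""
        seen = defaultdict(set)
        for e in self.entries:
            if e["action"] in ("read", "export"):
                seen[e["actor"]].add(e["record_id"])
        return sorted(a for a, ids in seen.items() if len(ids) >= threshold)


def build_sample_log():
    """Constructed sample activity for the demonstration (not real data)."""
    log = AuditLog()
    base = datetime(2022, 11, 14, 9, 0, tzinfo=timezone.utc)
    events = [
        ("asmith", "read", "DJ-1001", "10.0.5.21"),
        ("asmith", "read", "DJ-1002", "10.0.5.21"),
        ("jdoe", "read", "DJ-1001", "10.0.7.40"),
        ("jdoe", "read", "DJ-1003", "10.0.7.40"),
        ("jdoe", "read", "DJ-1004", "10.0.7.40"),
        ("jdoe", "read", "DJ-1005", "10.0.7.40"),
        ("jdoe", "export", "DJ-1005", "10.0.7.40"),
    ]
    for i, (actor, action, rid, ip) in enumerate(events):
        log.record(actor, action, rid, ip, when=base + timedelta(minutes=i))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() == -1)
    for e in log.accesses_of("DJ-1001"):
        print(e["ts"], e["actor"], e["action"], e["src"])
    print("bulk readers:", log.bulk_readers(3))
    log.entries.pop(2)  # simulate someone deleting a log line
    print("first broken entry after tampering:", log.verify())
```

In practice the entries would be shipped to a log store separate from the DMS or CRM that generates them, so that an attacker with access to the application cannot also rewrite its history; the chain only makes tampering visible, it does not prevent it.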

Why is the FTC so strict with dealers?

It’s not just about compliance for its own sake. The FTC believes that with the Safeguards Rule it has given dealers the recipe book they need to protect consumer information to a consistent standard. Why does that matter?

Because a company that fully meets the requirements incurs additional costs. If a competitor doesn’t comply and is allowed to carry on as usual, it may be able to sell its cars cheaper because it didn’t incur those compliance costs. That is why the FTC treats non-compliance as an unfair trade practice.

Additional FTC Safeguards Rule Resources

We’ve put together a helpful list of FTC Safeguards Rule resources to help you navigate the process:

The post FTC Safeguards Rule: What You Need to Know appeared first on Nuspire.

*** This is a Nuspire Security Bloggers Network syndicated blog written by Team Nuspire. Read the original post at: https://www.nuspire.com/blog/ftc-safeguards-rule-what-you-need-to-know/