Phone: 630-495-2282 Fax: 630-495-2260 Map/Directions



FTC adds requirements to 2001's Safeguards Rule

November 12, 2021
The Federal Trade Commission has issued its long-awaited, final amendments to the FTC Safeguards Rule. The amended Rule, adopted by a 3-2 vote along party lines, contains a significant number of new and expanded procedural, technical, and personnel requirements that financial institutions, including dealers, must satisfy to meet their information security obligations. 
The new requirements include:
(a) developing and implementing specific components of an information security program, such as access controls, authentication, and encryption; and
(b) requiring actions related to the program’s accountability, such as hiring or retaining "qualified" personnel and conducting periodic reports to the financial institution’s governing body.
Since the amendments were proposed, The National Automobile Dealers Association’s regulatory affairs division presented to the FTC two sets of extensive written comments that challenged the need for and the practicality of many of proposed amendments and urged the FTC to conduct a cost-benefit analysis on each of them. The NADA’s comments included an independent, third-party cost study. 
Although the FTC made significant changes and provided important clarifications to the proposed amended rule in response to the NADA’s input, many of the amendments will require dealers to adopt new information security measures. While several of the new obligations may already be in place at many dealerships, others vastly expand what most dealers have developed and will require additional investments in software, technology, and potentially dealership personnel. The challenges involved in the satisfying the new obligations also could increase dealers’ liability exposure. 
Dealers, as well as their relevant technology vendors, must comply with the new requirements of the Rule within one year of its Nov. 5 publication in the Federal Register. Several of the new requirements do not apply to financial institutions that maintain customer information on fewer than 5,000 consumers.
The NADA is developing compliance guidance, and dealers are encouraged to reach out to their technology vendors as soon as is feasible to ensure they are taking the necessary steps to comply with the new requirements.