The Essential FTC Safeguards Rule Checklist for Auto Dealers

Margaret

February 16, 2026

The FTC Safeguards Rule is no longer an abstract compliance topic reserved for banks and large financial institutions. For auto dealers, it has become a concrete, enforceable obligation that directly affects daily operations, IT strategy, vendor relationships, and incident response readiness. Since dealerships routinely handle financing, leasing, and credit applications, they fall squarely within the scope of the Gramm-Leach-Bliley Act and its Standards for Safeguarding Customer Information.

If you run or manage a dealership, this is not just about avoiding penalties. It is about protecting customer trust, maintaining business continuity, and building a security posture that matches modern threat realities. Below you will find a structured, practical explanation of what the FTC Safeguards Rule requires, how it applies to auto dealers, and how to translate legal obligations into an actionable compliance checklist.

What is the FTC Safeguards Rule, and why does it apply to auto dealers?

The FTC Safeguards Rule is issued by the Federal Trade Commission under the Gramm-Leach-Bliley Act. Its purpose is simple in theory but demanding in practice: any financial institution under FTC jurisdiction must create, implement, and maintain a written information security program designed to protect customer information.

Auto dealers qualify as financial institutions because they engage in financial activities such as arranging vehicle financing and leasing, and in doing so they collect sensitive consumer data. This includes nonpublic personal information such as Social Security numbers, driver’s license details, credit reports, income data, and bank account information.

Since June 2023, compliance has been mandatory for dealerships, and enforcement is active. The rule is no longer principles-based guidance. It now contains explicit technical, administrative, and physical safeguards that must be demonstrably in place.

What counts as customer information under the Safeguards Rule?

Customer information, as defined by the rule, includes any record containing nonpublic personal information about a consumer, whether in paper, electronic, or other form. For auto dealers, this typically means:

  • credit applications,
  • finance and insurance records,
  • loan documentation,
  • copies of IDs,
  • employment and income verification,
  • payment-related data.

What matters from a compliance perspective is not only where this data is stored, but how it is accessed, transmitted, processed, and eventually disposed of. The Safeguards Rule explicitly focuses on preserving the confidentiality, integrity, and availability of customer information across its entire lifecycle.

Core requirement: a written information security program

At the heart of FTC Safeguards Rule compliance lies a written information security program. This is not a generic policy document copied from a template. It must be tailored to your dealership’s size, complexity, systems, and risk profile.

The rule requires the program to be formally documented, approved by management, and actively maintained. Importantly, it must be operational, not symbolic. Regulators expect evidence that the program is implemented, tested, reviewed, and updated as the business evolves.

A key structural element is the appointment of a qualified individual responsible for overseeing the program. This person does not have to be an internal employee, but they must have appropriate knowledge, authority, and accountability. Their role includes reporting to senior leadership at least annually on the state of data security and compliance.

Risk assessment as the foundation of compliance

The Safeguards Rule explicitly requires an initial and periodic written risk assessment. This is where many dealerships struggle, because risk assessment is not simply an IT scan. It is a structured process that identifies reasonably foreseeable internal and external threats to customer information.

The risk assessment must:

  • identify internal and external threats to customer information,
  • evaluate risks related to systems, people, and processes,
  • include network and system vulnerabilities,
  • define criteria for assessing risk severity,
  • be performed initially and periodically,
  • directly inform the selection of safeguards.

The risk assessment must define criteria for evaluating and categorizing risks and explain how identified risks inform the selection of safeguards. In other words, your controls must clearly map back to the risks you identified.

Technical safeguards you must implement

The updated FTC Safeguards Rule introduced explicit technical requirements that remove ambiguity. Dealers must implement multi-factor authentication for any individual accessing customer information systems, unless the qualified individual documents a legitimate compensating control.

Encryption is another non-negotiable requirement. Customer data must be encrypted both in transit and at rest, unless infeasible, in which case alternative controls must be documented and justified. This applies not only to servers but also to laptops, backups, and cloud storage.

In addition, dealerships must implement continuous monitoring or conduct annual penetration testing and vulnerability assessments. The goal is not perfection but visibility. Regulators expect evidence that weaknesses are identified and addressed in a timely manner.

Secure development practices are also required if the dealership develops or customizes software that processes customer data. Even minor integrations or scripts must follow basic security principles.

Administrative and operational safeguards

Technology alone does not satisfy the rule. Administrative safeguards are equally critical. This includes security awareness training for employees who handle customer information. Training must be regular, relevant, and documented, focusing on real-world threats such as phishing, social engineering, and improper data handling.

Another major obligation concerns service provider oversight. Auto dealers rely heavily on third-party vendors, from DMS providers to IT support firms and F&I platforms. The Safeguards Rule requires dealerships to select service providers capable of maintaining appropriate safeguards, contractually require them to do so, and periodically assess their compliance.

Incident response planning is also mandatory. Dealers must maintain a written incident response plan that defines roles, escalation paths, and communication procedures in the event of unauthorized access or misuse of customer information.

Breach notification and regulatory exposure

One of the most concrete and often overlooked obligations is breach notification. If a security breach affects 500 or more consumers, the dealership must notify the FTC within 30 days of discovery. This is separate from any state-level breach notification laws and adds a federal reporting obligation.

Failure to comply with the Safeguards Rule can result in enforcement actions, consent decrees, reputational damage, and significant remediation costs. Compliance is therefore not just a legal checkbox, but a form of risk management.

FTC Safeguards Rule compliance checklist for auto dealers

To translate requirements into practice, a structured checklist helps align legal expectations with operational reality. A compliant dealership should be able to demonstrate the following:

  • A formally documented information security program approved by management
  • A designated qualified individual with authority and reporting responsibilities
  • Written risk assessments conducted initially and periodically
  • Implemented safeguards aligned with identified risks
  • Multi-factor authentication and encryption in place for customer data
  • Ongoing monitoring, penetration testing, or vulnerability assessments
  • Documented employee security training
  • Service provider contracts and oversight procedures
  • A tested incident response plan and breach notification process
  • Periodic program reviews reflecting business and technology changes

Each of these elements must be supported by evidence, not just intent.

Final perspective: compliance as a security baseline, not a ceiling

The FTC Safeguards Rule sets a minimum standard, not an ideal state. For auto dealers, treating compliance as a living security program rather than a one-time project pays dividends. It reduces the likelihood of costly breaches, strengthens vendor relationships, and builds trust with customers who increasingly expect their financial data to be protected.

Dealerships that approach the rule strategically often discover that many safeguards also improve operational resilience and efficiency. In that sense, compliance is not just about satisfying regulators. It is about running a modern dealership in a high-risk digital environment with confidence and control.
