FTC Safeguards Regulations for Automotive Dealers

Helping Protect YOUR Brand

If you type “key elements of a brand” into a search engine, the first page of results will have a dozen different answers. One trait that rarely shows up is “security,” but it probably should be among the top results for marketers who consider their brand to be an integral asset to their company.

The hard reality is that, as marketers, we find ourselves at a unique inflection point. There is an increased demand for data, an increase in cybercrime, and privacy concerns, which come together to challenge companies—and their brands—like never before.

The transition to digital has improved our ability to collect and process data and empowers us to provide a better experience for our customers, employees and partners. But as the CMO of a company that offers a password-management app, I’ve found that it has also created new vulnerabilities that can significantly impact the “brand trust” we have worked so hard to create.

Security: Not Just for Big Brands

High-profile data breaches experienced by Microsoft(paywall) and Facebook in 2021 may get the majority of the news coverage, but small- to medium-sized (SMB) businesses may also be targets for cybercriminals for two key reasons:

Cybercriminals tend to look for the path of least resistance. 

SMBs often lack the in-house expertise or ability to find and contract with external security consultants to muster a proper defense. We recently published “The Future of Work,” a report that looks at how small and medium-sized businesses (SMBs) in the private and public sectors view cybersecurity and password management as they embrace the future of work. According to our findings—based on a 2022 survey of 604 employees and managers and 305 IT decision-makers, 83% of SMBs realize that stakes are high in the digital era and are taking steps toward better cyber preparedness.

SMBs may be ideal targets for so-called “supply chain attacks.” 

The increase in data sharing and interconnected systems among business partners, vendors and suppliers provides an ideal staging area for an attack on a larger target. Cybercriminals may find that enterprises are more vulnerable to an attack originating from a trusted source rather than a random phishing attack. In the EU, ENISA estimates that 62% of successful supply chain cyberattacks (download required) between January 2020 and early July 2021 involved exploiting customer trust in a supplier.

An estimate from IBM places the average monetary cost of a data breach in a company with fewer than 500 employees at $2.64 million. That is costly. But what I believe can be even more costly is the breakdown in trust between the SMB and its customers, vendors or employees. It’s the hit to the brand’s reputation that may be the death knell for companies that experience a data breach.

Communicating Trust to Customers

There is little doubt that the shift to remote and hybrid work has led to heightened awareness of security and privacy concerns. I’ve seen businesses and consumers alike scrutinizing the efforts and abilities of the brands they trust to keep their personal information and intellectual assets safe.

While this low level of trust may seem concerning, smart marketers and communications professionals recognize the opportunity this creates for brands that can demonstrate a tangible commitment to data security and privacy. Brands in industries with historically poor reputations for data security and cybercrime (like tech, government or e-commerce) could promote a commitment to privacy and security as a differentiating factor that appeals to customers and partners who have felt burned in the past.

Many brands have made their commitment to security a hallmark of their brand, both externally and when they communicate internally. Apple has proactively shared its approach to data privacy; Slack is widely known for promoting its SMB security practices and standards; and upstart search engine DuckDuckGo has ridden a strong data security and privacy stance right into steady market share growth in the U.S.

When it comes to maintaining (and growing) trust in our brands, I cannot overstate how important it is that we create and disseminate the message that security is a priority.

Creating A Culture of Security

Communications professionals can help create a culture of security within their organizations. Human error is the root cause of 23% of data breaches, according to IBM’s 2020 “Cost of a Data Breach” report. Whether it’s sending a sensitive document to the wrong person, failing to use a strong or original password, or simply losing a thumb drive or laptop, the common denominator in many cyberattacks is people.

Creating a culture of security means equipping employees with both the knowledge and tools required to become active participants in ongoing security conversations within the organization. Communicators should approach in-house cybersecurity awareness efforts with the same thoughtfulness, creativity and expertise that they would bring to a new product launch. And that makes sense when you consider the value of trust in your brand to the future of your business.

Making Security a Key Element of Your Brand

Data security is no longer just an “IT problem.” As marketing and communications professionals, we need to understand the potential impact—both positive and negative—that our commitment to cybersecurity has on our brand.

This is a reality for both consumer and B2B brands in a connected and data-driven marketplace. Internally, our commitment to security impacts every department, employee and partner who collects or has access to sensitive or private data. To the outside world, security can play a significant role in helping to achieve customer satisfaction by infusing trust (and eventually loyalty) into every interaction they have with your brand.

Federal Trade Commission Safeguards Rule

As you have hopefully heard by now, the Federal Trade Commission (FTC) recently issued complicated new amendments to its Safeguards Rule, which require dealers to undertake a series of procedural, technical, and contractual steps to protect consumer and other personal data. The amended Rule’s requirements must all be completed by December 9, 2022. There is quite a lot that dealers must do between now and December, and the time for dealers to act is now in order to ensure compliance by the deadline.

Contact us for more information

The FTC recently issued a guidance publication, FTC Safeguards Rule: What Your Business Needs to Know, that provides some further insight into the requirements. There, the FTC summarizes the requirements as follows:

a.  Designate a Qualified Individual to implement and supervise your information security program.

b. Conduct a risk assessment.

c. Design and implement safeguards to control the risks identified. Including:

    1. Implement and periodically review access controls. 
    2. Know what you have and where you have it. 
    3. Encrypt customer information on your system and when it’s in transit. 
    4. Assess your apps.
    5. Implement multi-factor authentication for anyone accessing customer information on your system. 
    6. Dispose of customer information securely. 
    7. Anticipate and evaluate changes to your information system or network. 
    8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
    9. Regularly monitor and test the effectiveness of your safeguards.


d. Train your staff.

e. Monitor your service providers.

f.  Keep your information security program current.

g.  Create a written incident response plan.

h.  Require your Qualified Individual to report to your Board of Directors.

Dealers should review the FTC publication for more details. The compliance requirements are also spelled out in detail in NADA’s Driven Guide to the Amended Safeguards Rule, which contains step-by-step guidance on how to comply with the Rule, as well as downloadable templates and other critical information to aid dealer compliance. NADA also has a series of webinars, workshops, and more to help dealers with these complex new requirements. Members can access these resources at nada.org/nada/issues/data-and-privacy.

We know that dealers have an extensive list of compliance issues to deal with, but this is a critical issue and a critical deadline – if you have not focused on this new Rule, jump in today!

DHI is offering to help

your dealership navigate the FTC requirements by proving a comprehensive security assessment and remediation program. Below you will find a summary of our Managed Security Services based on the needs of your dealership.

Tier One

$2500 Per Month

This gets an initial assessment and report (identify gaps for regulation adherence)

Remote assessment. In-person available at additional fee / travel expenses

They can pay it up front of $15,000 or monthly $2,500/month

With monthly: 

  • This also gives them a named qualified person to meet requirements
  • Engage with vendors and answer vendor questionnaires (up to 2 per month)
  • Monthly hours with vCISO up to 2 hours

Tier Two

$5000 per Month

  • Tier One plus
  • Creation of documentation and maintenance
  • Will include annual security awareness training delivered 2 times per year 
  • Conduct monthly external vulnerability assessments 
  • Engage with vendors and answer vendor questionnaires (up to 4 per month)
  • Monthly hours with vCISO up to 5 hours

Tier Three

$7500 Per Month


  • Tiers Two & Three plus 
  • Coordinate implementation of control or safeguard gap solutions 
  • Engage with vendors and answer vendor questionnaires (up to 4 per month)
  • Monthly hours with vCISO up to 10 hours