The Federal Trade Commission's updated Safeguards Rule took effect last month. Dealerships and other financial institutions will need to comply with its major provisions by Dec. 9. The new rule addresses topics similar to the old version, but it removes some of the ambiguity of the original.

Under the amended Safeguards Rule, which is mandated by Congress under the Gramm-Leach-Bliley Act, dealerships will be expected to:

• Appoint a "qualified individual" to oversee, implement and enforce the information security program and submit an annual written report to the board of directors or governing body.
• Prepare a written risk assessment that can be used to evaluate and identify security risks periodically.
• Encrypt all customer information, both at rest and in transit over external networks.*
• Require multifactor authentication "whenever any individual — employee, customer or otherwise — accesses an information system."*
• Implement policies and procedures for monitoring and logging the activity of authorized users and detecting unauthorized access to, use of or tampering with customer data by those users.
• Perform annual penetration tests and biannual vulnerability assessments.
• Ensure personnel are able to enact the information security program by providing security awareness training and other training programs that are updated as necessary.
• Oversee and monitor service providers, and assess those providers after onboarding.
• Adopt a written incident response plan.

For more information visit this article on Automotive News: https://www.autonews.com/finance-insurance/dealerships-other-financial-institutions-must-reach-full-compliance-ftc.