The Federal Trade Commission has amended its Safeguards Rule, which requires non-banking financial institutions including dealerships to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe.

 

Under the current Safeguards Rule, one or more individuals could be designated to oversee and implement the information security program. Under the Rule change, a single "Qualified Individual" must be responsible for overseeing and implementing the information security program.

 

The new requirements are effective Dec. 9, 2022, but they are not policies and procedures that can be implemented overnight. See this link for details of the FTC amendments.

 

The revised Safeguards Rule has been years in the making. When the FTC sought comment in 2019 on its proposed Rule changes, Andrew Smith, then-director of the FTC’s Bureau of Consumer Protection, said the changes would better protect consumers and provide more certainty for business.

 

Smith said, "While our original groundbreaking Safeguards Rule from 2003 has served consumers well, the proposed changes are informed by the FTC’s almost 20 years of enforcement experience. It also shows that, where we have rulemaking authority, we will exercise it as necessary to keep up with marketplace trends and respond to technological developments."

 

The new Rule also updates the employee security training requirement. Security awareness training must be updated to reflect risks identified in a risk assessment. Also, ongoing training for security personnel is required. That includes verification that security personnel are taking steps to stay current on emerging threats and countermeasures.