Nearly every dealership should be aware by this point that the Federal Trade Commission (FTC) recently revised the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. This is the first update to the Rule in twenty years, and the new requirements are scheduled to go into effect on December 9, 2022. Alongside the revised Rule, the FTC issued a 145-page publication containing comments and clarifications on certain aspects of the new requirements. Dealers have also been inundated with seminars, webinars, articles, and sales pitches from a variety of sources interpreting the regulation. Regrettably, a fair amount of misinformation has arrived with all of that information. Let's begin by dispelling some of the most widespread rumors and false beliefs about the rewritten Safeguards Rule.
Myth number one:
“Dealers don't need to conduct penetration testing or vulnerability scanning because they already use a reputable EDR, MDR, or SIEM tool that performs threat-detection monitoring around the clock.”
Many IT companies and Managed Service Providers (MSPs) have gotten into the habit of loosely using the term "continuous monitoring" to describe their EDR, MDR, and SIEM tools. The reason is that the Rule creates an exception to annual penetration testing and semiannual (every six months) vulnerability assessments for dealers that perform "continuous monitoring." Our team is of the opinion that many of these tools do not meet the "continuous monitoring" criteria as the FTC defines them. That is not to say such tools are not helpful; they are quite valuable, and we strongly urge you to use them. It is doubtful, however, that they will absolve you of the required penetration tests and vulnerability assessments. Under the Rule, "continuous monitoring" refers to a system that carries out all of the following activities in real time and on an ongoing basis:
- Monitoring for threats;
- Detecting misconfigured systems; and
- Assessing systems for vulnerabilities.
While most security tools perform the first task (monitoring for threats), the vast majority do not perform tasks two and three (real-time, ongoing configuration scanning and vulnerability assessment). There are products on the market that offer packages capable of real-time continuous monitoring (for example, Splunk, Datadog, and Qualys, to name a few), but the costs are rather high. During a workshop hosted by the FTC, it was mentioned that the kind of continuous monitoring described in the Safeguards Rule could cost a small to medium-sized business somewhere in the neighborhood of $600,000 per year. The FTC goes so far as to suggest that you would need a team of experienced professionals dedicated to monitoring the logs and activity generated by the system 24/7/365. In fact, that high cost is exactly why the FTC allows organizations to conduct an annual penetration test and a semiannual vulnerability assessment, carried out at regular intervals, as an alternative to continuous monitoring. In a nutshell, most dealers will not perform "continuous monitoring" as the Rule defines it, and as a result they will be required to carry out an annual penetration test and a vulnerability assessment at least every six months.
Myth number two:
“Dealers are required to employ a Chief Information Security Officer (CISO) or equivalent on a full-time basis…”
The proposed version of the Rule gave some consideration to mandating the appointment of a Chief Information Security Officer (CISO) to oversee your information security program. That requirement was ultimately scrapped in favor of requiring the designation of a single "qualified individual" at the dealership. The Safeguards Rule does not stipulate any particular education, experience, or certification for this person. According to the FTC, dealers may designate any competent employee who is suitable for their company given the scale and complexity of their operations. The requirement to designate a single coordinator is intended to enhance accountability, minimize lapses in the management of data security, and improve communication. Note that although the "qualified individual" has ultimate responsibility for overseeing and managing the information security program, dealers may still delegate particular duties, decisions, and responsibilities to other staff members. In addition, the Safeguards Rule does not require that this role be the individual's exclusive responsibility; the person may have other duties as well.
Myth number three:
“Dealers who store all of their customer information in the cloud (for example, in their DMS and CRM) are exempt from the new requirements and do not need to be concerned about them, since the information security of the system is the vendor's responsibility.”
In fact, the reverse is true. Not only is it naive to believe that all of your customers' nonpublic personal information (NPI) lives in the cloud (consider every time a sales or finance person downloads a bank "stip" from their email onto their PC), but the Rule specifically makes it the dealer's responsibility to verify the security of its service providers. For instance, dealers are required to (1) contractually require their service providers to implement and maintain reasonable safeguards and (2) periodically assess their service providers based on the risk they present and the continued adequacy of their safeguards. This is because dealers are responsible for ensuring that their customers' financial information is protected. In any case, dealers remain responsible for their own network security and for implementing the new Rule's requirements (such as encryption, multi-factor authentication, penetration testing, and so on), regardless of how involved their service providers are.
If you’re not entirely sure where to go from here, we can assist in keeping you compliant and your data up to par with the current regulations and the rule changes we’ll see implemented over the coming months.
From the outset, Drivonic has led the way in compliance and technology. We’re trusted by over 1,000 dealers and clients, and our results speak for themselves. As our CEO and Founder, Matt Mead, likes to say, “We’re the backend backbone.” All client data lives in our Zero-Knowledge Data Repository, which ensures that data is encrypted, secure, and compliant with state and federal laws. Our clients come to us knowing that we provide the tools necessary for mission success. Take us for a spin and know that your dealership or agency will be moving forward on the right track. If you have any questions, make sure to reach out! We’re always happy to help!
Questions about how to make sure you're compliant with the FTC GLBA Rule changes, and how they could affect you? Reach out to us below! Also, make sure to subscribe to our newsletter!