I look at Safeguards Rule compliance from a particular perspective. Let me explain. Boniface Bernhardt Günther was born in 1866 in Baden-Baden, Grand Duchy of Baden (the German states wouldn’t coalesce into a single country until 1872). He studied the building trades in Bern, Switzerland, returning to his hometown in 1888, where he became subject to conscription into the army of the nascent German Empire.
At that time, the German Army could keep draftees until they were 50 years old. This did not appeal to young Bernhardt, so he fled the country and never returned to his homeland until he was fifty – just in case. Like many German draft dodgers of his day, he wound up in Wisconsin. But instead of settling in Milwaukee, he stayed on the north-bound train for another 90 miles. When he got off the train, it was at a town named Oshkosh. The Fraulein waiting for him was named Anna.
Like so many fugitives, Boniface changed his name. He changed Anna’s name, too, when she married him and became Mrs. Ben B. Ganther and my great-grandmother. In 1900 – the year my grandfather was born – Ben founded a construction company bearing his anglicized name. My grandfather eventually ran it, then my father. Today, 123 years later, my big brother (named Ben, of course) runs it.
I guess you could say building is in my blood.
The Ganther Company is a general contractor. Rare is the building firm that can perform all of the varied trades necessary to erect a modern building. You need sitework, foundations, utilities, carpentry, concrete forming and finishing, electrical, HVAC, plumbing, painting, structural steel, roofing, and the list goes on.
The Safeguards Rule is like that: there are many necessary elements to compliance, and it is unlikely that any one company does all those functions with its own forces. Safeguards compliance requires policy drafting, vulnerability assessments, overall risk assessments, a written information security program, end-point detection and response, and the list goes on.
What is needed is a general contractor – an entity that can perform some of the functions with its own forces, and engage subcontractors to perform the services it does not. Part of the general contractor role is to negotiate those subcontractor’s prices and manage the overall project. Done right, the client accepts one bid, signs one contract, gets one monthly invoice, cuts one monthly check and lets the general contractor worry about the details.
Using that analogy, let’s examine the trades necessary to build a Safeguards Rule compliance program.
The first essential element of a building project is a set of plans. A roll of construction blueprints shows every layer of the necessary work. Want to know where the lighting fixtures go? Go to the reflected ceiling plan page. Wastewater pipes? See the plumbing page. It’s all there, logically laid out for a skilled contractor to follow.
Fortunately, your Safeguards project already has a blueprint, should you choose to use it. NADA’s Dealer Guide to the FTC Safeguards Rule acts like such a blueprint. It is detailed, thorough, and discusses all of the necessary elements. Let’s review its structure – you’re going to be following its guidance soon enough.
Designate a Qualified Individual
Notice that the Rule requires a Qualified Individual, not individuals. There must be one person in the dealership, or dealership group, whose name is on the blame line. The buck needs to stop somewhere.
What qualifies a person to be the Qualified Individual, or QI? The primary qualification is the ability to oversee the organization’s Information Security Program. The QI does not need to be a computer science major or IT professional. You don’t need to know how to conduct a network vulnerability assessment to ensure that one has occurred.
In fact, many of the necessary tasks can be performed by dealership employees or outside vendors, such as Managed Service Providers. But the ultimate responsibility cannot be outsourced – it has to remain within the dealership or group in the person of the QI. That person needs to report to senior dealership management or the board of directors if such a board exists. It is a significant role and needs to be treated as such.
Conduct a Risk Assessment
Once a QI has been designated, that person’s first task should be to conduct a risk assessment (it will be one of many). A risk assessment is an evaluation of the internal and external risks to the security and integrity of data on a network. The Rule refers to the security of customer data, but in the real world businesses protect their entire network, not just the slices that might hold customer data. Dealers need to protect their own data, too.
Risk assessments can involve software-driven questionnaires that walk you through common potential risks, and can be supported by vulnerability scans. Note that vulnerability scans are not the same as risk assessments, though they be part of the risk assessment process. Vulnerability scans should be conducted at least quarterly (some solutions can run vulnerability assessments continuously); risk assessments need to be conducted “regularly,” which should mean at least annually. If certain events occur (switching DMS providers, for example), a new risk assessment should be conducted before the anniversary rolls around.
The Rule requires dealers to inventory their networks. Even though that system inventory is itself a mandatory safeguard (discussed below), the logical time to perform this particular task would be during the risk assessment process.
The risk assessment must be recorded in writing. That written document should evaluate and categorize identified risks, and assess the sufficiency of any safeguards already in place. It should also designate additional safeguards to implement that would address any unmitigated risks the assessment uncovered.
The risk assessment should tell you what needs to be done. Implementing safeguards is the doing. Some safeguards are mandatory:
- Access controls. Access to customer data must only be permitted to authorized users. Examples of access controls include password protection for electronic databases and locked doors securing physical files.
- System inventory. This should already have been performed as part of the risk assessment process. It is broader than you might think, and requires the dealership to consider all locations of customer data, not just the DMS and CRM environments. Websites, appointment scheduling software, personal computers and cell phones of dealership employees may all contain customer data and should be included in the system inventory.
- Encryption. Customer data needs to be encrypted, both in transit and at rest. Fortunately, many software applications have system settings that can be configured to accomplish this at no cost. Review of the systems inventory should shed some light on where the data resides that requires encryption.
- Secure development practices. This requirement reminds me that the Safeguards Rule was not written with the average dealership in mind. That’s because the average dealership does not develop its own software. But some do, and even those that do not need to ensure that the sources of the software they use that involves the transmission, processing and storage of customer data was developed using secure practices.
- Multi-factor authentication. This is a big one. The factors include knowledge (such as knowing a password), possession (such as a one-time code sent to your smart phone), and inherence (such as a fingerprint, facial or retina scan). Access to customer data requires use of more than one type of factor, say a knowledge factor (password) and an inherence factor (fingerprint). Two knowledge factors won’t do.
- Disposal procedures. When you no longer need customer data, it must be disposed of in a secure manner. Paper records should be shredded; electronic records deleted. Used computers that contain customer data must be scrubbed. And data must be kept no longer than necessary. The Rule would like to see customer data disposed of within two years, but recognizes that it may be retained for longer if required by law or there are legitimate business reasons to do so. This is a good topic to discuss with your local counsel.
- Change management procedures. Changes to a dealership’s IT infrastructure can introduce new risks. Those risks need to be recognized and addressed. Change management procedures are how that’s done. NADA included a sample Change Management Policy in its Dealer Guide to the FTC Safeguards Rule.
- Monitoring and logging of authorized user activity. All system use must be logged; that is, authorized users’ activity must be recorded and unauthorized use must be detected. The Rule doesn’t specify how dealerships must accomplish this requirement, but one way is to engage a Security Operations Center (“SOC”) to handle the task. Machine learning over time can allow the SOC to distinguish authorized from unauthorized behavior. For example, the SOC my company employs sent an alert when someone logged into our network at 11:00 p.m., long after normal business hours. Turns out it was our COO doing some late night work, but now our SOC recognizes that off-hours access from his home computer is “authorized.”
Regularly Test Program Effectiveness
You cannot expect what you cannot inspect, so regular testing and evaluation of your Information Security Program is a must. Of all the safeguards the Rule mandates, this one may do the most to actually protect customer data – if it’s done right. This requirement can be satisfied by employing either continuous monitoring (often called “EDR” – endpoint detection and response) or semi-annual vulnerability assessments and an annual penetration test.
Implement Policies and Procedures for Personnel to Implement your ISP
The greatest threat to customer data security is located between the monitor and the chair – in other words, your own employees. Therefore, all your employees must receive security awareness training. This can include basic Safeguards training, as well as phishing simulations and testing. Such training should occur at initial hiring and repeated at least annually thereafter.
In addition to this standard employee training, your QI and IT personnel (including appropriate service providers) need ongoing training to remain current on evolving threats and security developments. Because the occurrence and effectiveness of this training must be verified, archived testing should be a part of the process.
Oversee Service Providers
There are four subparts to this requirement. First, you must take reasonable steps to select service providers that are capable of adequately protecting customer data. Second, you must obligate your service providers by written contract to implement the safeguards necessary to protect customer data. Third, you must “periodically assess” your service providers with respect to this obligation. Fourth – and this is new – you must monitor your service providers on an ongoing basis to verify they are maintaining adequate safeguards. This does not mean “continuous” oversight, but it must be regular. This last obligation is potentially overwhelming. Fortunately, there is software that can accomplish the task relatively inexpensively. Whether you must actually audit service provider compliance is not yet clear.
Draft Incident Response Plan
What do you do in the aftermath of a “security event” – anything that results in unauthorized access to or misuse of an IT system and its contents? The answer to that question must be set forth in a written Incident Response Plan, and it must be accomplished before the security event occurs (and certainly before December 9, 2022). Again, NADA has a sample Incident Response Plan in its Guide. It’s an excellent starting point.
Draft Annual Report
As if the foregoing is not enough, there remains one more annual task: the written annual report. The QI must prepare this for the dealership’s board of directors (if there is one) or senior management (if there isn’t). The annual report should memorialize the effectiveness of the Information Security Program, any security events and the dealership’s response, the status of service provider performance, the status of service provider agreements, the results of any testing, and any recommended changes to improve the Program.
That’s a lot, and that’s just the blueprint. But blueprints aren’t completed projects – they’re just the instructions. Once you understand the blueprint, you understand the scope of the project. Now you just need to put it out to bid!
James S. Ganther, Esq. is the founder of Mosaic Compliance Services.
Originally posted on F&I and Showroom