The new FTC MFA requirement: Here’s what auto dealers need to know

After the FTC’s latest update to the Gramm-Leach-Billey Act (GLBA), any organization, including auto dealerships, that processes and stores customers’ personal financial data must meet several compliance requirements as of June 9, 2023. A key part of those requirements: a data security program with identity and access management support, including MFA.

The new FTC MFA requirements put a heavy burden on U.S. auto dealership executives and IT teams. According to a recent dealer-focused webinar poll, 36% of respondents said they’re just getting started with their compliance plans, and only 25% were close to done.

Is your auto dealership ready? Here’s everything you need to know to comply with the FTC MFA mandate.

Who does the FTC Safeguards Rule apply to?

The FTC guidelines state that the Safeguards Rule applies to any financial institution. However, the FTC’s classification of a financial institution is surprisingly broad, including organizations that engage even incidentally in financial activities.

Basically, if your organization maintains and stores customer financial data for Americans, you need to comply with at least some elements of the Safeguards Rule. In some cases, even international organizations with American customers must demonstrate compliance.

Beyond the obvious financial institutions like banks and credit unions, the FTC considers organizations like these as financial institutions:

• Retailers that issue store credit cards

• Car dealerships that lease vehicles

• Property and real estate appraisers

• Career counselors that support individuals working in finance

• Collections agencies

• Credit counselors, financial advisors, and investment bankers

• Businesses that consistently wire money to, from, or for consumers

• Accountants and tax preparers

• Check cashing services

• Travel agencies that work with financial service organizations to provide financing

• Mortgage brokers and lenders

• “Finder” companies that connect buyers with sellers for any transaction

• Educational institutions that accept financial aid funds

Regardless of organization size or number of customer data records, every organization that manages consumer financial data is required to implement MFA capabilities as of June 9, 2023.

What auto dealerships need to know about the revised FTC Safeguards Rule

The revised FTC Safeguards Rule put an emphasis on data protection and robust security measures. To comply, auto dealerships must strengthen access controls and implement MFA on accounts with access to customer financial data.

If your car dealership is still navigating what you need to put in place to get FTC compliant, you’re not alone. That said, the FTC can enforce steep fines of up to $100,000 per violation now that the June 9^th deadline has passed, so it’s critical to put in place your compliance plan now.

Compliance requirements in the latest FTC Safeguards Rule update

The spirit of the Safeguards Rule is to help organizations address the root causes of risk within complex IT systems. To accomplish that, your car dealership’s IT and data security strategy must embody three objectives:

1. Securing customers’ nonpublic, personally identifiable information (PII)

2. Designing and implementing security controls to prevent and mitigate cyber threats

3. Limiting and monitoring access to systems that store PII

With these objectives in mind, the Safeguards Rule contains multiple components organizations must include in their information security program to comply with GLBA.

Assign a qualified individual to manage your security program

First, every organization needs an experienced cybersecurity professional who “owns” its security program. This person can be in-house or outsourced. Broadly-speaking, this person is responsible for implementing, maintaining, and championing the security program. A primary part of their job is providing at least one annual report to a Board of Directors or senior leadership that assesses compliance success and risks within the security program.

Assess risks within your organization

Next, organizations must conduct a comprehensive risk assessment before they create their information security program. This formal written assessment will detail all potential internal or external risks and threats to consumer data, as well as the criteria used to assess those risks.

Over time, risks and threats will change. So, under the Safeguards Rule, organizations need to periodically reassess their security posture. The goal is to continuously amend your security program, controls, and incident response plan to mitigate threats.

Develop and implement security controls

Furthermore, putting solid security controls in place helps organizations reduce the likelihood of a data compromise. The Safeguards Rule requires organizations to have controls that support multiple security functions, including:

• Data management and storage, where organizations need a detailed inventory of data collected, stored, and transmitted across the entire IT infrastructure

• Access management, where organizations define which users are authorized to access which resources and maintain an ongoing activity log to monitor access behavior

• Data encryption, where organizations maintain confidentiality for data at rest and in transit

• Data retention and disposal, where organizations design policies and timelines to securely store and automatically destroy customer data

• Third-party application management, where organizations regularly evaluate what information they’re sharing with vendors and whether it’s necessary to share that data

• Identity verification, where organizations maintain granular MFA capabilities to validate user identities and verify access to organization resources using at least two authentication factors

Monitor and test controls

Naturally, controls are only useful if they successfully mitigate threats. With today’s rapidly evolving threat environment, organizations need to continuously stress test and fine-tune their controls to keep their organization secure and compliant.

Alongside continuous monitoring, you should introduce regular vulnerability scanning and penetration testing to confirm that your controls are effective.

Create an incident response strategy

Now, compliance with the Safeguards Rule means your auto dealership needs to maintain a written plan detailing how you will respond to and recover from a security incident. This document must address:

• The goals of your response plan

• Defined roles, responsibilities, and a chain of command for decision-making

• Internal processes to activate during an incident, including processes around how to address security gaps and how to communicate or share information with stakeholders

• Procedures dictating how to document and report security incidents

• Updates following each security incident, including a post-mortem assessment of each incident and the organization’s response

Train and monitor staff and vendors

Moreover, everyone who handles your organization’s sensitive data must be adequately trained to recognize risks, mitigate the impacts of security incidents, and respond appropriately. To that end, regular training helps keep both internal teams and external vendors aware of risks and prepared to respond to emergencies.

For example, monitoring behavior and consistently assessing the ability to prevent or mitigate risk can also help teams see where additional training is needed.

How to meet the new FTC MFA requirement

For most auto dealerships, the biggest change to the Safeguards Rule is the new mandate to implement MFA. This amendment demonstrates how zero trust architecture — which follows the guiding principle of “never trust, always verify” — is becoming essential for effective data security.

Unauthorized access to sensitive data — whether through stolen credentials, insider threats, or other security gaps — poses a significant threat to customer PII. Enacting and enforcing the principle of least privilege is one step in limiting access to sensitive data. But now, organizations must go a step further. By introducing MFA, companies can verify and validate user identities for every user and every access attempt, ensuring that only authorized users can access certain systems.

Naturally, how organizations set up their MFA solution makes a big difference when it comes to mitigating risk. The FTC suggests leveraging phishing-resistant MFA methods to maximize security. For example, risk-based contextual controls, authentication apps, and hardware keys are often more secure than SMS codes or push notifications.