The new FTC MFA requirement: Here’s what auto dealers need to know
The FTC's multi-factor authentication (MFA) requirement impacts auto dealers. Here's what auto dealerships need to know.
Published September 5, 2023
After the FTC’s latest update to the Gramm-Leach-Bliley Act (GLBA), any organization, including auto dealerships, that processes and stores customers’ personal financial data must meet several compliance requirements as of June 9, 2023. A key part of those requirements: a data security program with identity and access management support, including MFA.
The new FTC MFA requirements put a heavy burden on U.S. auto dealership executives and IT teams. According to a recent dealer-focused webinar poll, 36% of respondents said they’re just getting started with their compliance plans, and only 25% were close to done.
Is your auto dealership ready? Here’s everything you need to know to comply with the FTC MFA mandate.
The FTC guidelines state that the Safeguards Rule applies to any financial institution. However, the FTC’s classification of a financial institution is surprisingly broad, including organizations that engage even incidentally in financial activities.
Basically, if your organization maintains and stores customer financial data for Americans, you need to comply with at least some elements of the Safeguards Rule. In some cases, even international organizations with American customers must demonstrate compliance.
Beyond the obvious financial institutions like banks and credit unions, the FTC considers organizations like these as financial institutions:
Retailers that issue store credit cards
Car dealerships that lease vehicles
Property and real estate appraisers
Career counselors that support individuals working in finance
Collections agencies
Credit counselors, financial advisors, and investment bankers
Businesses that consistently wire money to, from, or for consumers
Accountants and tax preparers
Check cashing services
Travel agencies that work with financial service organizations to provide financing
Mortgage brokers and lenders
“Finder” companies that connect buyers with sellers for any transaction
Educational institutions that accept financial aid funds
Regardless of organization size or number of customer data records, every organization that manages consumer financial data is required to implement MFA capabilities as of June 9, 2023.
The revised FTC Safeguards Rule puts an emphasis on data protection and robust security measures. To comply, auto dealerships must strengthen access controls and implement MFA on accounts with access to customer financial data.
If your car dealership is still navigating what you need to put in place to get FTC compliant, you’re not alone. That said, the FTC can enforce steep fines of up to $100,000 per violation now that the June 9th deadline has passed, so it’s critical to put in place your compliance plan now.
The spirit of the Safeguards Rule is to help organizations address the root causes of risk within complex IT systems. To accomplish that, your car dealership’s IT and data security strategy must embody three objectives:
Securing customers’ nonpublic, personally identifiable information (PII)
Designing and implementing security controls to prevent and mitigate cyber threats
Limiting and monitoring access to systems that store PII
With these objectives in mind, the Safeguards Rule contains multiple components organizations must include in their information security program to comply with GLBA.
First, every organization needs an experienced cybersecurity professional who “owns” its security program. This person can be in-house or outsourced. Broadly speaking, this person is responsible for implementing, maintaining, and championing the security program. A primary part of their job is providing at least one annual report to a Board of Directors or senior leadership that assesses compliance success and risks within the security program.
Next, organizations must conduct a comprehensive risk assessment before they create their information security program. This formal written assessment will detail all potential internal or external risks and threats to consumer data, as well as the criteria used to assess those risks.
Over time, risks and threats will change. So, under the Safeguards Rule, organizations need to periodically reassess their security posture. The goal is to continuously amend your security program, controls, and incident response plan to mitigate threats.
Furthermore, putting solid security controls in place helps organizations reduce the likelihood of a data compromise. The Safeguards Rule requires organizations to have controls that support multiple security functions, including:
Data management and storage, where organizations need a detailed inventory of data collected, stored, and transmitted across the entire IT infrastructure
Access management, where organizations define which users are authorized to access which resources and maintain an ongoing activity log to monitor access behavior
Data encryption, where organizations maintain confidentiality for data at rest and in transit
Data retention and disposal, where organizations design policies and timelines to securely store and automatically destroy customer data
Third-party application management, where organizations regularly evaluate what information they’re sharing with vendors and whether it’s necessary to share that data
Identity verification, where organizations maintain granular MFA capabilities to validate user identities and verify access to organization resources using at least two authentication factors
Naturally, controls are only useful if they successfully mitigate threats. With today’s rapidly evolving threat environment, organizations need to continuously stress test and fine-tune their controls to keep their organization secure and compliant.
Alongside continuous monitoring, you should introduce regular vulnerability scanning and penetration testing to confirm that your controls are effective.
Compliance with the Safeguards Rule also means your auto dealership needs to maintain a written plan detailing how you will respond to and recover from a security incident. This document must address:
The goals of your response plan
Defined roles, responsibilities, and a chain of command for decision-making
Internal processes to activate during an incident, including processes around how to address security gaps and how to communicate or share information with stakeholders
Procedures dictating how to document and report security incidents
Updates following each security incident, including a post-mortem assessment of each incident and the organization’s response
Moreover, everyone who handles your organization’s sensitive data must be adequately trained to recognize risks, mitigate the impacts of security incidents, and respond appropriately. To that end, regular training helps keep both internal teams and external vendors aware of risks and prepared to respond to emergencies.
Monitoring behavior and consistently assessing the ability to prevent or mitigate risk can also help teams see where additional training is needed.
For most auto dealerships, the biggest change to the Safeguards Rule is the new mandate to implement MFA. This amendment demonstrates how zero trust architecture — which follows the guiding principle of “never trust, always verify” — is becoming essential for effective data security.
Unauthorized access to sensitive data — whether through stolen credentials, insider threats, or other security gaps — poses a significant threat to customer PII. Enacting and enforcing the principle of least privilege is one step in limiting access to sensitive data. But now, organizations must go a step further. By introducing MFA, companies can verify and validate user identities for every user and every access attempt, ensuring that only authorized users can access certain systems.
Naturally, how organizations set up their MFA solution makes a big difference when it comes to mitigating risk. The FTC suggests leveraging phishing-resistant MFA methods to maximize security. For example, risk-based contextual controls, authentication apps, and hardware keys are often more secure than SMS codes or push notifications.
IS Decisions supports FTC Safeguards Rule compliance through both of our software solutions, FileAudit and UserLock. Organizations responding to the FTC’s MFA requirement need an MFA solution that’s fast and easy to implement, without cutting corners. That’s where our granular MFA solution, UserLock, comes in. UserLock helps your organization meet the new FTC requirements without bogging down your user workflows with unnecessary interruptions.
UserLock makes it easy to scale MFA capabilities to support all users and identities – privileged or not – through seamless integration with Active Directory. In minutes, your team can implement user verification with secure, phishing-resistant MFA methods. That makes UserLock the ideal solution to help you get FTC-compliant MFA, fast.