Yes, for certain requirements there is a size exception. All other requirements apply regardless of size.
The following DO NOT APPLY if you retain information for fewer than 5000 consumers that have sought credit:
The following STILL APPLY if you retain information for fewer than 5000 consumers that have sought credit:
The 5,000 referenced above is the total number of consumers for whom you have retained personal information. For example: if you have pulled an average of 83.33 credit reports per month for the past 5 years (83.33 x 12 x 5 = 5,000), which is the minimum period dealers are required to keep this information, your dealership would not qualify for the exception. However, credit reports are only one system through which you receive consumer information. You also have to look at your service lane, DMS, CRM and your financing platforms.
The first step, whether or not you qualify for the under-5,000 exception, is to inventory your systems. Record your findings, and if you believe you are under 5,000, add those findings to your policy.
Yes, unless you retain information on fewer than 5,000 consumers. If that exception is met, you are still required to comply with the Safeguards Rule, but you will not need a written risk assessment, continuous monitoring (or annual penetration testing and vulnerability scans), a written incident response plan, or a written annual report to the Board of Directors.
They would not be excluded. "Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates." Name, address and similar identifiers all qualify.
According to the FTC, the qualified individual must oversee and implement the information security program. The person designated to coordinate the information security program need only be “qualified.” No particular level of education, experience, or certification is prescribed by the Rule. Accordingly, financial institutions may designate any qualified individual who is appropriate for their business. Only if the complexity or size of their information systems require the services of an expert will the financial institution need to hire such an individual.
All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses to notify individuals of security breaches of information involving personally identifiable information. The requirements will vary by state.
Your reporting to your Board of Directors should be based on your risk assessment. At a minimum it should list the results of your penetration testing and the remediation steps taken in response, and it should list any vendors who have gaps in their responses to your questionnaire.
Yes, you can download a copy of the NADA’s “Dealer Guide to the FTC Safeguards Rule” here. This document includes best practices and sample documents.
Yes. Physical and electronic information and documents from out-of-state consumers must be safeguarded. The information and documents must be protected by the physical, administrative, and technical safeguards outlined in the Safeguards Rule.
The Safeguards Rule states you must: develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. Please consult your attorney for record retention requirements for specific documents and data. The systems that retain those scanned documents must also pass your vendor surveys.
The Safeguards Rule states you must: implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. The Safeguards Rule also states you must: oversee service providers by (1) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) requiring your service providers by contract to implement and maintain such safeguards; and (3) periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.
Implement your own documented training program or look for a third-party provider. In addition, you must record when each employee last took the training, and employees will need to be trained annually. This record of employees and their training will need to be part of your Board of Directors reporting. Please contact firstname.lastname@example.org to learn more about the 700Credit LMS.
To further our efforts in providing the best compliance and risk mitigation services to our clients, we are pleased to provide a web-based, self-paced compliance platform that delivers the required training your dealership needs to remain compliant with every transaction and avoid costly fines. Our learning management system covers all of the content necessary to help your dealership comply with the new FTC Safeguards Rule.