
If your dealership arranges or extends credit, you are treated as a “financial institution” under the FTC’s GLBA Safeguards Rule. That means you are required to develop, implement, and maintain a written information security program to protect customer information.
This is no longer an “IT thing.” It is a leadership and governance obligation that directly touches the CEO / Dealer Principal, CFO, and General Manager.
In this post, we will translate the rule from legalese into dealership reality and spell out what each role is on the hook for.
Quick note: This is general educational content, not legal advice. Always work with your counsel to interpret how GLBA and the Safeguards Rule apply to your group.
First, a quick reset: What is the GLBA Safeguards Rule?
The Safeguards Rule is an FTC regulation under the Gramm Leach Bliley Act (GLBA). It requires covered financial institutions, including many auto dealers that provide or arrange financing, to:
- Maintain a written information security program
- With administrative, technical, and physical safeguards
- Appropriate to the size and complexity of the business and the sensitivity of customer data (Federal Trade Commission)
Recent updates made the rule much more specific. At a high level, your program must now include nine elements, among them:
- A Qualified Individual in charge
- A written risk assessment
- Specific safeguards like access controls, MFA, encryption, monitoring, testing, training, vendor management, and an incident response plan
- An annual written report to your Board or equivalent, often the Dealer Principal or ownership group (Federal Trade Commission)
So what does that actually mean for each seat in the tower?
For the CEO / Dealer Principal: This is now board level risk, not back office noise
As Dealer Principal or CEO, you are effectively the “Board” in the Safeguards Rule. The FTC expects your dealership to:
- Designate a Qualified Individual to oversee the program
- Fund and support that program
- Receive and review written reports on its status at least annually (Federal Trade Commission)
What this looks like in real life
For a CEO in a multi rooftop group, GLBA Safeguards shows up as:
- Strategic risk management
  Data breaches now impact blue sky value, OEM relationships, floorplan timing, and lender trust. This sits next to brand, CSI, and fixed absorption as a board-level risk.
- Appointment of the right “Qualified Individual”
  That may be an internal IT/security leader or a third-party provider, but the responsibility still rolls up to you. The rule is clear that you can outsource execution but not accountability (Federal Trade Commission).
- Reviewing an annual security report just like your financials
  You should see a concise, business-friendly report that covers:
  - Top information security risks to the group
  - What has been done about them
  - Any incidents and lessons learned
  - Roadmap and budget requests
- Culture and tone at the top
  If sales managers treat security training as optional, your program fails in practice, even if the paperwork looks good. The CEO sets expectations that “we protect customer data the same way we protect our cash and inventory.”
Key CEO questions to ask this quarter
- Who is formally designated as our Qualified Individual under the Safeguards Rule?
- When will I receive our first (or next) written annual report on the information security program?
- Have we completed a written risk assessment that includes every rooftop, DMS, CRM, and critical vendor?
- If we had a “CDK sized” outage at a key provider, what is our plan to operate and communicate?
For the CFO / Controller: Safeguards is a control and audit story
For the CFO or Controller, the GLBA Safeguards Rule looks a lot like a new internal control framework wrapped around your IT and vendor stack.
The FTC expects you to have controls that:
- Limit and monitor who can access sensitive information
- Encrypt customer data
- Periodically assess the security practices of your service providers (Federal Trade Commission; The Tax Adviser)
How it lands on your desk
- Budget owner for the information security program
  Cybersecurity tools, monitoring, penetration testing, staff training, vendor assessments, and incident response planning all need budget. Your job is to tie spend to risk reduction and operational continuity, not treat it as a discretionary IT “nice to have”.
- Controls over money movers
  F&I, accounting, and title work all rely on systems that store nonpublic personal information. You are the natural owner for:
  - User provisioning and deprovisioning controls
  - Segregation of duties in DMS and accounting systems
  - Backup and recovery testing for financial data
- Vendor management and contract language
  Safeguards requires you to select service providers that can maintain appropriate safeguards and to build that into contracts (Federal Trade Commission).
  For the CFO, that means:
  - Pushing for data security clauses in DMS, CRM, and IT contracts
  - Requiring evidence of controls (SOC 2, independent audits, or equivalent)
  - Understanding termination and data return/destruction terms
- Insurance and incident cost modeling
  Cyber incidents now come with:
  - Downtime in sales and F&I
  - Overtime for re-keying deals
  - Forensics, legal, notification, and potential regulator involvement
  Mapping these against cyber insurance coverage and retentions sits squarely in the CFO wheelhouse.
Key CFO questions to ask
- Do we have a documented vendor inventory that shows which providers touch customer information?
- Are our user access controls in DMS, CRM, and accounting aligned with our financial control standards?
- If a vendor suffers a breach, do our contracts clearly define responsibilities and notification timelines?
- Have we mapped our Safeguards program to our cyber insurance requirements so we are not out of compliance at claim time?
For the General Manager: Safeguards is now part of running the store
The GM feels GLBA Safeguards where the rubber meets the road:
- Desking deals
- F&I menus
- BDC operations
- Service write ups
- Customer pay and warranty work
Your teams are the ones constantly touching driver’s licenses, income proofs, account numbers, credit apps, and service histories. That is exactly the data the Safeguards Rule is trying to protect (Federal Trade Commission).
What this really means for a GM
- Enforcing secure workflows, not just secure tech
  You can have encryption and MFA, but if:
  - Sales leaves paper credit apps on desks
  - F&I saves deal jackets to personal USB drives
  - Service writers use shared logins
  you are not compliant in practice.
- Supporting training and accountability
  The rule requires ongoing security training, but the GM ensures:
  - New hires complete training before accessing systems with customer data
  - Managers reinforce phishing awareness, password hygiene, and clean desk policies
  - Repeat offenders who ignore procedures are coached or disciplined
- Operational resilience during incidents
  If a system goes down or there is a suspected breach, the GM is on point for:
  - Executing the incident response playbook in the store
  - Communicating to sales, F&I, and service on what they can and cannot do
  - Coordinating with the Qualified Individual and leadership on status
- Balancing sales speed with data protection
  Safeguards should not slow the deal. You can still:
  - Use digital retailing and e-signature
  - Desk quickly
  - Move customers through F&I efficiently
  The difference is that every process is mapped, risks are understood, and data handling is intentional.
Key GM questions to ask
- Where in my store do we physically or digitally handle customer financial data, and what are our current weak spots?
- Are we using shared logins anywhere in sales, F&I, or service?
- Is there a simple, clear procedure for “what to do” if someone clicks a suspicious link or notices something strange in a system?
- How am I being measured on compliance and security in addition to volume, gross, and CSI?
Turning GLBA Safeguards into a leadership advantage
Handled well, your Safeguards program becomes more than a compliance exercise. It can:
- Reduce downtime from cyber incidents
- Make OEM and lender audits smoother
- Improve data hygiene for cleaner reporting and desking
- Strengthen your story with buyers, investors, and bankers who are increasingly focused on cyber maturity
The rule already requires you to have:
- A written program
- A Qualified Individual
- Documented risk assessments and safeguards
- Ongoing monitoring and an annual board-level report (Federal Trade Commission)
If you approach this as CEO, CFO, and GM working in sync, you turn those requirements into a competitive edge instead of a scramble every time there is an incident or regulator headline.
How Safer Dealer can help
At Safer Dealer, we help dealership leadership teams translate the GLBA Safeguards Rule into a practical, right sized program with clear ownership, documentation, and monitoring.
