
If your dealership group arranges or extends credit, the FTC treats you as a financial institution under the GLBA Safeguards Rule. That means you’re expected to have a “reasonable information security program” in place.
For a CEO, CFO, or GM, that phrase can sound vague and legalistic. In reality, the FTC spells out nine specific building blocks that make up a reasonable program. When you put them together, you get a clear, practical blueprint for how your stores should protect customer data across sales, F&I, service, and accounting.
Let’s break those nine elements down in plain English and in dealership terms.
Note: This is general education, not legal advice. Work with your counsel to interpret how the Rule applies to your stores, state laws, and OEM/lender requirements.
1. Start by putting someone in charge: the Qualified Individual
Every reasonable program starts with clear ownership.
The Safeguards Rule requires you to designate a “Qualified Individual” (QI) to implement and oversee your information security program. That person can be:
- An internal leader (IT/InfoSec, Controller, Compliance Officer)
- Someone at an affiliate
- A trusted service provider
The FTC doesn’t care about the job title. What matters is that this person has the real-world expertise and authority to make security decisions that fit your dealership’s size and complexity.
For a dealer group, that typically looks like:
- The CEO / Dealer Principal formally designates a QI
- A senior leader internally is assigned to oversee that relationship
- The QI has a direct line to ownership when decisions, budget, or policy changes are needed
You can outsource the function, but you cannot outsource the responsibility. The buck still stops with your organization.
2. Know what you have: conduct a written risk assessment
You can’t protect what you don’t know you have.
A reasonable program starts with a written risk assessment that answers three basic questions:
- What customer information do we collect?
- Where does it live and travel? (DMS, CRM, desking tools, OEM portals, email, file shares, paper, backup systems)
- What could go wrong?
For a dealership, this means:
- Inventorying systems: DMS, CRM, digital retailing, F&I menus, service scheduling, phone/BDC tools, accounting, HR/payroll
- Mapping data flows: credit apps, driver’s licenses, income proofs, payoff information, service histories
- Identifying risks: internal (employee mistakes, weak passwords, shared logins) and external (phishing, ransomware, vendor breaches)
The Rule expects this risk assessment to be written and to include criteria for how you evaluate risks. It’s also not a one-and-done project. As your group adds rooftops, vendors, and tools, or as new threats emerge, you’re expected to revisit and update it.
3. Design and implement safeguards that actually control those risks
Once you know your risks, the question becomes: So what are we doing about them?
A reasonable program includes safeguards tailored to those risks. The Safeguards Rule highlights several that are table stakes today:
Access control: who can see what
- Limit access to customer information to people who truly need it for their job
- Review access regularly: does that former F&I manager still have DMS access?
- Eliminate shared logins in sales, F&I, and service
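The access review described above can be made routine rather than ad hoc. The following Python script is an added example (not from the original article or any DMS vendor): it cross-references a constructed DMS user export against a constructed HR roster and flags three things the article calls out, namely accounts belonging to people who have left, generic or shared logins, and dormant accounts. The log formats, names, dates, and thresholds are all assumptions made for the example.

```python
"""Quarterly DMS access review, as a worked example.

Cross-references a DMS user export against the HR roster to flag
(a) accounts whose owner has left, (b) generic or shared logins, and
(c) accounts nobody has used recently. Every record below is constructed
for illustration; real exports will have different fields.
"""
from datetime import date

# Constructed sample: DMS user export (user id, display name, last login, store)
DMS_ACCOUNTS = [
    {"user": "jsmith", "name": "Jane Smith", "last_login": date(2024, 5, 28), "store": "North"},
    {"user": "rlee", "name": "Ron Lee", "last_login": date(2024, 3, 2), "store": "North"},
    {"user": "fi_desk", "name": "F&I Desk", "last_login": date(2024, 5, 30), "store": "South"},
    {"user": "mgarcia", "name": "Maria Garcia", "last_login": date(2023, 9, 14), "store": "South"},
    {"user": "svc_shared", "name": "Service Lane", "last_login": date(2024, 5, 29), "store": "South"},
]

# Constructed sample: HR roster keyed by user id; value is termination date or None
HR_ROSTER = {
    "jsmith": None,
    "rlee": date(2024, 3, 15),   # former F&I manager who left in March
    "mgarcia": None,
}

# Assumed naming hints for generic logins and an assumed dormancy threshold
SHARED_MARKERS = ("shared", "desk", "lane", "generic", "temp")
STALE_DAYS = 90
REVIEW_DATE = date(2024, 6, 1)   # the day the review is run (constructed)


def review_access(accounts, roster, today, stale_days=STALE_DAYS):
    """Return a list of (user, finding) tuples for the QI to act on."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        terminated_on = roster.get(user)
        # (a) a terminated employee still holds an enabled account
        if terminated_on is not None and terminated_on <= today:
            findings.append((user, "terminated employee still has access"))
        # (b) the account is not tied to a named person in HR, or looks generic
        elif user not in roster or any(m in user.lower() for m in SHARED_MARKERS):
            findings.append((user, "shared or unowned login"))
        # (c) dormant account: nobody has logged in within the threshold
        if (today - acct["last_login"]).days > stale_days:
            findings.append((user, f"no login in {stale_days}+ days"))
    return findings


def run_review():
    """Convenience wrapper that runs the review on the constructed data."""
    return review_access(DMS_ACCOUNTS, HR_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:12} {finding}")
```

The two inputs a real review needs are exactly the ones most groups already have: a user export from each system that holds customer data, and the HR roster. Keeping the output as a dated list of findings, with who closed each one, is also the evidence trail the annual report to ownership (element 9) draws on.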
Data inventory: know your ecosystem
- Maintain an accurate list of systems, devices, platforms, and people that touch customer data
- Update it when you add new software, new stores, or a new integration
Encryption: lock it down in transit and at rest
- Encrypt customer data where it’s stored and when it’s sent over networks
- If you can’t encrypt in a particular scenario, use alternative controls that your QI formally approves
Application security: don’t trust every app
- Vet any in-house or third-party apps that store, access, or transmit customer data
- Confirm that vendor apps meet your security expectations before you roll them out at the store
Multi-factor authentication (MFA): more than just a password
- Require at least two factors for anyone accessing systems with customer data:
  - Something they know (password)
  - Something they have (token, app prompt)
  - Something they are (biometrics)
- Counter “MFA fatigue” (staff approving push prompts they did not initiate) by training them on why each approval matters
Secure disposal: don’t hoard data you don’t need
- Dispose of customer information securely when you no longer need it for business or legal reasons
- As a baseline, the Rule expects disposal no later than two years after last use, unless there’s a legitimate business or legal need to keep it longer
- That applies to paper deal jackets, digital copies, reports, and backups
Change management: security can’t be static
- Evaluate the security impact before you:
  - Add a new server or major system
  - Open a new rooftop
  - Plug in a new integration or vendor
- Make sure someone asks: “What new risks does this introduce, and how are we addressing them?”
Logging and monitoring: watch what users are doing
- Keep logs of authorized user activity in key systems
- Watch for suspicious behavior: logins at odd hours, abnormal data exports, failed login attempts
- Use those logs during investigations or after an incident
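To show what “watch for suspicious behavior” means in practice, here is an added Python example (not from the original article or any vendor’s product) that runs simple detection rules over a constructed audit log: logins outside business hours, a burst of failed logins for one account, and an unusually large data export. The log format, the user names, the business-hours window, and the thresholds are all assumptions made for the example; a real DMS or CRM will have its own export format.

```python
"""Detection rules over constructed DMS/CRM audit log lines, as a worked example.

Flags the three behaviours named in the article: logins at odd hours,
repeated failed logins, and abnormal data exports. The log format and
every line below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: "<ISO timestamp> <user> <event> [key=value ...]"
SAMPLE_LOG = """\
2024-06-03T08:55:10 jsmith LOGIN_OK
2024-06-03T09:10:42 jsmith EXPORT rows=180
2024-06-03T12:01:05 mgarcia LOGIN_OK
2024-06-03T14:22:31 mgarcia EXPORT rows=240
2024-06-03T23:47:02 rlee LOGIN_OK
2024-06-03T23:51:19 rlee EXPORT rows=12000
2024-06-04T02:14:00 tbrown LOGIN_FAIL
2024-06-04T02:14:05 tbrown LOGIN_FAIL
2024-06-04T02:14:09 tbrown LOGIN_FAIL
2024-06-04T02:14:14 tbrown LOGIN_FAIL
2024-06-04T02:14:20 tbrown LOGIN_FAIL
2024-06-04T02:14:27 tbrown LOGIN_OK
"""

# Assumed thresholds; tune them to how your stores actually operate
BUSINESS_HOURS = (7, 21)        # 07:00 to 21:00 local store time
FAILED_LOGIN_THRESHOLD = 5      # failures per user per day before alerting
EXPORT_ROW_THRESHOLD = 5000     # rows in a single export that warrant a look


def parse_log(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        detail = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        events.append({"ts": ts, "user": parts[1], "event": parts[2], **detail})
    return events


def detect(events):
    """Return (user, alert) tuples; one alert per rule per user per day."""
    alerts = []
    failures = defaultdict(int)   # (user, day) -> failed login count
    after_hours_seen = set()      # (user, day) pairs already alerted on
    for e in events:
        key = (e["user"], e["ts"].date())
        in_hours = BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]
        if e["event"] == "LOGIN_OK" and not in_hours:
            if key not in after_hours_seen:
                after_hours_seen.add(key)
                alerts.append((e["user"], f"login outside business hours at {e['ts'].isoformat()}"))
        elif e["event"] == "LOGIN_FAIL":
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:
                alerts.append((e["user"], f"{FAILED_LOGIN_THRESHOLD} failed logins on {key[1]}"))
        elif e["event"] == "EXPORT" and int(e.get("rows", 0)) >= EXPORT_ROW_THRESHOLD:
            alerts.append((e["user"], f"large export of {e['rows']} rows"))
    return alerts


def run_sample():
    """Run the rules over the constructed log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for user, alert in run_sample():
        print(f"ALERT {user:10} {alert}")
```

Three cheap rules like these already separate routine activity (jsmith and mgarcia) from the patterns worth a phone call (a late-night login followed by a 12,000-row export, or a string of failed logins that ends in success). The point for leadership is not the specific thresholds but that someone owns reviewing the alerts and that the logs are retained long enough to support an investigation.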
These safeguards should be practical and right-sized. A 4-store group doesn’t need the same stack as a national group, but the concepts apply to everyone.
4. Prove it works: regularly monitor and test safeguards
A reasonable program doesn’t just trust that safeguards work; it checks.
For information systems, the Rule expects:
- Either continuous monitoring,
- Or a structured testing program that includes:
  - Annual penetration testing
  - Vulnerability assessments with system-wide scans at least every six months
  - Additional testing when:
    - You make major changes to systems or vendors
    - You experience an incident that could impact your security posture
For dealerships, this usually looks like:
- External and internal vulnerability scans scheduled on a regular cadence
- Periodic pen tests to simulate how an attacker might try to get in
- Documented results, with remediation plans and follow-up
This is where CEOs and CFOs often see the biggest gap: tools may be in place, but no one is regularly testing, tracking findings, and closing the loop.
5. Train your people like they’re part of the security team (because they are)
Your program is only as strong as the least careful team member.
The Rule expects ongoing security awareness training for employees, plus specialized training for those with hands-on security responsibilities.
In a dealership context:
- Everyone:
  - Recognizing phishing emails and malicious links
  - Handling driver’s licenses, credit apps, and PII securely
  - Clean desk practices and secure printing
- Sales & F&I:
  - How to use DMS/CRM/F&I tools without bypassing security
  - Rules around saving documents locally, emailing customer info, or using personal devices
- Service & Parts:
  - Secure handling of repair orders and warranty data
  - Access to customer info in service systems
- Admin, IT, and Accounting:
  - Deeper training on system configuration, user provisioning, backups, and incident response
The key is consistency: a short annual video alone is no longer enough. You need ongoing refreshers, updates when threats change, and a way to track who has completed what.
6. Treat your vendors like part of your security perimeter
Modern dealerships rely heavily on third parties. The Safeguards Rule explicitly requires you to monitor your service providers.
A reasonable program includes:
- Selecting providers with proven security maturity
- Contracts that:
  - Spell out your security expectations
  - Require them to safeguard customer information
  - Define how and when they must notify you of incidents
  - Allow for monitoring and periodic reassessment
- Periodically reviewing:
  - Whether they’re still the right fit
  - Whether their controls have kept up with the threat landscape
For a Dealer Principal or CFO, this means vendor security is no longer “nice to have.” It’s a compliance expectation and a major piece of your real-world risk.
7. Keep your program current
The only constant in dealership IT is change. New software, new staff, new processes, new rooftops.
A reasonable information security program is:
- Reviewed and updated when:
  - You change operations or structure
  - Risk assessments surface new issues
  - New threats and vulnerabilities emerge
  - Key personnel move in or out of critical roles
- Flexible enough to adjust:
  - Policies and procedures
  - Technical controls
  - Training content
  - Vendor relationships
If your documentation still describes the way you operated three years ago, it’s not “reasonable” anymore, even if it was at the time.
8. Have a written incident response plan before something goes wrong
Hope is not a strategy.
The Rule requires a written incident response plan (IRP) that outlines what your organization will do when you experience a “security event” (unauthorized access to or misuse of customer information, whether digital or physical).
A reasonable IRP covers:
- Goals of the plan
  - Contain the incident
  - Limit damage and downtime
  - Protect customers and the business
- Internal processes
  - How incidents are identified, escalated, investigated, and resolved
- Roles and responsibilities
  - Who leads the response at the group level
  - Who owns communication at each rooftop
  - Who talks to vendors, insurers, legal counsel, and (if needed) regulators
- Communication and information sharing
  - Inside the company: leadership, managers, staff
  - Outside: vendors, insurers, affected customers, possibly OEMs and lenders
- Fixing weaknesses
  - Document the root cause
  - Strengthen controls to prevent recurrence
- Documentation and reporting
  - What happened, what you did, timelines, who was affected
- Post-incident review
  - Lessons learned
  - Updates to the IRP and security program based on those lessons
For a GM, this means there is a clear playbook for “what to do in the store” if systems are compromised or suspicious behavior is detected.
9. Close the loop with leadership: written reporting to the Board / ownership
Finally, a reasonable program always circles back to leadership.
The Safeguards Rule requires your Qualified Individual to report in writing, at least annually, to your Board of Directors or equivalent. If you don’t have a Board, that report goes to a senior officer responsible for the program (often the Dealer Principal, CEO, or CFO).
That report should include:
- An overall assessment of how well your information security program is working
- Risk assessment findings and trends
- Key risk management and control decisions
- Updates on service provider arrangements and any security concerns
- Testing and monitoring results
- Security events and how they were handled
- Recommendations for changes, investments, or priorities going forward
For leadership, this turns security from a fuzzy IT topic into something you can review, question, and steer, just like financial statements or CSI metrics.
Pulling it all together
When you put these nine elements together, a “reasonable information security program” for a dealership looks like:
- A named leader (Qualified Individual) with authority
- A written understanding of your risks and data flows
- Practical safeguards mapped to how your stores really operate
- Evidence that those safeguards are monitored, tested, and improved
- Trained people, accountable vendors, and a living incident response plan
- Regular, structured reporting back to the people who ultimately own the risk
That’s what the FTC is looking for. More importantly, it’s what protects your customers, your brand, and your ability to keep selling and servicing cars when something goes wrong.
