
If your dealership handles financing, the FTC’s Safeguards Rule is very clear about where you start with “reasonable” security. Before tools, before training, before policies, you must put one accountable person in charge of your information security program.
That person is your Qualified Individual.
This is not a paperwork formality. It is the foundation of your whole Safeguards strategy. When something goes wrong with customer data, regulators and plaintiff attorneys will eventually ask a simple question:
“Who was responsible for this program, and were they actually qualified to run it?”
If you cannot answer that clearly, you are already on your back foot.
Quick note: This article is general education, not legal advice. Work with your counsel to interpret how the Safeguards Rule applies to your specific group and state laws.
What the Qualified Individual actually is
Under the amended Safeguards Rule, every covered “financial institution” must designate a Qualified Individual (QI) who is responsible for implementing and supervising its information security program. For auto dealers, that often means:
- You are a financial institution if you arrange or extend credit or leasing at your stores.
- You must have a documented security program.
- A named person must oversee that program and report to your governing body.
The FTC does not tell you the QI must be a CISO, CIO, attorney, or any particular title. What matters is:
- They have the knowledge and experience to manage information security at your scale.
- They have the authority to influence systems, vendors, and people.
- They have a direct line to senior leadership when decisions or funding are needed.
For small to mid-sized groups, this may be a seasoned IT director working with a security-focused service provider. For larger groups, it could be a true CISO or security leader backed by internal staff and external specialists.
What the Qualified Individual is not
Most dealerships get into trouble by treating the QI as a box to check:
- Slapping the title onto a generic MSP who mainly does help desk and backups
- Assigning a junior “IT person” with no security background
- Naming someone without giving them time, budget, or authority to act
We see this constantly in dealership assessments. One of the most common problem patterns:
“Designate a Qualified Individual – assigned to a general IT vendor with no cyber credentials.”
On paper it looks done. In reality, nobody is actively owning risk, driving remediation, or reporting to leadership. That is exactly the kind of gap regulators and class-action attorneys will highlight after a breach.
Where the QI can sit in a dealership organization
The Rule gives you flexibility in how you staff the QI role, as long as you do it intentionally.
Option 1: Internal leader
Examples:
- Director of IT / Information Security
- VP of Operations with strong tech and compliance support
- Controller or Compliance Officer with a dedicated security partner behind them
Works best when:
- You have 3+ rooftops and a meaningful IT footprint
- You already employ technical leaders who understand your stack
- You want direct day-to-day visibility into security decisions
What you must add:
- Formal Safeguards responsibility in their job description
- Training and ongoing education on security and compliance
- Support staff or vendors so they are not “a one-person army”
Option 2: Qualified Individual at an affiliate
Some dealer groups centralize the QI at a parent or affiliated entity that handles IT and security for multiple businesses.
This can work well if:
- The affiliate maintains its own mature security program
- That program covers the dealership environment and data
- There are clear agreements about responsibilities and reporting
Make sure you still:
- Document how the affiliate’s program protects your stores
- Define who, inside the dealership entity, supervises that relationship
Option 3: Trusted service provider
A Safeguards-focused MSSP or virtual CISO can act as your QI, so long as:
- They have real security expertise and credentials
- They understand dealership systems, not just generic office IT
- You designate a senior internal owner to supervise them
That last point is critical. The FTC allows you to outsource implementation, but the Rule is very clear that the dealer remains responsible for the program and must designate a senior employee to oversee the service provider.
What a strong QI actually does week to week
It helps to move past theory and picture how a real QI operates inside a dealership group. Here is what “good” typically looks like:
1. Owns the risk assessment
- Leads or coordinates a written risk assessment that covers all rooftops, systems, and vendors
- Keeps an up-to-date inventory of:
  - DMS, CRM, F&I, desking, digital retailing, service, accounting, HR, and cloud tools
  - Where customer information is collected, stored, and transmitted
- Identifies realistic threats: phishing, credential theft, vendor compromise, human error, ransomware, and more
Given that roughly 68 percent of breaches involve the human element, the QI focuses heavily on where people, process, and tech intersect.
2. Designs and drives safeguards
The QI is not just writing policies. They are making sure safeguards actually exist and work in the real store environment, including:
- Access controls and least privilege in DMS, CRM, and file systems
- MFA rollout across key systems
- Encryption for customer data at rest and in transit
- Vendor vetting and contract language that reflect Safeguards expectations
- Logging, monitoring, and alerting so incidents do not go undetected
The QI may not personally configure the firewall or M365 tenant, but they are accountable for making sure those tasks are done correctly and documented.
3. Coordinates monitoring and testing
The Rule expects continuous monitoring or a defined testing cadence with vulnerability scans and penetration tests.
The QI:
- Schedules and reviews vulnerability scans
- Coordinates annual penetration testing, or validates continuous monitoring solutions
- Tracks findings and drives remediation with IT teams and vendors
- Reports patterns and stubborn issues up to leadership
4. Leads training and culture, not just check-the-box videos
Because the majority of breaches still start with a human action or error, the QI treats training as a core control, not a compliance chore.
That means:
- Role-based training for sales, F&I, service, accounting, and leadership
- Phishing simulations with coaching, not shaming
- Reinforcing policies around shared logins, password reuse, and data handling
- Working with GMs so security expectations are enforced on the floor
5. Owns the incident response playbook
When something happens:
- Leads incident triage, investigation, and coordination with vendors
- Executes the written incident response plan the Rule requires
- Keeps leadership informed in real time
- Coordinates with cyber insurance, legal counsel, and forensics as needed
Afterward, the QI runs the post-mortem and updates controls so you do not repeat the same mistake.
6. Reports to the Board or ownership
At least annually, the QI must deliver a written report to the Board or equivalent. In a dealership group, that is often:
- Dealer Principal or CEO
- Ownership group or executive committee
- Sometimes a formal Board if one exists
The report should cover:
- Overall status of the information security program
- Risk assessment results and major changes
- Key safeguards and control decisions
- Vendor risk and any service provider issues
- Testing results and unresolved findings
- Security events and how they were handled
- Recommendations and budget priorities for the next period
This is what turns your Safeguards effort into ongoing governance instead of a one-time project.
Common mistakes dealers make with the QI role
From working with dealers and from our own internal Safeguards assessments, we see the same patterns again and again.
1. “We gave it to our MSP”
Many groups simply name their IT provider as the QI, even when:
- The provider has no dedicated cybersecurity practice
- There is no documented security program behind them
- There is no internal senior leader actually supervising their work
This is exactly the kind of scenario the FTC tried to address with the updated Rule and the new auto dealer FAQs. You can absolutely use a provider, but only if the arrangement is structured, documented, and overseen by a senior internal owner.
2. “We named someone too junior”
Another pattern is giving the QI title to:
- A help desk tech
- A mid-level admin
- A manager who has “extra capacity”
If they cannot tell a GM “no” on a risky request, or they cannot influence vendor selection and budget, they are not positioned to be truly qualified, no matter how smart they are.
3. “We never gave them time or budget”
On paper, you have a QI. In reality:
- They are 120 percent allocated already
- Security tasks are always “phase two”
- There is no dedicated budget for testing, tools, or training
In that scenario, even a highly competent QI will struggle to move the needle, and you will struggle to show regulators that you implemented a “reasonable” program.
How to set your Qualified Individual up for success
Here is a practical checklist for CEOs, CFOs, and GMs.
1. Formal appointment
- Issue a short written designation naming the QI
- Describe their scope: all rooftops, all systems that touch customer info
- Identify the senior leader who supervises them
2. Clear responsibilities
At minimum, your QI should be responsible for:
- Maintaining the written information security program
- Leading risk assessments and Safeguards design
- Overseeing monitoring, testing, and incident response
- Coordinating vendor security
- Delivering the annual report to leadership
3. Defined authority
Make it clear that the QI can:
- Escalate risk concerns directly to senior leadership
- Recommend spend on necessary controls and testing
- Stop or modify risky practices that put customer data at risk
4. Right-sized support
Depending on your size, that could include:
- An internal IT/security team
- A Safeguards-focused MSP or MSSP
- Compliance and legal support
- Cyber insurance and forensics partners on standby
Bottom line
You cannot have a serious Safeguards program without a serious Qualified Individual.
For auto dealers, this does not mean building a Wall Street-style security department. It means:
- Naming the right person
- Equipping them with the authority and support they need
- Holding them accountable through structured reporting
Get that right, and the rest of your information security program has a fighting chance to actually work in the real world of busy showrooms, F&I offices, and service drives. Get it wrong, and you are left with a stack of policies and tools with no one truly responsible for outcomes.
