From Risk List To Real Protection: Designing Safeguards That Actually Work In Your Dealership

Once you’ve gone through the work of a Safeguards Rule risk assessment, you’re left staring at a list that can feel… intimidating.

  • Shared logins in the CRM
  • Old deal jackets sitting in an unlocked back room
  • No MFA on email
  • Vendors plugged into your DMS that nobody remembers approving

Sooner or later, leadership asks the only question that really matters:

“We know the risks. So what are we doing about them?”

Section 314.4(c) of the FTC Safeguards Rule answers that in plain terms: you must design and implement safeguards that actually control the risks you identified.

This is where a reasonable information security program stops being theory and starts changing real behavior in your showroom, F&I offices, service drive, and accounting office.

Below, we’ll walk through the major safeguard areas the Rule highlights and translate them into dealership reality.

Quick note: This is general education, not legal advice. Always work with your counsel to interpret how the Safeguards Rule applies to your specific group and state laws.

Start With The Big Picture: Safeguards Are Not “IT Projects”

Before we get tactical, it helps to reset expectations at the leadership level.

Safeguards are not:

  • A stack of tools your MSP buys on your behalf
  • A binder of policies that sits on a shelf
  • A one-time “GLBA project” you check off and forget

Safeguards are:

  • Operational rules of the road for how your people, systems, and vendors handle customer information
  • Concrete controls that match the risks you documented in your written risk assessment
  • Ongoing practices that are monitored, tested, and adjusted as your stores change

You don’t need to look like a Wall Street bank. But you do need to show a clear line from “here’s our risk” to “here’s how we’re controlling it.”

Let’s walk through the core safeguard categories and what “good” looks like for a dealership.

1. Access Control: Who Can See What, And Why

If everyone can see everything in your systems, you do not have Safeguards. You have convenience.

Access control is about limiting access to customer information to people who truly need it for their job, and then regularly checking that still makes sense.

In practice, that means:

Role-based access in your core systems

  • Salespeople should not have the same permissions as F&I managers.
  • F&I managers should not have full system admin rights “just because they’re F&I.”
  • Accounting, HR, service, and BDC should each have access tailored to their functions.

Think of it like a key box in service: not everybody gets keys to everything.

Clean offboarding and job changes

  • When a GSM, F&I manager, or Controller leaves, their accounts are disabled the same day, not “whenever someone remembers.”
  • When someone changes roles, their access changes too. A promoted sales manager should not keep their old BDC access forever.

No more shared logins

This one hits a nerve in almost every store:

  • Generic “F&I01,” “SalesDesk,” or “ServiceWriter” logins might be convenient, but they destroy accountability.
  • If something goes wrong, you cannot prove who did what.

A reasonable program does the hard work of unwinding shared accounts so every user has a unique identity.

Leadership’s job here is simple: back the Qualified Individual when they say “we have to break old habits.”

2. Data Inventory: Know Your Ecosystem So You Can Protect It

You can’t protect “the network” as an abstract concept. You protect specific systems, devices, and connections.

The Safeguards Rule expects you to maintain an up-to-date inventory of:

  • Systems: DMS, CRM, F&I menu, desking, digital retailing, service tools, BDC platforms, accounting, HR/payroll
  • Devices: PCs in the tower, F&I laptops, GSM’s MacBook, service tablets, advisor workstations, printers and scanners
  • Platforms: Microsoft 365 or Google Workspace, phone system, cloud storage, remote access tools, backup systems
  • People and roles: who actually uses what

This inventory is what lets your Qualified Individual answer questions like:

  • “Which systems would be impacted if this vendor is breached?”
  • “Where do we have to prioritize MFA and logging?”
  • “What absolutely has to be in scope for vulnerability scanning?”

For multi-rooftop groups, this is also what keeps you from discovering “shadow IT” at one store: a GM bought a cheap cloud tool with a company card that quietly started handling credit app PDFs.

3. Encryption: Lock Customer Data In Transit And At Rest

Encryption is your last line of defense when something goes wrong.

Done right, if a laptop gets stolen from an F&I office or a backup drive walks out the back door, the data on it is unreadable without the keys.

A practical encryption strategy for a dealership usually includes:

In transit

  • All connections to email, cloud apps, online credit apps, OEM portals, and remote access tools use strong encryption by default.
  • Customer data moving between your environment and vendors travels over secure channels.

Your users shouldn’t have to think about this. It should be baked into how systems are configured.

At rest

  • Laptops and portable devices that hold customer or employee data use full-disk encryption.
  • Servers and storage that host sensitive data use encryption where feasible.
  • Backups that include nonpublic personal information are encrypted so losing a backup copy doesn’t automatically become a reportable event.

If there are legacy systems where you truly can’t encrypt data, your Qualified Individual should formally document:

  • Why encryption isn’t feasible
  • What compensating controls you’re using instead (segmentation, monitoring, very tight access control)
  • How long that exception will exist before you replace or redesign the system

The key point: in 2025, “we just don’t encrypt” is not a reasonable position for a dealership that handles financing.

4. Application Security: Every New App Is A Security Decision

Your stores live in an ecosystem of apps and integrations:

  • Digital retailing platforms
  • Desking tools
  • Vendor plug-ins to your DMS
  • Call recording and chat tools
  • Third-party F&I products and portals

Every time you approve one of these, you are expanding your attack surface, not just your marketing stack.

Reasonable safeguards here look like:

A simple, repeatable vetting process

Before you roll out a new app that touches customer data, your QI or IT/security lead should ask:

  • How does it authenticate users? Does it support MFA?
  • Where is data stored? In what country? For how long?
  • How does it connect to our DMS, CRM, or OEM systems?
  • What happens to our data if we leave the vendor?

This doesn’t have to be a 40-page questionnaire. Even a one-page, consistent intake process is a big step up from “the vendor said it was secure.”

Controlled rollouts and documented approvals

  • No more turning on DMS integrations without telling IT/security.
  • No more pilot tools with full production access on day one.
  • Approvals are documented so you can show later that you made informed decisions.

GMs and GSMs still drive sales and marketing innovation. The difference is that security is now a seat at the table, not an afterthought.

5. Multi-Factor Authentication (MFA): Cheap Insurance Against Stolen Passwords

If you only fix one thing after your risk assessment, fix this.

Most real-world breaches still start with something simple:

  • Someone clicks a phishing link.
  • Someone reuses a password that was already stolen somewhere else.
  • Someone’s credentials are guessed or brute-forced.

MFA is one of the most effective ways to blunt that entire class of attacks.

For a dealership, MFA should be turned on for:

  • Email accounts
  • Remote access and VPNs
  • Cloud apps that touch customer or employee data
  • Admin portals for your major systems

And it should use at least two of:

  • Something they know: password
  • Something they have: authenticator app, hardware token, SMS code
  • Something they are: biometric (on a phone or laptop)

Yes, there is always pushback at the store level: “It’s slowing me down,” “It’s annoying,” “I’m in front of a customer.”

That’s where leadership sets the tone:

  • “We’re not doing this to make your day harder. We’re doing this so one bad click doesn’t shut down the entire group or put our customers at risk.”

Training matters here too. People need to understand MFA fatigue and why blindly accepting prompts is dangerous.

6. Secure Disposal: Stop Hoarding Data You Don’t Need

Dealerships are fantastic at keeping things “just in case.”

The Safeguards Rule takes the opposite view: if you don’t need it, get rid of it safely.

A reasonable data disposal approach includes:

Clear retention rules

  • How long you keep deal jackets, RO histories, and related paperwork to meet legal and business requirements.
  • How long you keep digital copies: scans, PDFs, exports, reports.
  • How long backups keep historical data.

The Rule’s baseline expectation is that you don’t retain customer information more than two years after last use unless you have a legitimate business or legal reason. That reason should be documented, not assumed.

Secure destruction

  • Paper: locked storage until it’s shredded; no boxes of old deals in open hallways or unlocked offices.
  • Digital: secure deletion methods, not just dragging to recycle bin.
  • Hardware: wiping or physically destroying drives when systems are decommissioned.

This is one of those areas where small, consistent habits make a huge difference. You don’t want to be the dealership explaining to regulators why seven years of old, unused data that should have been shredded ended up in the wrong hands.

7. Change Management: Security Has To Move With The Business

Your business moves fast:

  • New rooftop acquisition
  • New OEM digital initiative
  • New DMS or CRM
  • New remote sales model or BDC structure

If your security doesn’t move with it, the gap between “what we think we have” and “what we actually have” grows quickly.

Change management as a safeguard means you:

  • Treat major technology and process changes as security events, not just ops projects.
  • Involve your QI or IT/security lead in decisions early, not after contracts are signed.
  • Ask, in writing, before go-live:
    • What new risks does this introduce?
    • How are we controlling them?
    • Do we need to update our risk assessment, policies, or training?

Practical examples:

  • Opening a new rooftop? There’s a standard security checklist baked into the launch plan.
  • Switching DMS providers? Security and privacy requirements are part of the RFP and implementation plan.
  • Adding a new remote access tool? It doesn’t get deployed until MFA and logging are configured.

You’re not trying to slow the business down. You’re just keeping security in the same conversation as sales, CSI, and fixed absorption.

8. Logging & Monitoring: If You Can’t See It, You Can’t Stop It

Last piece: you have to be able to see what’s happening in your environment.

Without logging and monitoring, you only find out about problems when:

  • A lender calls about fraud.
  • A customer complains their identity was stolen.
  • A vendor or the FTC notifies you of suspicious activity.

Reasonable safeguards here look like:

Logging the important stuff

  • Logins and logouts in DMS, CRM, and other critical systems
  • Failed login attempts, especially repeated ones
  • Privilege changes (who gets admin rights, who loses them)
  • Large exports or unusual data access patterns

Actually watching the logs

  • Someone (internal or a service provider) is responsible for reviewing alerts.
  • There are thresholds and rules: “If X happens, we investigate.”
  • Alerts aren’t just going to an unmonitored inbox.

Using logs when things go wrong

  • If there’s a suspected incident, you can reconstruct what happened:
    • Who logged in, from where, using what device
    • What data was accessed, changed, or exported
  • Logs become part of how you communicate with insurers, legal counsel, OEMs, and (if necessary) regulators.

For many dealers, this is where partnering with a security-focused provider makes sense. You don’t need 24/7 analysts in-house, but you do need to prove that someone is paying attention.

Pulling It Together For Leadership

Designing and implementing safeguards is not about buying every security tool on the market. It’s about:

  • Taking the risks you documented
  • Picking specific, practical controls that match those risks
  • Implementing them in the messy, real world of your stores
  • Monitoring and improving them over time

For Dealer Principals, CFOs, and GMs, the key questions are:

  • Can our Qualified Individual show us how each major risk in our assessment is being controlled?
  • Are our safeguards actually in place in the stores, or just in policy documents?
  • Are we testing and adjusting them as we add rooftops, vendors, and tools?

If you can answer “yes” to those questions with evidence, you’re on your way to a Safeguards program that is more than a binder. It’s part of how you run a modern, digital dealership.

Share

Disclaimer

Dealerships should consult their own legal counsel, compliance specialists, or cybersecurity professionals before taking any action based on this website.
Explore
Get FTC Safeguards help today!
Subscribe