
FTC Safeguards for Auto Dealers: The 9 Areas, Real Risks, and How to Comply
If your dealership arranges financing or leases, the FTC Safeguards Rule applies. The Rule requires a written information security program with nine elements that protect customer information such as Social Security numbers and bank details. See 16 C.F.R. §314.4 and the FTC’s small-entity guide What Your Business Needs to Know. For dealer specifics, use the Automobile Dealer FAQs.
What changed in 2024
The FTC added a breach notification requirement that is now in effect. Covered institutions must notify the FTC within 30 days of discovering certain breaches that affect 500 or more consumers. See the press release and this FTC blog reminder. The full Rule is at 16 C.F.R. Part 314.
Why this matters to operations and revenue
Vendor outages and cyber incidents can stop sales, F&I, and service. During the 2024 CDK incident, dealerships across the country reverted to manual workarounds and lost productivity. Anderson Economic Group estimated about 1.02 billion dollars in dealer losses over three weeks (AEG source), and multiple retailers reported financial impacts (Reuters), with a public outage timeline (Reuters update).
The 9 Areas in plain English
Below are the nine required elements, what they mean inside a dealership, and fast actions that move you forward. Citations point to the Rule and the FTC’s official guidance.
1) Appoint a Qualified Individual
Problem: Security tasks are spread across IT, F&I, and vendors, so nothing is owned end to end.
Requirement: Name a Qualified Individual with authority to run the program and report to leadership. Outsourcing is allowed, but the dealership remains accountable. §314.4(a)
Fast actions: Give written authority, set monthly reporting to the GM or owners, and define a 90-day roadmap.
2) Create a written risk assessment
Problem: No single map of where PII lives across DMS, CRM, email, lender portals, and paper files.
Requirement: A documented risk assessment with criteria, identified risks, and planned mitigations, updated as conditions change. See the FTC guide.
Fast actions: Inventory systems and data flows for credit applications and scanned IDs. Rank risks and tie each risk to a control.
3) Implement safeguards to control risks
Problem: Shared logins, ex-employee access, and broad vendor permissions create easy openings.
Requirement: Access controls, asset and data inventory, encryption in transit and at rest, secure development, multi-factor authentication, secure disposal, change management, and logging or monitoring. §314.4(c)
Fast actions: Turn on MFA for DMS, CRM, and email. Remove shared accounts. Encrypt endpoints. Reduce vendor permissions to minimum necessary. Set a retention and destruction schedule for digital and paper records.
4) Monitor and test your controls
Problem: You learn about problems from customers or lenders after damage is done.
Requirement: Continuous monitoring, or annual penetration testing plus semiannual vulnerability scans, and testing after material changes. See the FTC guide.
Fast actions: Centralize security alerts for admin logins and bulk data exports. Schedule a third party pen test and twice yearly scans.
5) Train your staff
Problem: Phishing, wire fraud, and sending PII by email are common failure points.
Requirement: Role-appropriate training for all staff, plus deeper training for the people who operate the program. See the FTC guide.
Fast actions: Quarterly micro-training and phishing simulations. Use a secure file exchange for lenders. Add a basic DLP rule that flags unencrypted PII in email.
6) Oversee service providers
Problem: DMS, CRM, marketing platforms, shredding services, and remote IT handle customer information, but contracts do not address security.
Requirement: Vet providers, include security requirements in contracts, and reassess periodically. §314.4(f) and the Dealer FAQs
Fast actions: Add MFA, encryption, breach notification, and audit rights to contracts. Keep a vendor register with risk tiers and annual reviews.
7) Keep the program current
Problem: New tools and integrations arrive, but policies and controls are not updated.
Requirement: Update safeguards as operations, threats, personnel, or systems change. See the FTC guide.
Fast actions: Add a security impact step to software purchasing. Review the risk assessment quarterly and document changes.
8) Maintain a written incident response plan
Problem: During an incident, everyone calls the GM and no one knows the first five steps.
Requirement: A written plan that defines goals, roles, communications, investigation, remediation, and lessons learned. §314.4(h)
Fast actions: Build a one-page contact sheet. Run a tabletop drill. Pre-draft lender and customer notifications.
9) Report to owners or the Board
Problem: Security only comes up during outages or audits.
Requirement: At least annual written reports to owners or the Board on risk status, test results, incidents, service provider oversight, and program updates. §314.4(i)
Fast actions: Put security metrics on the monthly agenda. Assign remediation tasks with due dates and owners.
What counts as customer information in a dealership
The FTC explains that customer information covers nonpublic personal information collected during financing or leasing. Names and addresses may be covered when they indicate financing status or are combined with other financial data. See Automobile Dealer FAQs and the Safeguards Rule page.
Common dealership scenarios and how the Rule applies
Vendor outage: Your DMS provider experiences a cyber incident. Sales and F&I slow, and you need a clear path to verify what happened and who was affected. With logging, an incident plan, and strong vendor contracts, you can protect customers, meet timelines, and support insurance claims. See the AEG impact analysis and the Reuters coverage.
F&I email mistake: A finance manager emails a PDF pack that includes a customer’s SSN. Security awareness training, a secure file exchange, and basic email DLP would prevent or encrypt that message. See expectations in the FTC guide.
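An added example, not code from the original article, of the basic email DLP rule mentioned under item 5 and in this F&I scenario: it scans an outbound message and the text extracted from its attachments for plaintext SSNs and flags the message when it is unencrypted and bound for an external recipient. The dealership mail domain, the message layout, and the sample message are assumptions.

```python
import re

# Constructed example of a basic email DLP rule; not code from the FTC or
# the page. It flags outbound mail carrying plaintext Social Security numbers.

# SSN layouts 123-45-6789, 123 45 6789 or 123456789. The backreference \2
# requires the same separator twice, so a ZIP+4 (48226-1234) or a 10-digit
# phone number does not match; the lookarounds reject longer digit runs (VINs).
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")
INTERNAL_DOMAIN = "example-dealer.test"  # assumed dealership mail domain

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    group 00 and serial 0000 are invalid. This removes most false positives."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def find_ssns(text: str) -> list:
    """Return every plausible SSN in text, as written."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(m.group(1), m.group(3), m.group(4))]

def mask(ssn: str) -> str:
    """Keep only the last four digits so the DLP log does not leak PII itself."""
    return "***-**-" + ssn[-4:]

def evaluate_outbound(msg: dict) -> dict:
    """Policy decision for one outbound message. msg keys (assumed layout):
    to, subject, body, attachments_text (text extracted from attachments),
    encrypted. Returns 'flag' when plaintext SSNs would leave the dealership
    to an external recipient, otherwise 'allow'."""
    corpus = "\n".join([msg.get("subject", ""), msg.get("body", ""),
                        *msg.get("attachments_text", [])])
    ssns = find_ssns(corpus)
    external = [a for a in msg.get("to", [])
                if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    flagged = bool(ssns) and bool(external) and not msg.get("encrypted", False)
    return {"action": "flag" if flagged else "allow", "ssn_count": len(ssns),
            "samples": sorted({mask(s) for s in ssns}), "external_to": external}

# Constructed sample: an F&I PDF pack emailed to a lender with an SSN inside.
SAMPLE_MSG = {
    "to": ["funding@lender.test"],
    "subject": "Deal 4471 credit app",
    "body": "Attached. Call 248-555-0199 with questions. ZIP 48226-1234.",
    "attachments_text": ["Applicant SSN: 123-45-6789\nCo-applicant SSN 666-12-3456"],
    "encrypted": False,
}
```

The flagged message is the one a secure file exchange or forced encryption should catch; the phone number, ZIP+4, deal number, and the structurally invalid 666 SSN are all passed over.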
Offboarding gap: A salesperson leaves but their CRM login remains active. Access controls, automated offboarding, and quarterly user audits align with §314.4(c).
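An added example of the quarterly user audit this scenario calls for (not code from the article): it reconciles a constructed CRM user export against an HR roster and flags logins still enabled after termination, generic shared accounts with no owner, and dormant accounts. The record layouts, the 90-day dormancy threshold, and the sample data are assumptions.

```python
from datetime import date

# Constructed example of a quarterly user-access audit that reconciles a CRM
# or DMS user export against the HR roster. Assumed record layouts; not a
# vendor API and not code from the page.

DORMANT_DAYS = 90   # assumed policy: accounts unused this long get disabled
SHARED_NAMES = {"sales", "fi", "finance", "frontdesk", "service", "admin"}

def audit_accounts(accounts, roster, today):
    """accounts: enabled accounts from the system export, each
    {user, email, last_login (date or None)}.
    roster: dict email -> {status: 'active'|'terminated', term_date: date|None}.
    Returns findings as {user, issue, detail}, most urgent first."""
    findings = []
    for acct in accounts:
        user, email = acct["user"], acct["email"].lower()
        last = acct.get("last_login")
        person = roster.get(email)
        if person is None:
            # Nobody in HR owns this login: a generic/shared account or a leftover.
            issue = "shared" if user.lower() in SHARED_NAMES else "unowned"
            findings.append({"user": user, "issue": issue,
                             "detail": "no matching employee in HR roster"})
        elif person["status"] == "terminated":
            gap = (today - person["term_date"]).days
            used = last is not None and last > person["term_date"]
            findings.append({"user": user, "issue": "active_after_termination",
                             "detail": f"terminated {gap} days ago, still enabled"
                             + (", used after termination" if used else "")})
        elif last is None or (today - last).days > DORMANT_DAYS:
            findings.append({"user": user, "issue": "dormant",
                             "detail": f"no login in the last {DORMANT_DAYS} days"})
    order = {"active_after_termination": 0, "shared": 1, "unowned": 2, "dormant": 3}
    return sorted(findings, key=lambda f: order[f["issue"]])

# Constructed sample data for one audit run.
TODAY = date(2025, 4, 1)
ROSTER = {
    "jlee@example-dealer.test": {"status": "active", "term_date": None},
    "mross@example-dealer.test": {"status": "terminated", "term_date": date(2025, 1, 15)},
    "pkim@example-dealer.test": {"status": "active", "term_date": None},
}
ACCOUNTS = [
    {"user": "jlee", "email": "jlee@example-dealer.test", "last_login": date(2025, 3, 30)},
    {"user": "mross", "email": "mross@example-dealer.test", "last_login": date(2025, 2, 2)},
    {"user": "pkim", "email": "pkim@example-dealer.test", "last_login": date(2024, 11, 1)},
    {"user": "sales", "email": "sales@example-dealer.test", "last_login": date(2025, 3, 31)},
]
```

The "used after termination" detail is the one to escalate under the incident plan, since it means a departed person's credentials were exercised after their exit.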
A 30-day starter plan for Safer Dealer clients
- Appoint the Qualified Individual and define reporting. §314.4(a)
- Complete a written risk assessment and current system inventory. FTC guide
- Enforce MFA, remove shared logins, and encrypt endpoints. §314.4(c)
- Stand up logging and monitoring, and schedule a pen test with semiannual vulnerability scans. FTC guide
- Build a one-page incident plan and run a tabletop exercise. §314.4(h)
- Update service provider contracts with safeguards, MFA, breach notice, and audit rights. §314.4(f)
Frequently asked questions
Are most franchised dealers covered?
If your store arranges financing or leases for more than 90 days, you are a financial institution under the Rule. See Automobile Dealer FAQs.
Do we have to encrypt everything?
The FTC expects encryption in transit and at rest for customer information or a documented alternative control approved by your Qualified Individual. See §314.4(c) and the FTC guide.
What if a vendor has the breach?
You must oversee service providers, and you may have to notify the FTC if the event meets the threshold. See §314.4(f) and the notification rule.
If your dealership helps customers with vehicle financing or long-term leases, you are considered a financial institution under federal law.
That means you must protect customer information under the FTC Safeguards Rule.
Here are the same nine elements from a slightly different angle, in case the framing above did not work for you.
1. Designate a Qualified Individual
What it means:
You must name one person who is responsible for managing your dealership’s information security program. This person oversees cybersecurity, documentation, and communication between staff, vendors, and leadership.
They do not have to be an IT specialist. Many dealerships assign this role to their IT manager, controller, or a trusted Managed Security Service Provider (MSSP).
Why it matters:
The FTC wants clear accountability. When an issue arises, regulators expect one person to be able to explain what safeguards were in place and how your dealership responded.
Example:
A controller serves as the Qualified Individual and works with an outside IT partner to handle security reports, staff training, and vendor reviews. When management asks for updates, they receive clear, written reports.
2. Conduct a Written Risk Assessment
What it means:
You must perform a written review that identifies where your dealership collects, stores, and shares customer information. This includes your CRM, DMS, lender portals, email, and paper files. The assessment must describe potential risks and how you plan to reduce them.
Why it matters:
Without knowing your risks, you cannot manage them. The FTC expects dealerships to understand where data is most vulnerable and to show written proof that steps have been taken to address those risks.
Example:
A risk assessment shows that customer credit applications are saved on an open office computer. The dealership updates its policy to store these files on a secured drive and limits access to finance staff only.
3. Design and Implement Safeguards
What it means:
You must create and apply safeguards that protect customer information based on your risk assessment. Safeguards are simply protective tools and processes that keep data secure.
Common safeguards include multi-factor authentication, encryption, limited access to sensitive systems, and secure disposal of old records or devices.
Why it matters:
Safeguards are the foundation of compliance. They show the FTC that your dealership has taken measurable steps to protect customer data from theft, misuse, or loss.
Example:
The dealership requires employees to use multi-factor authentication when logging into the DMS. Even if a password is stolen, unauthorized users cannot access customer data.
4. Regularly Monitor and Test Safeguards
What it means:
Your security program must be checked regularly to make sure it continues to work. Dealerships should schedule penetration testing, vulnerability scans, and reviews of access logs to find problems before criminals do.
Why it matters:
Technology and threats change quickly. Regular testing prevents surprises and helps you find issues while they are still small.
Example:
A vulnerability scan shows that an old Wi-Fi network used for service tablets is still active. The dealership disables it and updates its wireless settings to block unauthorized access.
5. Train Employees
What it means:
Every employee who handles customer information must receive training on how to protect it. Training should cover topics such as phishing emails, password management, and how to report suspicious activity.
Why it matters:
Employees are your first line of defense. Most data breaches start with human error, and training greatly reduces that risk.
Example:
An employee receives an email that looks like a message from a bank, asking for customer account numbers. Because of training, they recognize it as fake and report it instead of clicking the link.
6. Oversee Service Providers
What it means:
You must confirm that your third-party vendors who handle customer data also follow strong security practices. This includes your CRM provider, DMS company, website vendor, and others.
Before sharing data, review each vendor’s security measures and include protective language in your contracts.
Why it matters:
Even if a vendor’s system is hacked, your dealership can still be held responsible for customer data that you shared. Vendor oversight proves that you took reasonable steps to choose secure partners.
Example:
A dealership updates its vendor contracts to require immediate notification of any data breach. It also reviews each vendor’s cybersecurity certifications once a year.
7. Keep Your Program Current
What it means:
Your information security program must be reviewed and updated regularly. Any change in technology, staffing, or process can create new risks that need to be addressed.
Why it matters:
Cyber threats and business operations evolve over time. Regular updates keep your safeguards effective and prevent outdated procedures from creating new vulnerabilities.
Example:
After switching to a new CRM system, the dealership updates its policies, adjusts employee permissions, and retrains staff on how to handle customer data in the new platform.
8. Create a Written Incident Response Plan
What it means:
Your dealership must have a written plan that explains how to handle a data breach or cybersecurity event.
The plan should define roles, outline how to contain the issue, describe who to notify, and explain how to prevent the same problem in the future.
Why it matters:
When an incident happens, a written plan prevents confusion and delay. It ensures a coordinated and legal response that limits damage to your dealership and customers.
Example:
When a phishing attack hits a dealership’s email system, the team follows the incident response plan by disconnecting affected computers, contacting their IT partner, and beginning documentation for the FTC.
9. Report to Your Board or Ownership Annually
What it means:
Your Qualified Individual must prepare a written report at least once a year for ownership or the board of directors. The report must summarize your risk assessments, results of testing, any incidents, and recommendations for improvement.
Why it matters:
The FTC expects dealership leadership to stay involved and informed. Compliance is a management responsibility, not just an IT task.
Example:
The annual report outlines all employee training completed, new safeguards added, and any issues resolved. The owner signs the report and keeps it with compliance records.
Bonus: Breach Notification Requirement
What it means:
If a data breach exposes unencrypted information belonging to 500 or more consumers, your dealership must report the incident to the FTC within 30 days of discovering it.
Why it matters:
This rule gives the FTC visibility into serious breaches and helps protect consumers more quickly. Failure to report can lead to penalties and additional investigations.
Example:
A laptop containing unencrypted customer credit files is stolen from a salesperson’s vehicle. The Qualified Individual submits a report through the FTC’s online notification form within the 30-day window.
The Bottom Line
The FTC Safeguards Rule focuses on accountability, documentation, and protection. Every dealership, regardless of size, must be able to show written proof that customer information is being handled safely and that safeguards are actively managed.
A complete, well-documented program protects your customers, your reputation, and your business.
