New Updates To the GLB Safeguards Rule You Need To Know

Protecting consumer information has always been very important for auto dealers. However, an ever-rising uptick in data breaches has forced the Federal Trade Commission (FTC) to get involved. In an effort to further improve cybersecurity throughout the industry, the FTC adjusted the Gramm-Leach-Bliley (GLB) safeguards rule to include car dealerships in addition to traditional finance institutions. Recently, some new updates were also made to the GLB safeguards rule, here’s what you need to know.

What Does the GLB Safeguards Rule Have To Do With Dealerships?

Enacted on November 12, 1999, the GLB was created to address concerns related to consumer financial privacy in the financial industry. The rule requires the FTC and other government regulators to implement and enforce cybersecurity standards financial institutions must adhere to. The GLB was later amended to expand the definition of “financial institution” to include businesses that offer financial services like loans, financial advice, and more.

With this new change, auto dealerships became classified as financial institutions. As a result, if you are an auto dealer, you must meet safeguard compliance requirements. This includes assessing risk to consumer data security, implementing a plan to follow car dealership privacy laws, regularly monitoring and updating the plan, and designating an individual responsible for the plan.

While automotive dealership compliance has been around for decades, it’s important to stay on top of your compliance efforts. Especially now that the FTC has made final updates to the GLB safeguards rule. If you don’t meet the new requirements, your business could become noncompliant and be subject to lawsuits and enforcement actions.

What’s New in the GLB Safeguards Rule?

Announced on October 27, 2021, the latest adjustments to the GLB impose new specific criteria you must follow. Previously, the requirements were more general and up for interpretation. Expected to go into full effect in October 2022, here are the updates:

Specific Topics

Your dealership is still expected to perform risk assessments to ensure the security of consumer information. However, now you’re going to have to address specific topics in your risk assessment. In addition to the assessment, you’re going to have to produce a written report to document your evaluation’s results.

Specific Issues

Another important update focuses on the issues you address in your safeguarding plan. You must now address specific issues such as:

Access controls
Data inventory and classification
Encryption
Secure development practices
Authentication
Information disposal procedures
Change in management
Testing
Incident response

Effectiveness of Your Plan

The best way to ensure your plan works is to put it to the test, and your cybersecurity plan is no exception. This update is based on this philosophy. To be compliant with this change, you must adopt measures to oversee your GLB safeguards rule plan’s effectiveness. You are also expected to manage employee training and any third party services you receive.

Accountability

Before the rule adjustments, it was acceptable to nominate two or more employees to be responsible for your company’s safeguards program. The new rule requires you to choose only one qualified person to oversee the program.

Annual Reports

As you assess your cybersecurity measures, you’re going to have to also create reports. These reports must be provided to your board of directors or governing bodies. This is meant to raise the stakes for managers and owners as it demands direct involvement to protect consumer data.

Compromises

While there are a number of changes that lead to new requirements, one of the updates makes a few compromises. If your auto dealership collects information from less than 5,000 consumers, you are exempt from providing written risk assessments and incident response plans. You are also exempt from having to report annually to your board of directors.

Achieve GLB Compliance Before Time’s Up

Computer Technology Management Services is a managed service provider that specializes in auto dealership compliance. We stick with you every step of the way to make GLB compliance easy. Let our consultants help you achieve compliance so you’re ready before the deadline hits.