Submit Ticket

Fullpath: FTC Compliance and the Gramm-Leach-Bliley Act

Chaya David
  • Updated
Follow

What is the Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act requires financial institutions - which auto dealers are now considered -  that offer consumers financial products or services like loans, financial or investment advice, or insurance - to explain their information-sharing practices to their customers and to safeguard sensitive data.

To be GLBA compliant, dealerships must communicate to their customers how they share the customers’ sensitive data, inform customers of their right to opt-out if they prefer that their personal data not be shared with third parties, and apply specific protections to customers’ private data in accordance with a written information security plan created by the institution.

 
The primary data protection implications of the GLBA are outlined in its Safeguards Rule, with additional privacy and security requirements issued by the FTC’s Financial Privacy Rule, created under the GLBA to drive implementation of GLBA requirements. The FTC on Nov. 15 extends the deadline to comply with its Safeguards Rule. If no further extensions are granted, the rule had been scheduled to take effect June. 9, 2023.

 

Dealer Impact

In 2003, the FTC left it to institutions to decide what sufficed for security measures. In 2022, the Safeguards Rule amendment provides a set of specific practices to Dealerships required for protecting consumer data, based on today’s privacy standards. The FTC lists them as:
 
  • Each auto dealership must designate a ‘qualified individual’ who will serve as the overseer of their cybersecurity program and provide written reports to a governing board.

  • They will need to conduct regular risk assessments of both their own security systems and the security systems of their vendors to ensure that all customer and client data is kept encrypted.

  • They must implement safeguards to control the risks identified, such as identity and access management, encryption, and multi-factor authentication.

  • They must test and monitor effectiveness of key controls, through practices such as continuous monitoring and vulnerability assessments.

  • They must ensure that all employees are provided with security awareness training, updated as necessary to reflect risks.

  • They must require their own service providers to maintain appropriate safeguards, through selection, contract requirements, and assessments.

  • They must continue to adjust their security program based on the results of their monitoring and any changes to the business.

  • They must establish a written incident response plan, outlining roles, responsibilities, and remediation actions taken in the event of an incident.

  • Finally, the qualified individual must report, in writing, on the overall status of the security program.

 

You can see the full outline of FTC Safeguards Rule requirements here.

And here you can find FTC's Privacy Rules and Auto Dealer FAQs

 


What is Fullpath Doing?

Fullpath is proud to be one of the very few companies in the automotive space that is ISO 27001 certified (for 3 years now!) this is top international standard of information security. Learn more about our certification and  Data Security and Privacy at Fullpath.

 

With regards to the FTC compliance and GLBA, Fullpath can ensure the following:

  • Fullpath has a designated Chief Information Security Officer (CISO) to ensure thorough and consistent compliance with ISO data security standards.

  • All our customer data is encrypted and siloed in separate databases.

  • In accordance with our ISO certification, we conduct ongoing risk assessment on all our data services.

  • We maintain separate permission levels for different dealership employees and different products and data sets those employees may/ may not have access to

  • Fullpath complies with the top standards and protocols for incident response as outlined in our ISO Certification (above and beyond this, we are committed to keeping the Dealership informed of any potential or actual security breach)

  • Fullpath conducts quarterly internal data security audits along with yearly external data audits conducted by local ISO reps.