FTC Safeguard Rules FAQ

These FAQs are based on our experience and the experiences of our customers. They are not legally binding. Read the original FTC rules document for further information.

1. What is MFA?

MFA stands for multi-factor authentication. It means verifying in more than one way that you are who you say you are when you access a system.

2. How do I implement MFA?

This can be done in multiple ways. If you use a third party to store your data, they will need to have MFA in place for you to stay compliant. It can take the form of a text message with a code, an IP address restriction on access, a security question, or a smartcard. The qualified individual at your dealership should assess the ways in which your people access the data and decide which form of MFA works best for your workflow.

3. The phrase ‘qualified individual’ appears throughout the safeguarding rules. What is a qualified individual?

This is one person at your dealership, or a third party, who manages the protocol for safeguarding information. They understand the rules and regulations and, to the best of their abilities, have a system in place that protects the customer’s information.

4. Does the qualified individual need to go through a training process?

They do not. As long as they understand your dealership and the workflow of customer documents throughout it, and have an understanding of the regulations, anyone can be designated the qualified individual.

5. The Safeguards Rule requires us to reduce risk by eliminating paper, which differs from the rules required by other entities. Who should I follow?

You will need to confirm this with your contacts at those other entities, but we recommend keeping paperwork for the longer of the required time frames. That keeps you in compliance with all parties.

6. How do I log who is touching documents with non-public information?

This can only be done if your documents are digital. If your documents are stored only in hard copy, you can manage who has access to the storage areas, but not what they are looking at or when. If you store the documents digitally, your provider should be able to pull you a list of who accessed which documents and at what time. Review this list frequently to ensure that only the people who need the information still have access to it.
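The access review described above, as an added example that is not part of the original FAQ or any provider's tooling: it parses a constructed access-log export (the column layout and the role-to-document mapping are assumptions for this example), builds the who-accessed-what-and-when list, flags accesses by roles that do not need that document type, and lists users with no activity in the review window as candidates for access removal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (hypothetical provider format), one record per line:
# timestamp, user, role, document id, action
SAMPLE_LOG = """\
2024-03-01T09:12:00,jsmith,finance,deal-1042,view
2024-03-01T09:40:00,mlee,sales,deal-1042,view
2024-03-02T14:05:00,jsmith,finance,deal-1043,download
2024-03-03T11:20:00,tbrown,service,deal-1042,view
2024-03-20T08:00:00,mlee,sales,deal-1050,view
"""

# Which roles legitimately need each document type (assumption for this example).
ALLOWED_ROLES = {"deal": {"finance", "sales"}, "repair": {"service"}}

def parse_log(text):
    """Turn the export into records with a real datetime for sorting and comparison."""
    records = []
    for line in text.splitlines():
        ts, user, role, doc, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "doc": doc, "action": action})
    return records

def access_report(records):
    """Who accessed which document, and when: the list the FAQ says a provider should supply."""
    by_doc = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_doc[r["doc"]].append((r["ts"].isoformat(), r["user"], r["action"]))
    return dict(by_doc)

def out_of_role_accesses(records):
    """Accesses where the user's role does not need that document type."""
    flagged = []
    for r in records:
        doc_type = r["doc"].split("-")[0]
        if r["role"] not in ALLOWED_ROLES.get(doc_type, set()):
            flagged.append((r["user"], r["doc"]))
    return flagged

def inactive_users(records, as_of, days=14):
    """Users with no access in the window: candidates for having access removed."""
    last_seen = {}
    for r in records:
        last_seen[r["user"]] = max(last_seen.get(r["user"], r["ts"]), r["ts"])
    cutoff = as_of - timedelta(days=days)
    return sorted(u for u, ts in last_seen.items() if ts < cutoff)
```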

7. Do I have to hire additional IT staff to manage this?

You should not need to. This may be an additional project your staff takes on to ensure the right processes are in place, and some processes may need to change, but it should not be a big tax on your IT department beyond what they are already doing. There are third-party companies, such as Complyauto, that can come in, assess where you are, and identify any changes you may need to make.

8. How often do I need to check on my process?

This is up to the discretion of your qualified individual. Whether it is once a month, once a quarter, or twice a year, the important part is creating checkpoints to confirm that the process is working.

9. What happens in the event of a breach?

Your qualified individual should create a process for responding to a breach. This should include:

  1. Documented internal processes your company will activate in response to a security event

  2. Clear roles, responsibilities, and levels of decision-making authority

  3. Communications and information sharing both inside and outside your company, including who needs to be informed of the event and in what timeframe

  4. A process to fix any identified weaknesses in your systems and controls

  5. Procedures for documenting and reporting the security event and your company’s response, as well as a post-mortem of what happened and a revision of your incident response plan and information security program based on what you learned

10. Where am I at risk? Where should I be putting safeguarding measures?

Think through the life cycle of the customer’s information. From the time the customer enters the dealership to the time the deal or repair is closed and stored, how secure is each of these processes? Is digital information encrypted? Is paper containing non-public information shredded? Are paper jackets stored in a secure area? What apps are your people using?