FTC Extends Safeguard Rule Compliance by Six Months

On November 15, 2022, the Federal Trade Commission announced it will be extending the deadline for dealerships to comply with changes implemented to strengthen the data security safeguards by six months.

The amended deadline to comply with some of the requirements is now June 9, 2023.

The Safeguards Rule requires dealerships to develop a comprehensive security program to protect their customers’ personal information. The rule had an original deadline of December 9, 2022.

The decision to extend the deadline is based on reports that upgrading security systems may be delayed due to supply chain issues as well as a lack of a qualified labor force equipped to implement information security programs. Dealerships, particularly small ones, may find it difficult to be in compliance by the original deadline. Earlier this year, the NADA sought to extend the deadline by submitting comments to the FTC.

The provisions of the updated rule specifically affected by the six-month extension include requirements that covered financial institutions:

• designate a qualified individual to oversee their information security program,
• develop a written risk assessment,
• limit and monitor who can access sensitive customer information,
• encrypt all sensitive information,
• train security personnel,
• develop an incident response plan,
• periodically assess the security practices of service providers, and
• implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

Dealers should discuss the deadline extension with their trusted advisors to ensure that their efforts to comply with the requirements of the Safeguard Rule are in line with the amended deadline.