Auto dealers face a host of changes under the Federal Trade Commission’s updated Safeguards Rule going into effect June 9. The rule requires dealers to design an information security program that is appropriate to the size and complexity of the dealership, the nature and scope of its activities and the sensitivity of its customer information.

Requirements include:

• designate a qualified individual to oversee their information security program
• develop a written risk assessment
• limit and monitor who can access sensitive customer information
• encrypt all sensitive information
• train security personnel
• develop an incident response plan
• periodically assess the security practices of service providers
• implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

Originally, it was supposed to go into effect at the end of 2022, but the deadline was extended until next month. Earlier this year, Eric Johnson, a partner with the Hudson Cook law firm, said he expected a more aggressive FTC.

“I can see the FTC holding a dealer, or two or three, accountable for not complying with that new rule,” he said. “I just see the FTC be a lot more active than ever before under the new FTC Chair Linda Khan.”