FTC Safeguards Rule, answered for dealers.
Running a dealership is demanding enough without decoding a federal cybersecurity rule. Here are straight answers to the questions we hear most from dealer principals and their teams.
-
Because you hold what criminals want: customer financial data. Dealerships collect loan information, credit applications, and IDs, yet many still run outdated systems or weak passwords. A single stolen login can open the door to everything, and attackers know it.
-
Yes. If your dealership helps customers with financing or leases, federal law treats you as a financial institution. The FTC Safeguards Rule applies to every dealership that collects personal financial information, regardless of size.
-
The FTC can investigate, issue fines, and require proof of compliance. Civil penalties can exceed $50,000 per violation. Beyond the fine, a data breach can bring customer lawsuits, insurance problems, and reputational damage that takes years to repair.
-
Less than a single data breach. Compliance scales to your size. With the right MSSP or IT partner, smaller dealerships can put the required safeguards in place at a reasonable monthly cost. The investment protects your data, your reputation, and your legal standing.
-
Not necessarily. You must designate a Qualified Individual, but that can be your controller, operations manager, or a trusted MSSP partner. What matters is that someone is clearly responsible for managing your information security program.
-
Ask them how they protect your customer data. Every vendor that touches financial information (CRM providers, website companies, DMS vendors) should have documented security policies and certifications. Build data-protection requirements into your contracts.
-
Start with a written risk assessment. You cannot protect what you have not identified. A proper assessment shows where your dealership stores customer information, how it moves, and where it is vulnerable. From there you can begin closing gaps.
-
Phishing. Most breaches start with an employee clicking a fake email link. The most cost-effective fix is training. When staff know what to look for, they become your first and strongest line of defense.
-
At least once a year, and after any major system change. Technology, vendors, and threats move quickly. Regular testing confirms your protections still work and lets leadership prove ongoing oversight if regulators ask.
-
Because panic does not solve problems. When a cyber event hits, a written plan tells everyone what to do, who to call, and how to contain it. It keeps your team calm, reduces mistakes, and helps you recover faster.
-
They provide monitoring, advanced security tools, and compliance documentation most dealerships cannot maintain alone. An MSSP acts as your technology safety net, watching your systems day and night so you can focus on customers.
-
With documentation: your written program, risk assessment, training records, vendor contracts, and your annual report to leadership. When everything is written, dated, and stored properly, you can show compliance at any time.
Still have a question about your dealership?
Ask it directly. A free gap assessment answers the biggest one: exactly where your store stands against all nine requirements.