New Gramm-Leach-Bliley Act cybersecurity rules: How car dealers can prepare

Implementing IT security measures to protect the data privacy of businesses and customers can be a daunting proposition for automobile dealerships, particularly smaller stores. The increased demand on resources and staff can be enough to make owners and managers balk at the effort and cost.

The Gramm-Leach-Bliley Act was originally put in place by the Federal Trade Commission to ensure that banks and other financial institutions would have technology and procedures to protect their customers' financial data from cyberattacks and breaches. The FTC then extended this safeguards rule to nonbank financial institutions including automobile dealerships. The new rule took effect on Jan. 10, 2022, and the FTC gave dealers one year to update processes and comply.

Fortunately, dealerships can take steps to establish or improve their IT and cybersecurity programs, both to meet new regulations and to support their businesses. These steps include developing a security strategy, implementing new procedures and working with staff to make sure new policies are understood and functional. Key to both compliance with the act and overall IT security is planning combined with clear, practical and strategic policies for preventing and addressing cyberthreats and other issues.

The first step in Gramm-Leach-Bliley Act compliance is developing an information security program, or ISP, to identify and prioritize cyberrisks in the dealership and lay out a program and timeline for fixing problem areas. A critical section of an ISP is the IT asset inventory, which identifies the entire range of computers, servers, mobile devices, cloud services and other resources that hold customer data and could be a target for hackers.

An equally important planning step is the development of an incident response plan that lays out how each member of the dealership team will react when there is a breach. In the chaotic first moments after a hack is discovered, the team can turn to the incident response plan which lists actions needed from each person on the team to mitigate damage and begin the recovery process. For most dealerships, the technical aspects of incident response will be handled by an outside vendor — either their managed discovery and response partner or a specialized forensic response consultant who has the experience and tools needed to locate and eliminate malware.

The act also mandates periodic risk assessments that identify changes to the threat landscape, whether those come from new assets or new vulnerabilities. With this information both the ISP and the incident response plan can be updated.

There are many IT security technologies that can be included in these plans. Encryption of a customer's personally identifiable information data is important, whether it's on a hard drive, attached to email or on a backup drive. Multifactor authentication, which confirms a user's identity by verification codes delivered via text message or email, frustrates hackers who have stolen credentials and allows the dealership to better secure its information at scale.

In addition to protecting data, it's important to have a plan to get rid of unneeded information. On example is to implement a data retention policy that mandates disposing of customer information within two years after the end of a customer relationship except data that must be kept because of state or federal laws.

Policies and procedures are only as effective as the team using them. Security awareness training is required to enable the dealership team to avoid phishing attacks or fake websites or other actions that can result in malware entering the system.

The Gramm-Leach-Bliley Act requires designating one person as a security officer who understands the entire security program and is tasked with maintaining it and coordinating the response to security incidents. For dealerships without an IT staff, the act requires training a person to be the security officer. This person would need to be familiar with the regulations and have enough IT and cybersecurity training to implement the incident response plan. If no such person is available in-house, then a dealership could designate a person from its IT/cybersecurity service provider.

Access to dealership computer systems sees a dramatic amount of change with employees, vendors and other third parties coming and going. Each of these events means changes to access rights for people on existing systems or on systems added to the network.

Change management programs track these changes and make sure that the right people have the right access and that if someone leaves their access is revoked. It's also important that partners who have access to a dealership's systems have their own security in place so your dealership is protected from hackers who have broken into their systems.

The cost to implement compliance program for the Gramm-Leach-Bliley Act is dependent on the network size and cybersecurity maturity level of each dealership. For the smaller "do it yourself" dealerships, investment costs will be more substantial.

In general, to become compliant, dealerships will need to budget for a security officer, security network/technology, ongoing penetration testing, ongoing risk assessments, employee training and ongoing act audit/compliance reporting. As with any compliance program, building compliance capability internally can be a very expensive endeavor. Most dealerships would benefit from outsourcing this service to a company that specializes in compliance with the act.

While these changes might seem expensive they pale in comparison with the size of the fines potential violators could incur — up to $100,000 per violation, with potential additional fines for responsible management. New cybersecurity technologies also have the potential to benefit dealership management and staff every day, beyond just meeting federal regulations — business data will be more secure and a connected, protected system will enable work to be more efficient.

While all auto dealers have their customers' best interest at heart, the Gramm-Leach-Bliley Act is throwing a spotlight on cybersecurity issues that many dealership owners are not aware of nor in a position to address. What's more, the act is providing a deadline to make changes. The good news is that the data protection techniques described here can help dealers to both meet the requirements of the act and offer dramatically better protection of their customers' data.