Dealers are feverishly working on a mandate from the Federal Trade Commission (FTC) to comply with new standards to keep their customers’ information safe. Many of the new standards are set to go into effect on December 9, 2022. The Small Business Administration’s Office of Advocacy recently wrote a letter to the FTC requesting an extension of the deadline, arguing that it was necessary due to a shortage of professionals to help financial institutions, including dealers, implement security programs. The extended deadline is now June 9, 2023. This is great news for dealers; however, they should “keep their foot on the gas” since June 9, 2023, will be here before we know it. The provisions of the rule that were specifically extended to June 9, 2023, include:
- designate a qualified individual to oversee and implement your information security program;
- develop a written risk assessment;
- limit and monitor who can access sensitive customer information;
- design and implement a program that identifies and manages data, personnel, devices, systems and facilities;
- encrypt all sensitive information;
- adopt practices to ensure in-house developed applications used to transmit, store or access sensitive information are secure and test externally developed applications for security;
- implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information;
- develop procedures that address securely disposing of sensitive information;
- adopt procedures for change management;
- train security personnel;
- implement policies and procedures designed to log activity of authorized users and detect unauthorized access to information;
- implement policies and procedures designed to log activity of authorized users and detect unauthorized access to information;
- develop an incident response plan; and
- periodically assess the security practices of service providers.
Provisions of the rule that were not extended and are still due December 9, 2022, include:
- periodically reexamine whether or not customer information is secure;
- regularly test or otherwise monitor the effectiveness of your safeguards’ key controls;
- take reasonable steps to only work with service providers that are capable of securing customer information;
- require service providers to maintain safeguards over customer information to which they have access; and
- evaluate and update your program based on the results of your testing and monitoring.
Again, June 9, 2023, will be here before we know it. We highly recommend that you keep your momentum and continue working on this program.
by Barton D. Haag, CPA 
Barton D. Haag joined ARB in 1996 and has been a principal with the firm since 2005. As the Practice Leader for ARB’s Auto Dealership Team, Bart provides financial accounting, income tax planning, and business advisory services for clients in the automotive and motorcycle dealership industries. He also works with closely-held businesses, many of which are family-owned.
