How Does Email Security Help Auto Dealers Comply with FTC Safeguards Rule?

The FTC Safeguards Rule applies to financial services companies, including National Automobile Dealers Association (NADA) members, and requires them to comply. The Safeguards Rule governs the transmitting and storing of sensitive consumer data collected during various financial activities. The new deadline is now June 9, 2023.

“The Safeguards Rule applies to financial institutions that fall under the FTC’s jurisdiction and are not under the enforcement authority of another regulator as per section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805.”

This article discusses the email security compliance requirements that automotive dealerships need to have in place by June 9th, 2023, to comply with the FTC Safeguards Rule.

Trustifi, with its fully integrated email security solution, delivers every adaptive technology control, including email encryption, archiving, and data loss prevention, along with reporting capabilities for auto dealerships to meet the FTC Safeguards Rule requirements.

What are the Penalties for Failing to Comply with the FTC Safeguards Rule?

Auto dealerships that violate the Safeguards Rule may face consequences such as fines, injunctions, or compliance program mandates at the discretion of the FTC. The FTC is the enforcement authority for the Safeguards Rule. Enforcement actions, including fines and suspension of commerce, are within its jurisdiction.

Other regulatory agencies, including the Consumer Financial Protection Bureau (CFPB) and state banking regulators, may also take action and impose penalties for noncompliance when a dealership fails to protect sensitive customer data with proper security practices.

What are the Email Attachment Encryption Requirements under the Safeguards Rule?

The FTC Safeguards Rule mandates that all personal consumer information, including credit applications for automobile purchase contracts, credit applications, and warranty information attachments, be encrypted within the email channel. “Customer information includes any record containing nonpublic personal information about a financial institution’s customer, whether in paper, electronic, or another form, that is handled or maintained by or on behalf of the institution or its affiliates.”

Is TLS-Encryption Enough to Comply with the Safeguards Rule?

TLS is the standard primary email encryption method. It encrypts connections between TLS-enabled email servers. Google claims 80% of their email messages are encrypted using TLS. Unfortunately, TLS encryption alone is not enough and leaves emails vulnerable to unauthorized access.

  • The TLS encryption used in emails doesn’t offer comprehensive end-to-end security, leaving emails and attachments susceptible to risks during transmission and storage.

The more significant concern from the FTC is that sensitive information, including documents containing personally identifiable information (PII) and personally identifiable financial information (PIFI), is still being emailed without encryption; this poses a considerable risk to the consumer.

Compliance Requirements for NADA Members.

Automobile dealerships need to meet the following requirements for the FTC Safeguards Rule.

  • Ensuring the company’s information security program stays current, complete with periodic reports to the board of directors, risk management teams, and the person responsible for compliance with the rule.
  • Ensure NADA members dispose of all customer financial information after two years by enabling a retention policy to avoid potential risks.
  • Keep your information security program updated each quarter with new policies and adaptive controls to reduce the impact of critical vulnerabilities.
  • Encrypt all personal information through the email channel.
  • Monitor and test your email security platform to validate that the adaptive controls are functioning.
  • Conduct security awareness training for personnel handling consumer information.
  • Enable adaptive security controls and validate through your risk assessment process.
  • Conduct a risk assessment and periodic penetration testing, documenting all foreseeable risks and security threats.
  • Create a written security incident response procedure for all events that violate the security of customer information.

Vulnerability assessments help validate that auto dealerships follow compliance standards dictated by the FTC.

NADA members must protect access to customer information, report any failure to enable a proper level of security, and follow all core data security principles required after the June 9th, 2023, deadline.

What are the MFA Requirements?

This rule requires multi-factor authentication by enabling two of three authentication factors.

Trustifi’s AI-Powered Email Security Platform – Enable, Comply, and Monitor for the Auto Industry

Trustifi’s cloud-based email security platform delivers to its automotive clients several fully integrated capabilities to help with the FTC Safeguards Rule. All of the needed security controls are enabled through a single management console. Email administrators and security engineers use the Trustifi console to enable the following protection layers:

  • Full email encryption with Trustifi’s one-click-to-encrypt capability.
  • Trustifi’s advanced artificial intelligence engines help identify malicious behavior and possible email compromises.
  • Multi-factor authentication to ensure secure delivery to the correct receiver.
  • Trustifi’s easy-to-use automated email encryption rules for all outbound messages, including email attachments.
  • Critical controls, including Trustifi data loss prevention (DLP), protect sensitive data sent through the email channel by encrypting all messages to comply with the FTC Safeguards Rule.
  • Trustifi provides detailed reporting of all email security protection for compliance monitoring.
  • Role-based access control (RBAC) in the management console to ensure only administrators and designated security personnel can access it.
  • Support full email retention and legal hold with the Trustifi e-discovery and archive solution.
  • Trustifi’s managed EMDR services are available for all NADA members to assist in 24×7 monitoring and managing all email security policies and controls.

Why Trustifi?

Trustifi is a cyber security firm featuring solutions delivered on a software-as-a-service platform for NADA members. Trustifi leads the market with the easiest-to-use and easiest-to-deploy email security products, providing both inbound and outbound email security from a single vendor.

As a global cybersecurity provider of both inbound and outbound email protection, Trustifi currently supports customers from countries including the USA, Canada, Brazil, the Dominican Republic, the UK, the Netherlands, India, the UAE, China, Japan, Cyprus, the Philippines, and more. The company has also developed “One-Click Compliance” capabilities that cater to world security regulations, including PDPO for Hong Kong, POPI for South Africa, GDPR for Europe, and LGPD for Brazil.
