Pub. 3 2022 Issue 3

FTC Safeguards Rule Compliance: What You Need To Know

This story appears in the Virginia Auto Dealer Pub. 3 2022 Issue 3

Note: In November, the Federal Trade Commission announced a six-month extension, to June 9, on the deadline for companies to comply with some of the amendments to the FTC’s Safeguards Rule. This article was written prior to that announcement but still offers good insights about the changes. Please consult with your attorneys and IT teams for more on the rules.

As we get closer to wrapping up 2022, it should come as no surprise by now that the Federal Trade Commission (FTC) remains active in directing its attention toward dealerships across the country. Aside from the Motor Vehicles Trade Regulation Rule that is taking up most of dealer attorneys’ attention as of late (as well as the National Automobile Dealers Association), another looming, and arguably just as important, regulation will come knocking at your showroom door come December 9: the Gramm-Leach-Bliley Act’s revised Safeguards Rule.

Oh yes, the Safeguards Rule. Dressed up as a set of consumer protection regulations (and for all intents and purposes, they are), the Safeguards Rule represents another arrow in the FTC’s quiver as it goes hunting for violating dealers. Having provided Safeguards Rule compliance services to over 6,000 dealerships of all sizes for over a year now, I can tell you now that the FTC should drop the bow and pick up a rifle because the concept of data protection in the automotive retail space likens dealerships to fish in a barrel more than deer in the great outdoors.

Your IT or MSP company is not enough – ComplyAuto works with them

A quick read of the regulations suggests that the Safeguards Rule is a set of data protection and cybersecurity requirements that all dealerships must follow by December 9. It is tempting to think that your IT company or Managed Service Provider (MSP) can provide you with all of the tools necessary for compliance, but contrary to popular belief, they are just one piece of the equation.

The Safeguards Rule consists of both technical and non-technical requirements. Some of the non-technical requirements that IT companies and MSPs may not be equipped to help you with are:

  1. Creating an Information Security Program (and designating a “Qualified Individual”)
  2. Creating required policies in the Incident Response Plan, IT Change Management Plan, and Data Retention Plan
  3. Training all employees in security awareness that complies with applicable state and federal rules
  4. Creating written physical/administrative and technical risk assessments
  5. Overseeing and monitoring Service Providers in fulfilling their obligations
  6. Annual reporting to the Board of Directors (or equivalent)

ComplyAuto can help you in all of these areas and more. Some dealers are happy with their existing providers and ComplyAuto will work closely with them to help get your dealership in full compliance with the federal regulations.

ComplyAuto is a turnkey solution for Safeguards Rule compliance

From the written policies for the organization to the multi-factor authentication on all of the dealership’s devices, ComplyAuto also has the tools to resolve the technical requirements of the Safeguards Rule. By also doing it all ourselves in-house, ComplyAuto is now able to provide a more harmonious integration for the dealership so that it can view all of its services for Safeguards Rule compliance from a single dashboard. No multiple log-ins. No subcontractors giving you the runaround. The buck starts, and stops, with ComplyAuto.

The Virginia Automobile Dealers Association has partnered with ComplyAuto to be able to offer our suite of tools to VADA dealer members for compliance with the Virginia Consumer Data Protection Act and the Safeguards Rule. In addition, you will have access to the following trainings at no additional cost:

  1. Adverse Action Notices
  2. Cash Reporting & Anti-Money Laundering (Form 8300)
  3. Credit Score Disclosure (Risk Based Pricing)
  4. Identity Theft Prevention (Red Flags)
  5. OFAC Sanctions Compliance
  6. Unfair and Deceptive Acts and Practices (UDAAP)

VADA dealer members interested in learning more about their data privacy and GLBA Safeguards Rule compliance tools can contact us at or (661) 214-9760. Visit us at