Cyber One Solutions logo.
Get Support

FTC Safeguards for Auto Dealerships

Compliance / FTC Safeguards

FTC Safeguards Rule Compliance for Auto Dealerships.

Automobile dealerships that extend credit or arrange financing for their customers are a named example of a non-bank financial institution under 16 CFR Part 314. That covers nearly every franchise and buy-here, pay-here dealer. So the FTC Safeguards Rule applies to your store directly, not by analogy. Every credit application your F&I office runs carries Social Security numbers, driver license data, income, and bank and lender details. That is exactly the nonpublic personal information the rule was written to protect.

Cyber One Solutions builds and manages the full compliance program. That covers the written information security program, the technical controls, the testing, and the documentation an examiner or lender expects to see. We do the work, write the evidence, and keep the program current across your sales, F&I, and service systems.

What You Get
A written information security program (WISP) that satisfies 16 CFR Part 314.
A designated Qualified Individual overseeing the program.
MFA for anyone accessing your information systems, with encryption applied to customer financial information.
Penetration testing, vulnerability assessments, or continuous monitoring on the required schedule.
An incident response plan and the annual report your governing body needs.
An evidence trail ready for an FTC inquiry or a lender and captive-finance review.
What the Rule Requires

The Safeguards Rule, Mapped to Your Dealership.

The 2021 amendments to 16 CFR Part 314 made the rule far more prescriptive than its original version. A 2023 amendment then added the breach-notification requirement that took effect in May 2024. These are the core elements every covered dealership must put in place. Each one is paired with the work we deliver against it, mapped to your showroom, F&I office, and service drive.

Written Information Security Program (WISP)

A documented, comprehensive program that addresses each element the Safeguards Rule requires. It is tailored to how your dealership actually handles nonpublic personal information across the sales, F&I, and service departments.

Designated Qualified Individual

The rule requires a single accountable person to oversee the security program. We can serve as, or support, your Qualified Individual and produce the documentation that role is responsible for.

Written Risk Assessment

A documented assessment of the foreseeable internal and external risks to the customer information in your DMS, credit-application, and lender-portal systems. It pairs each risk with the safeguard that addresses it.

Access Controls, MFA & Encryption

Role-based access to customer financial data, so a service advisor cannot reach F&I credit files. Multi-factor authentication for anyone accessing your information systems, unless a documented equivalent is approved. Encryption of that information in transit and at rest.

Testing & Continuous Monitoring

Annual penetration testing and vulnerability assessments at least every six months, or continuous monitoring in their place. This element also includes audit logging of access to customer information in the DMS and F&I systems.

Incident Response & Board Reporting

A written incident response plan and notification to the FTC within 30 days of a notification event. A notification event is the unauthorized acquisition of unencrypted customer information involving at least 500 consumers. The rule also requires an annual written report to your dealer principal or governing body on the state of the program.

Why It Applies to Auto Dealerships

Arranging financing is exactly what puts you in scope.

The FTC Safeguards Rule protects nonpublic personal information held by non-bank financial institutions. A dealership that extends credit or arranges financing meets that definition directly. The rule text names automobile dealers as an example of a covered financial institution. The moment your F&I office takes a credit application, you are handling the customer financial information the rule protects.

The F&I office is the center of gravity for your data.

Every deal jacket contains Social Security numbers, driver license data, income and employment details, and bank or lender account information. That is precisely the customer financial information the Safeguards Rule is written to protect.

Credit applications, deal structures, and lender approvals all flow through the F&I office and out to captive and third-party finance sources. The controls the rule requires, which are MFA, access controls, and encryption, are the same controls that protect that flow from theft and fraud.

A written program is the baseline, not the ceiling.

The rule requires a written information security program, a Qualified Individual, a documented risk assessment, and an incident response plan. These exist whether or not you have ever had an incident.

We produce these documents to reflect what is actually running in your store, so the program survives an FTC inquiry or a lender and captive-finance security questionnaire rather than reading as boilerplate.

DMS and lender-portal vendor oversight is part of compliance.

Dealerships run on a Dealer Management System and connect to credit-aggregation and lender portals to submit applications and desk deals. The rule requires you to oversee the service providers that handle your customer information.

We inventory those vendors, from the DMS platform to the credit-application and lender portals, document the security expectations, and fold vendor oversight into your written program so the requirement is met and evidenced.

The breach-notification duty reaches every covered dealership.

A 2023 amendment to the rule added a federal notification requirement that took effect in May 2024. A notification event is the unauthorized acquisition of unencrypted customer information involving at least 500 consumers. If you discover one, you must report it to the FTC through the FTC reporting portal. Report as soon as possible and within 30 days of discovery.

The under-5,000-consumer exemption eases certain other elements, but it does not relax this obligation, and most franchise stores maintain information on far more than 5,000 consumers. The trigger is unencrypted information. So encrypting customer data in transit and at rest is both a core safeguard and a direct way to reduce notification exposure. We build the incident response plan, define what a notification event means for your DMS and F&I systems, and prepare the reporting workflow. A real event is then handled inside the window.

Frequently asked questions.

Does the under-5,000-consumer exemption apply to us?

For most franchise dealers, no. The exemption applies only to a dealership that maintains customer information concerning fewer than 5,000 consumers, which in practice means a small independent lot rather than a franchise store with years of sales and service history. Where it does apply, it exempts four elements: the written risk assessment, penetration testing and the twice-yearly vulnerability assessment, the written incident response plan, and the annual board report. The dealership must still maintain a written information security program and the other safeguards, including access controls and MFA, encryption, audit logging of access to customer information, secure disposal, and training. The FTC 30-day breach-notification duty still applies. We confirm your consumer count during onboarding and scope the program to what actually applies to you.

How long does it take to get a dealership compliant?

It depends on your current posture, but a program built from scratch typically takes 60 to 120 days to establish. Work starts with the gap analysis and risk assessment, then moves through control implementation and documentation across your DMS, F&I, and service systems. We scope every engagement to what your environment actually needs rather than to a fixed package.

Does the Safeguards Rule cover a cash sale where we do not arrange financing?

The rule attaches to your dealership because you are a financial institution that arranges credit, not to each individual transaction. Once you are a covered dealership, your written program and safeguards protect the customer information across your systems, including records from customers who paid cash but whose data still lives in your DMS. In practice most stores run credit on the majority of deals, so the program covers the whole operation rather than being switched on and off per deal. We scope the program to your full environment so there is no gap between financed and cash customers.

Common Questions

FTC Safeguards for Auto Dealerships, Answered.

Common questions from franchise and independent dealerships working out whether the Safeguards Rule applies to them and what compliance actually involves.

Don't see your question?
Our team answers questions like these every day, no sales pitch attached.
Ask a Question