FTC Safeguards Rule for Auto Dealers — What Your Dealership Must Do Now


In June 2024, a cyberattack against CDK Global — the dominant dealership management software provider in North America — took approximately 15,000 auto dealerships offline simultaneously. Dealers couldn't process deals, print contracts, look up vehicle history, or access customer records. The outage stretched up to three weeks for many locations. Estimated losses across the industry topped $1 billion, with individual dealers reporting hundreds of thousands of dollars in lost sales during peak summer selling season.

That attack was a stress test the industry didn't ask for — and most dealerships failed it. But here's what the CDK incident doesn't change: the FTC Safeguards Rule compliance deadline already passed in June 2023. Every auto dealer subject to that rule was required to have a fully operational written information security program in place before the CDK attack ever happened.

Most dealers still aren't ready. And the consequences of that gap are now measured in federal fines, state attorney general enforcement actions, and — as CDK demonstrated — catastrophic operational shutdowns.

The deadline has passed. The FTC Safeguards Rule's enhanced requirements went into effect June 9, 2023. Non-compliance isn't a future risk — it is a present liability. Every day without a compliant program is a day you're exposed to enforcement action.

Does the FTC Safeguards Rule Apply to Your Dealership?

Short answer: if you sell vehicles and do anything resembling finance-related activity, yes — almost certainly.

The Safeguards Rule was issued under the Gramm-Leach-Bliley Act (GLB Act), which defines "financial institution" far more broadly than most business owners assume. Under the GLB Act, a financial institution is any entity that is significantly engaged in financial activities. The FTC has made clear — and has defended this position against industry challenges — that auto dealers who offer financing, arrange financing through third parties, take credit applications, pull credit reports, or collect any financial information from customers in connection with a vehicle sale qualify as financial institutions under this definition.

That covers virtually every franchise dealer. It covers most independent dealers. It covers buy-here-pay-here operations, dealerships that use captive finance arms, and dealers who simply route customers to outside lenders. If a customer has ever handed you an income verification document, a pay stub, or a bank statement — or if you have ever submitted a credit application to a lender on a customer's behalf — the Safeguards Rule applies to you.

The only dealers likely outside the rule's reach are those who do zero financing of any kind, take zero credit applications, and collect zero financial information from customers. In today's market, that describes almost no one.

The 9 Required Elements of a Compliant Program

The Safeguards Rule doesn't just require you to "have security." It requires a written information security program with nine specific documented elements. Checking most of the boxes isn't enough — enforcement actions have been brought against organizations with mature security programs that were missing individual required components.

  1. Designate a Qualified Individual. You must appoint a single person — internal employee or contracted service provider — who is responsible for overseeing, implementing, and enforcing your information security program. This person must be qualified by training or experience. "Qualified" is not defined to require a specific certification, but the designation must be documented in writing and the individual must actually have authority over the program.
  2. Conduct a written Risk Assessment. You must identify the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer financial information, and assess the sufficiency of your safeguards. This assessment must be written, documented, and updated regularly as your environment changes. A verbal understanding of your risks does not satisfy this requirement.
  3. Implement safeguards to address identified risks. Based on your risk assessment, you must design and implement controls that actually reduce those risks. These safeguards must cover access controls, data inventory, encryption, secure development practices for any in-house systems, and authentication. Multi-factor authentication (MFA) is now required for any individual accessing any information system containing customer financial information.
  4. Test and monitor your safeguards regularly. Your security controls must be tested and monitored on an ongoing basis. Continuous monitoring systems or periodic testing must be implemented and results documented. Security controls that are deployed but never verified are not compliant — the rule requires demonstrated, ongoing assurance that controls are working.
  5. Train staff on security awareness. All employees who handle customer financial information must receive security awareness training. The training must be ongoing — not a one-time onboarding session — and must be updated as threats evolve. Simulated phishing tests, policy acknowledgments, and documented training records are the standard approach to demonstrating compliance with this element.
  6. Select and oversee service providers with written agreements. Every service provider that accesses, maintains, processes, or transmits customer financial information on your behalf must be selected through a process that evaluates their security capabilities, and your relationship must be governed by a written contract that requires them to implement appropriate safeguards. CDK Global, Reynolds & Reynolds, DealerSocket, and any other DMS or F&I vendor you use fall under this requirement. The CDK incident is precisely the scenario this element was designed to address.
  7. Establish an Incident Response Plan. You must have a written incident response plan that specifies the goals of the plan, internal processes for responding to a security event, clear definitions of what constitutes a security event, roles and responsibilities, communication and decision-making procedures, remediation steps, and a post-incident review process. A plan that exists only in someone's head is not compliant.
  8. Conduct annual penetration testing and biennial vulnerability assessments. The rule requires annual penetration testing — actual attempted exploitation of your systems by qualified security professionals — and vulnerability assessments at least every two years, or more frequently following significant changes to your environment. This is one of the most commonly missing elements in dealer compliance programs, because many dealers confuse it with running a vulnerability scanner. Penetration testing requires human expertise attempting to breach your defenses under controlled conditions.
  9. Report to your board of directors annually on the program's status. The Qualified Individual must report in writing to the board of directors — or equivalent governing body — at least annually. This report must cover the overall status of the information security program and material matters relating to the program, including risk assessment results, risk management decisions, service provider arrangements, test results, security events, and recommendations for changes to the program. Board-level accountability is explicit and required.

What Counts as "Customer Financial Information"?

Dealers sometimes underestimate the scope of what the Safeguards Rule protects because they think narrowly about "financial data." The rule covers nonpublic personal information — any personally identifiable financial information that a customer provides to you, that you obtain in connection with providing a financial product or service, or that is otherwise associated with a customer of a financial product or service you provide.

In the dealership context, that includes:

  • Social Security Numbers collected on credit applications — a standard field on every 8821 and dealer credit app
  • OFAC screening results and the data used to generate them, including name, date of birth, and government ID numbers
  • Income verification documents — pay stubs, tax returns, bank statements, and employer verification letters submitted in support of a credit application
  • Deal jacket contents — the full package of documents assembled during the F&I process, which typically contains credit reports, bank approval conditions, proof of insurance, and financing terms
  • F&I office data generally — financing rates, approval conditions, lender identities, payment schedules, and any other transaction-specific financial details connected to a named customer

This data lives in your DMS, your F&I software, your deal jackets (physical and digital), your email system, and potentially in printed documents stored in filing cabinets. All of it is in scope. All of it must be protected under your written information security program.

DMS Vendor Risk and the CDK Lesson

The CDK Global cyberattack in June 2024 was a concentrated demonstration of what third-party dependency risk looks like when it materializes at scale. CDK is the DMS provider for a significant portion of franchise dealerships in North America. When attackers compromised CDK's systems, they didn't just breach one company — they effectively breached thousands of dealerships simultaneously by attacking their shared technology infrastructure.

Dealers who had written agreements with CDK that included security requirements, who had evaluated CDK's security posture as part of their vendor oversight process, and who had incident response plans that accounted for DMS outages were better positioned to respond — not because they could stop the attack, but because they had planned for the contingency.

Under the Safeguards Rule, your written service provider agreements with CDK, Reynolds & Reynolds, DealerSocket, or any other DMS or F&I platform vendor must include explicit contractual provisions requiring those vendors to:

  • Implement and maintain appropriate safeguards for the customer financial information they access or process on your behalf
  • Notify you promptly in the event of a security incident involving your customer data
  • Cooperate with your incident response efforts
  • Permit your oversight and evaluation of their security practices

Many dealers' existing vendor agreements predate the June 2023 compliance deadline and do not include these provisions. Reviewing and updating those contracts is a required element of a compliant program — not a best practice, but a requirement.

Vendor oversight in practice: You don't need to audit CDK's data centers. You need a documented process for evaluating their security representations, reviewing their SOC 2 or equivalent reports, and maintaining a written record of that evaluation as part of your program documentation.

Penalties for Non-Compliance

The FTC Safeguards Rule is enforced by the Federal Trade Commission under Section 5 of the FTC Act and, for financial institutions, under the GLB Act. The penalty structure is significant and not subject to a single-incident cap.

The FTC can impose civil penalties of up to $50,120 per violation per day. In the context of a data breach involving customer financial information, the FTC has interpreted "violation" to mean each affected customer record — meaning a breach affecting 10,000 customers could theoretically generate 10,000 separate violations. Even at conservative enforcement postures, the penalty exposure in a non-compliant dealership that experiences a breach is in the millions.

State attorneys general have independent authority to bring enforcement actions under the GLB Act on behalf of state residents. California, New York, and Texas have been among the most active in pursuing data privacy and security enforcement actions against businesses in their jurisdictions. A dealer operating in California who experiences a breach affecting California residents faces potential exposure from both the FTC and the California Attorney General's office simultaneously.

The rule also creates private liability exposure. While there is no explicit private right of action under the GLB Act, plaintiffs' attorneys have successfully argued breach of contract and negligence claims against businesses whose failure to maintain adequate security contributed to a data breach. The Safeguards Rule's detailed requirements make it straightforward for plaintiffs to establish the standard of care that was owed and demonstrate how it was breached.

$4.5M+: The average cost of a data breach involving a dealership's customer financial data exceeds $4.5 million, before regulatory fines. (Ponemon Institute)

What Dealers Should Do Right Now

If your dealership does not have a written information security program that covers all nine required elements, the priority sequence is straightforward: designate your Qualified Individual first, because every other element of the program flows from that appointment. That person — whether internal or contracted through a qualified IT or compliance partner — then conducts or commissions your written risk assessment, which drives the rest of the program design.

The elements that dealers most commonly lack and that represent the highest enforcement risk are the written risk assessment (because it is the foundation of the entire program), the vendor oversight documentation (because most dealer agreements predate the rule), and the annual penetration testing requirement (because it is commonly confused with less rigorous vulnerability scanning).

IT Center works with auto dealerships to build and maintain compliant written information security programs — including conducting penetration tests, drafting and updating vendor agreements, providing the Qualified Individual function as a contracted service, and delivering the annual board-level compliance report. Our approach is built around what the rule actually requires, not a generic cybersecurity framework that may or may not map to your specific compliance obligations.

IT Center Helps Dealerships Reach and Maintain FTC Safeguards Compliance

From written risk assessments and penetration testing to vendor agreement reviews and board-level reporting, IT Center provides the full scope of Safeguards Rule support auto dealers need. Talk to our team about where your program stands today.
