FTC Safeguards Rule Compliance for Automotive Dealerships
Build and Maintain a Compliant Cybersecurity Program
Last updated: May 22, 2026
What is the FTC Safeguards Rule?
The FTC Safeguards Rule is a federal regulation under the Gramm-Leach-Bliley Act that requires financial institutions to protect customer information. The rule was significantly updated in 2021, with full enforcement of the new requirements beginning in June 2023. The updated rule transformed vague guidelines into specific, measurable security requirements.
Automotive dealerships are classified as financial institutions under this rule because they arrange customer financing and leasing and, in doing so, collect sensitive personal information including Social Security numbers, credit reports, and bank account details. Every dealership, regardless of size, must comply.
Non-compliance carries serious consequences. The FTC can impose fines of up to $100,000 per violation, with additional penalties of $10,000 per day for ongoing non-compliance. Beyond fines, dealerships face potential lawsuits, mandatory consent orders, and devastating reputational damage. In 2024 alone, the FTC brought enforcement actions against multiple dealerships for failing to implement adequate security programs.
The 9 Key Requirements of the FTC Safeguards Rule
The updated rule outlines nine specific elements your information security program must include. COMNEXIA addresses every one.
Designate a Qualified Individual
Appoint someone to oversee and implement your information security program.
How COMNEXIA Helps:
COMNEXIA serves as your designated Qualified Individual, providing expert oversight of your entire security program without the cost of a full-time CISO.
Written Information Security Program
Develop and maintain a written security program tailored to your dealership's size and complexity.
How COMNEXIA Helps:
We create comprehensive, dealership-specific security policies and procedures that satisfy FTC requirements and are practical for your team to follow.
Risk Assessment
Conduct periodic risk assessments to identify threats to customer information.
How COMNEXIA Helps:
Our team performs thorough risk assessments of your DMS, F&I systems, network infrastructure, and third-party integrations, with documented findings and remediation plans.
Access Controls
Implement and maintain controls to limit who can access customer information.
How COMNEXIA Helps:
We configure role-based access controls across your DMS (CDK, Reynolds, DealerTrack), network systems, and cloud applications, ensuring employees only access what they need.
Data Encryption
Encrypt customer information both at rest and in transit over external networks. The rule permits alternative compensating controls only where encryption is infeasible, and only if your Qualified Individual reviews and approves them.
How COMNEXIA Helps:
We deploy encryption across your entire infrastructure, from email and file storage to database encryption and secure VPN connections between locations.
Multi-Factor Authentication
Require MFA for anyone accessing customer information systems.
How COMNEXIA Helps:
We implement MFA across all critical systems including DMS platforms, email, VPN, and cloud applications, with user-friendly solutions that don't slow down your team.
Secure Application Development
Ensure secure development practices for any in-house applications.
How COMNEXIA Helps:
We evaluate and secure all dealership applications, custom integrations, and third-party tools connecting to your systems to prevent vulnerabilities.
Continuous Monitoring & Testing
Continuously monitor the effectiveness of your security controls, or, if you do not have continuous monitoring, perform penetration testing at least annually and vulnerability assessments at least every six months.
How COMNEXIA Helps:
Our 24/7 security operations center monitors your network for threats, conducts regular vulnerability scans, and performs annual penetration testing.
Incident Response Plan
Develop and maintain a written incident response plan.
How COMNEXIA Helps:
We create and maintain a dealership-specific incident response plan, conduct tabletop exercises with your team, and provide rapid response when incidents occur.
Common Compliance Gaps We Find in Dealerships
After assessing dozens of dealerships, we see the same security gaps over and over. These are the issues the FTC is specifically looking for, and the ones most likely to result in enforcement action or a data breach.
No MFA on DMS Systems
CDK, Reynolds, and DealerTrack all support multi-factor authentication, but most dealerships never enable it, leaving customer financial data one stolen password away from exposure.
Unencrypted Customer Data in F&I
Finance and insurance departments often store deal jackets, credit applications, and customer documents in unencrypted shared drives or email, a direct violation of the encryption requirement.
No Written Security Policy
Many dealerships have never documented their information security program. Without a written program, you cannot demonstrate compliance during an FTC investigation.
Uncontrolled Third-Party Vendor Access
DMS vendors, marketing platforms, and service providers often have broad access to dealership networks with no monitoring, no access reviews, and no documented agreements about data protection.
No Incident Response Plan
When a breach occurs, most dealerships have no documented plan for containment, investigation, notification, or recovery, turning a manageable incident into a crisis.
Employees Sharing Passwords
Shared logins for DMS workstations, CRM systems, and email accounts make it impossible to track who accessed customer data, defeat per-user MFA, and violate the access control requirement.
Is Your Dealership at Risk?
If any of these sound familiar, your dealership may be out of compliance with the FTC Safeguards Rule. Our free assessment identifies every gap and gives you a clear path to compliance.
COMNEXIA's FTC Safeguards Compliance Process
FTC compliance is not a one-time project; it is an ongoing program. Our six-phase approach builds compliance into your dealership's daily operations.
Assessment
We evaluate your current security posture, document all systems that handle customer information, and identify every area where your dealership falls short of FTC requirements.
Gap Analysis
We map your current controls against all nine FTC Safeguards requirements, prioritize risks by severity and likelihood, and create a detailed remediation roadmap with timelines.
Implementation
We deploy the technical controls (MFA, encryption, access controls, monitoring systems, and network segmentation) with minimal disruption to your daily operations.
Documentation
We create your Written Information Security Program, risk assessments, security policies, incident response plan, and all supporting documentation required by the FTC.
Ongoing Monitoring
Our 24/7 security operations center continuously monitors your network for threats, conducts regular vulnerability scans, and ensures all security controls remain effective.
Annual Review
We conduct annual risk assessments, update your security program to address new threats and regulatory changes, and prepare the written annual report that the rule requires your Qualified Individual to deliver to your board or senior leadership.
Why Dealerships Choose COMNEXIA for FTC Compliance
We're not a generic cybersecurity firm learning your industry on your dime. We've been serving automotive dealerships for over three decades.
35 Years Serving Automotive
Since 1991, COMNEXIA has been the trusted IT partner for automotive dealerships across Georgia and the Southeast. We understand dealership operations, workflows, and the unique security challenges you face.
Deep DMS Platform Expertise
We work with every major DMS platform: CDK Global, Reynolds and Reynolds, DealerTrack, and more. We know how to secure these systems without breaking integrations or slowing down your team.
Local to Georgia
Based in Roswell, GA, we provide hands-on support with rapid on-site response when needed. We already serve major dealer groups throughout the Atlanta metro and across the state.
End-to-End Managed Service
From initial assessment through ongoing compliance management, we handle everything β so you don't need to hire a CISO, build an internal security team, or manage multiple vendors.
FTC Safeguards Rule Compliance FAQ
Get answers to common questions about our services and approach.
What is the FTC Safeguards Rule and does it apply to my dealership?
The FTC Safeguards Rule is part of the Gramm-Leach-Bliley Act and requires financial institutions β including automotive dealerships β to develop, implement, and maintain a comprehensive information security program. If your dealership handles customer financing, leasing, or collects personal financial information, the rule applies to you. The updated requirements took full effect in June 2023.
What are the penalties for non-compliance with the FTC Safeguards Rule?
The FTC can impose fines of up to $100,000 per violation, with additional penalties of up to $10,000 per day for ongoing non-compliance. Beyond fines, dealerships face potential lawsuits from affected customers, mandatory FTC consent orders with ongoing reporting requirements, and significant reputational damage that can impact sales and customer trust.
How long does it take to become FTC Safeguards compliant?
For most dealerships, initial compliance implementation takes 60 to 90 days depending on the current state of your security infrastructure. This includes the risk assessment, gap analysis, technology implementation, policy documentation, and employee training. However, FTC compliance is not a one-time project; it requires ongoing monitoring, annual reviews, and continuous improvement.
Do I need to hire a Qualified Individual to manage our security program?
The FTC Safeguards Rule requires you to designate a Qualified Individual to oversee your information security program, but that person does not need to be an employee. Many dealerships outsource this role to a managed security provider like COMNEXIA. We serve as your Qualified Individual, bringing deep cybersecurity expertise and automotive industry knowledge without the cost of a full-time hire. Note that when the Qualified Individual is supplied by a service provider, the rule still requires your dealership to retain responsibility for compliance, to designate a senior employee to direct and oversee that person, and to require the provider to maintain an information security program of its own.
What happens during a compliance assessment?
Our compliance assessment evaluates your dealership's current security posture against all nine FTC Safeguards Rule requirements. We review your network infrastructure, DMS security, access controls, encryption practices, employee training programs, vendor management, and incident response capabilities. You receive a detailed report with findings, risk ratings, and a prioritized remediation roadmap.
Can COMNEXIA help with compliance for multiple dealership locations?
Absolutely. We manage compliance programs for multi-location dealer groups across Georgia and the Southeast. Our approach standardizes security policies and controls across all locations while accounting for site-specific differences in network architecture, DMS platforms, and staffing. Centralized monitoring and reporting give ownership visibility across the entire organization.
Protect Your Dealership: Schedule a Free Compliance Assessment
Don't wait for an FTC investigation to discover your compliance gaps. Our comprehensive assessment identifies every issue and gives you a clear path to full compliance, at no cost and no obligation.