Automotive Dealership IT & FTC Compliance

What Are the FTC Safeguards Rule Requirements for Auto Dealers in 2026?

Learn what the FTC Safeguards Rule requires from auto dealerships in 2026, including IT controls, compliance gaps, and how to avoid costly enforcement actions.

By COMNEXIA
Tags: FTC Safeguards Rule, auto dealer compliance, dealership cybersecurity, FTC 2026, data security, automotive IT

The FTC Safeguards Rule isn’t new — but the enforcement landscape in 2026 is dramatically different from even two years ago. Auto dealerships handle enormous volumes of customer financial data every day: credit applications, Social Security numbers, bank account details, and insurance records. That makes them prime targets for both cyberattacks and regulatory scrutiny.

If you run a dealership and aren’t confident your IT infrastructure meets every requirement of the revised Safeguards Rule, this guide breaks down exactly what you need to know — and what gaps the FTC is actually catching dealers on.

What Is the FTC Safeguards Rule and Why Does It Apply to Dealerships?

The FTC Safeguards Rule is a regulation under the Gramm-Leach-Bliley Act (GLBA) that requires financial institutions to develop, implement, and maintain a comprehensive information security program. Auto dealerships qualify as financial institutions under the FTC’s definition because they extend credit, arrange financing, and handle consumer financial data as part of vehicle sales and leasing.

The rule was originally enacted in 2003, but the FTC finalized major revisions in October 2021, with most provisions taking effect on June 9, 2023. These revisions transformed the Safeguards Rule from a set of general guidelines into a prescriptive technical standard with specific IT controls that every covered business must implement.

In 2024 and 2025, the FTC ramped up enforcement significantly, pursuing consent orders against dealership groups that failed to implement required safeguards. That enforcement momentum has only accelerated in 2026.

What Specific IT Controls Does the FTC Safeguards Rule Require?

The revised Safeguards Rule (16 CFR Part 314) requires nine specific elements in every dealership’s information security program. These aren’t suggestions — they’re mandatory:

  1. A designated Qualified Individual responsible for overseeing the security program. This person doesn’t need to be an employee — many dealerships designate their managed IT provider — but someone must be accountable.

  2. A written risk assessment that identifies internal and external risks to customer information, assesses the sufficiency of existing safeguards, and documents how those risks are addressed.

  3. Access controls that limit who can view customer financial data to only those employees who need it for their job function.

  4. Encryption of customer data both in transit and at rest. This means every system that stores or transmits customer financial information — DMS platforms, CRM tools, email, file shares — must use encryption.

  5. Multi-factor authentication (MFA) for any individual accessing customer information on your systems. Single-password logins are no longer compliant.

  6. Secure development practices for any in-house applications, plus procedures for evaluating third-party software security.

  7. Either continuous monitoring, or annual penetration testing combined with vulnerability assessments at least every six months.

  8. An incident response plan that covers how the dealership will detect, respond to, and recover from security events.

  9. Regular reporting to the board or senior management — the Qualified Individual must provide a written report at least annually on the security program’s status and any material findings.

Dealerships with customer information on fewer than 5,000 consumers are exempt from the written risk assessment, incident response plan, and annual reporting requirements. However, most dealerships with any meaningful sales volume exceed this threshold quickly.

How Is the FTC Enforcing the Safeguards Rule Against Dealerships in 2026?

The FTC has shifted from an education-first approach to active enforcement. In 2024, the Commission brought enforcement actions against multiple auto dealer groups, resulting in consent orders that required 20 years of compliance monitoring, mandatory third-party security assessments, and significant operational changes.

The FTC’s enforcement strategy in 2026 focuses on several patterns:

  • Complaint-driven investigations triggered by data breaches or consumer complaints about identity theft linked to dealership transactions
  • Sweep audits targeting dealership groups across multiple states
  • CDK Global and similar vendor breaches prompting the FTC to examine whether affected dealerships had adequate vendor management controls

The penalties are substantial. While the FTC typically pursues consent orders rather than direct fines for first-time violations, the cost of compliance under a consent order — mandatory third-party audits, system overhauls, and 20-year monitoring — routinely exceeds $500,000 for mid-size dealership groups.

What Are the Most Common Compliance Gaps at Auto Dealerships?

After more than 35 years working with automotive dealerships on their IT infrastructure, we’ve seen the same gaps come up repeatedly. These are the areas where dealerships are most likely to fail an audit or suffer a breach:

Is Your DMS Environment Properly Segmented?

Many dealerships run their Dealer Management System on the same network as general office computers, guest Wi-Fi, and even showroom kiosks. The Safeguards Rule requires access controls that limit data exposure — and a flat network where every device can reach the DMS server is a compliance failure.

Proper network segmentation means your DMS, F&I systems, and any database containing customer financial records should sit on isolated VLANs with firewall rules controlling what traffic can reach them. Service department tablets, guest networks, and general office PCs should never have direct access to these systems.
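A quick way to verify the segmentation requirement above is to evaluate the firewall policy that sits between your VLANs and the DMS segment rather than trusting a diagram. The script below is an added example (not COMNEXIA's tooling or any dealership's real policy): it models a first-match allow/deny ruleset, a constructed set of dealership segments, and a hypothetical DMS server on two application ports, then reports every unauthorized segment that can still reach the DMS. The two policies contrast the flat network the text warns about with a default-deny segmented one.

```python
"""Segmentation check: evaluate a firewall policy against the requirement
that only authorized segments can reach the DMS server.

Added example, not COMNEXIA's code. All VLAN names, subnets, ports and
rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    ports: frozenset   # TCP ports matched; empty frozenset means any port


# Constructed segment inventory for a hypothetical single-rooftop store.
SEGMENTS = {
    "fi_workstations": "10.10.20.0/24",   # F&I office PCs (authorized)
    "office": "10.10.30.0/24",            # general office PCs
    "service_tablets": "10.10.40.0/24",   # service department devices
    "guest_wifi": "192.168.100.0/24",     # showroom guest network
    "dms": "10.10.10.0/24",               # DMS / F&I server VLAN
}
DMS_SERVER = "10.10.10.5"                 # constructed address
DMS_PORTS = frozenset({443, 1433})        # constructed: web front end + SQL

# Flat-network style policy: everything inside 10.10.0.0/16 reaches the DMS.
FLAT_POLICY = [
    Rule("allow", "10.10.0.0/16", "10.10.10.0/24", frozenset()),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", frozenset()),
]

# Segmented policy: only F&I workstations reach the DMS, on app ports only;
# every other path into the DMS VLAN is denied before the general allow.
SEGMENTED_POLICY = [
    Rule("allow", "10.10.20.0/24", "10.10.10.0/24", DMS_PORTS),
    Rule("deny", "0.0.0.0/0", "10.10.10.0/24", frozenset()),
    Rule("allow", "10.10.0.0/16", "0.0.0.0/0", frozenset()),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", frozenset()),
]


def is_allowed(policy, src_ip, dst_ip, port):
    """First-match evaluation; anything not matched is denied."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in policy:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (not r.ports or port in r.ports)):
            return r.action == "allow"
    return False


def segmentation_findings(policy, authorized=("fi_workstations",)):
    """Return (segment, port) pairs that can reach the DMS server without
    being authorized. An empty list means the access-control requirement
    is met for the segments in the inventory."""
    findings = []
    for name, cidr in SEGMENTS.items():
        if name == "dms" or name in authorized:
            continue
        # Probe from the first usable host of the segment.
        probe = str(next(ipaddress.ip_network(cidr).hosts()))
        for port in sorted(DMS_PORTS):
            if is_allowed(policy, probe, DMS_SERVER, port):
                findings.append((name, port))
    return findings


def authorized_reachable(policy, authorized=("fi_workstations",)):
    """True if every authorized segment still reaches the DMS on every
    application port, so segmentation does not break legitimate F&I work."""
    for name in authorized:
        probe = str(next(ipaddress.ip_network(SEGMENTS[name]).hosts()))
        if not all(is_allowed(policy, probe, DMS_SERVER, p) for p in DMS_PORTS):
            return False
    return True


if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(label, "unauthorized paths:", segmentation_findings(policy),
              "| F&I access intact:", authorized_reachable(policy))
```

Feeding this a policy exported from your actual firewall (after translating it into the same rule shape) turns the "is the DMS isolated?" question into evidence you can file with the risk assessment: the unauthorized-path list should be empty, and the authorized-access check should still pass.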

Are All Your Systems Using MFA?

Multi-factor authentication is one of the clearest requirements in the revised rule, yet it remains one of the most common gaps. The issue isn’t usually the DMS itself — most modern DMS platforms support MFA. The gaps are in the surrounding systems:

  • Email accounts used by F&I managers
  • Remote desktop connections for off-site access
  • Cloud CRM and lead management tools
  • Vendor portals and third-party integrations

Every system that touches customer financial data needs MFA. Every one.

Do You Have Encryption Everywhere It’s Required?

Encryption “in transit” usually gets handled — most web-based tools use HTTPS by default. But encryption “at rest” is where dealerships stumble. Consider:

  • Are the hard drives on F&I workstations encrypted?
  • Is the DMS database encrypted at the storage level?
  • Are backups encrypted?
  • What about USB drives, portable devices, or printed credit applications that get scanned?

If customer Social Security numbers or financial data exist anywhere in unencrypted form — on a laptop, a shared drive, an email attachment — that’s a compliance gap.
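Finding where Social Security numbers sit unencrypted is the first step in closing that gap, and it is easier to do with a discovery scan than by asking staff. The following is an added example (not COMNEXIA's tooling): it walks a file share, reads text-like files, and reports masked SSN-like values after applying the SSA's structural rules (area 001-899 excluding 666, group 01-99, serial 0001-9999) to cut false positives such as stock numbers and dates. The sample share it builds is constructed for the demonstration; a real scan would be pointed at F&I workstations, shared drives and backup staging areas, and would add text extraction for PDFs and scanned images, which this example deliberately skips.

```python
"""Data-at-rest discovery: locate files holding plaintext SSN-like values.

Added example, not COMNEXIA's code. The sample share and its contents are
constructed; the SSN structural rules are the publicly documented SSA ones.
"""
import os
import re
import tempfile

# Digit-boundary guards stop the pattern from matching inside longer numbers
# such as dates (2024-01-1234) or account identifiers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Only these extensions are read as text; binary formats need extraction.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".eml", ".xml", ".json"}


def looks_like_ssn(area, group, serial):
    """Structural validity: area 001-899 except 666, group 01-99, serial 0001-9999."""
    a, g, s = int(area), int(group), int(serial)
    return 1 <= a <= 899 and a != 666 and g >= 1 and s >= 1


def find_ssns(text):
    """Return masked matches (only the last four digits kept) so the
    scan report itself does not become another unencrypted copy."""
    return [f"***-**-{s}" for a, g, s in SSN_RE.findall(text)
            if looks_like_ssn(a, g, s)]


def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory; return {relative_path: [masked ssns]} for files with hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_ssns(fh.read(max_bytes))
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_share():
    """Create a constructed share: one leaked credit-application export,
    one clean notes file, and a PDF that is skipped. Returns the root path."""
    root = tempfile.mkdtemp(prefix="fi_share_")
    os.makedirs(os.path.join(root, "exports"))
    with open(os.path.join(root, "exports", "credit_apps.csv"), "w") as fh:
        # Second row uses area 666, which is never issued: filtered out.
        fh.write("name,ssn,amount\nJ. Doe,123-45-6789,24500\nA. Roe,666-12-3456,18000\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Invoice 2024-01-1234 paid; stock 987-65-0000 is not an SSN.\n")
    with open(os.path.join(root, "brochure.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 ... 123-45-6789")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for path, hits in scan_tree(share).items():
        print(f"{path}: {len(hits)} SSN-like value(s), e.g. {hits[0]}")
```

Every file the scan reports is either a place that needs disk or file-level encryption, or data that should not exist there at all; either way it belongs in the written risk assessment with the remediation recorded next to it.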

Who Is Your Qualified Individual?

The Safeguards Rule requires one person to own the security program. Many dealerships either haven’t formally designated anyone, or they’ve named a general manager who has no cybersecurity background and no bandwidth to actually oversee the program.

This role can be outsourced. Many dealerships designate their managed cybersecurity provider as the Qualified Individual, which provides both the expertise and the documentation trail the FTC expects.

How Should Dealerships Prepare for an FTC Safeguards Rule Audit?

Preparation isn’t a one-time project — it’s an ongoing program. Here’s a practical roadmap:

Conduct a formal risk assessment. Document every system that stores or processes customer financial information. Map data flows from the moment a customer fills out a credit application through funding, filing, and archiving. Identify where data is most vulnerable and what controls exist at each point.

Implement technical controls systematically. Don’t try to fix everything at once. Prioritize based on risk: MFA and encryption first, then network segmentation, then monitoring and testing. Each control should be documented with evidence of implementation.

Establish vendor management procedures. The CDK Global breach in 2024 demonstrated that dealership data security is only as strong as your vendors’ security. The Safeguards Rule requires you to evaluate and monitor service providers that access customer information. This includes DMS providers, CRM platforms, payment processors, and any cloud service that touches financial data.

Test your incident response plan. Having a plan on paper isn’t enough. Run a tabletop exercise at least annually. Walk through a realistic scenario — ransomware encrypts your DMS server on a Saturday morning — and document what each person would do, who they’d contact, and how you’d notify affected customers.

Create a documentation habit. The FTC doesn’t just want you to be compliant — they want proof. Maintain logs of access reviews, security training records, vulnerability scan results, and policy acknowledgment forms. If it’s not documented, it didn’t happen.

What Does the FTC Safeguards Rule Mean for Dealership IT Budgets?

Compliance isn’t free, but it’s substantially cheaper than the alternative. A realistic IT security budget for a single-rooftop dealership to meet Safeguards Rule requirements typically includes:

  • Managed firewall with network segmentation — essential for access controls and monitoring
  • Endpoint protection and encryption on all workstations handling financial data
  • MFA deployment across all relevant systems
  • Vulnerability scanning and penetration testing — semi-annual scans, annual pen tests
  • Security awareness training for all staff — the FTC specifically expects employee training
  • Incident response planning and testing — often handled by your managed IT provider
  • Backup and disaster recovery — encrypted backups with tested restoration procedures

The cost of a breach or FTC enforcement action dwarfs any of these investments. The average cost of a data breach in the automotive sector exceeded $4 million in 2025, according to industry analyses. A 20-year consent order with mandatory third-party auditing adds hundreds of thousands more.

How Can COMNEXIA Help with FTC Safeguards Rule Compliance?

COMNEXIA has worked with auto dealerships across the Southeast for over 35 years, and our Atlanta-based team understands the specific challenges dealerships face with DMS integration, multi-location networks, and the intersection of operational technology and customer data security.

We serve as the designated Qualified Individual for dealership clients, manage network segmentation and encryption deployments, implement and monitor MFA across all systems, and provide the ongoing vulnerability management and reporting that the FTC expects. Our automotive dealership IT services are built specifically for this industry, and our cybersecurity practice addresses every technical requirement in the Safeguards Rule.

Frequently Asked Questions

Does the FTC Safeguards Rule apply to independent used car dealers? Yes. Any dealership that arranges financing or leasing for consumers is classified as a financial institution under the Gramm-Leach-Bliley Act. This applies to both franchise and independent dealerships, regardless of size. The only partial exemption is for businesses maintaining information on fewer than 5,000 consumers, which still must implement most of the rule’s requirements.

What happens if my dealership fails an FTC Safeguards Rule audit? The FTC typically pursues consent orders rather than immediate fines. A consent order requires your dealership to implement a comprehensive security program under FTC oversight, submit to third-party assessments for up to 20 years, and report any future security incidents directly to the Commission. The operational cost of a consent order routinely exceeds $500,000.

Can I use my DMS provider’s security features to satisfy the Safeguards Rule? Your DMS provider’s built-in security features are part of the solution, but they don’t cover everything. The Safeguards Rule requires controls across your entire IT environment — not just the DMS. Email, file storage, network infrastructure, endpoints, and third-party integrations all need independent security controls.

How often do I need to update my risk assessment? The Safeguards Rule requires that your risk assessment be updated whenever there are material changes to your operations, technology, or threat landscape. In practice, this means at minimum annually, and also after any significant system change, vendor switch, or security incident.

Do I need a dedicated cybersecurity person on staff? No. The Safeguards Rule requires a Qualified Individual, but that person can be an employee or a service provider. Many dealerships designate their managed IT and cybersecurity provider as the Qualified Individual, which provides both the expertise and the documentation the FTC requires.
