The FTC Safeguards Rule isn’t new, but the updated requirements that took full effect in June 2023 transformed it from a vague set of guidelines into a detailed, enforceable cybersecurity mandate. For Georgia auto dealerships, this means specific technical and administrative controls are now legally required — and the FTC has shown it’s willing to pursue enforcement actions against dealers who don’t comply.
This guide walks through exactly what the Safeguards Rule requires, where Georgia dealerships most commonly fall short, and how to build a compliance roadmap that protects your business, your customers, and your dealer license.
What Is the FTC Safeguards Rule?
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect consumer financial information. Because auto dealerships routinely handle financing, they’re classified as financial institutions under GLBA — and the FTC Safeguards Rule defines exactly how that protection must work.
The original Safeguards Rule (2003) was intentionally flexible, allowing businesses to design their own information security programs with minimal specific requirements. The updated rule, finalized in 2021 and enforced since June 2023, eliminates that flexibility. It now mandates specific technical controls, documented processes, and ongoing monitoring.
The bottom line: If your dealership handles customer financing — and virtually all do — you must comply with the updated FTC Safeguards Rule. There is no size exemption. A single-point used car dealer and a multi-rooftop new car group are held to the same standard.
Why Georgia Dealerships Should Take This Seriously
Several factors make FTC Safeguards compliance particularly important for Georgia auto dealers in 2026:
Active Enforcement
The FTC has increased its enforcement activity against auto dealers nationwide. Recent consent orders have resulted in fines, mandatory security programs, and years of third-party auditing. Georgia dealerships are not exempt from federal enforcement simply because the state hasn’t added its own dealer-specific data security law.
Customer Data Volume
A typical Georgia dealership collects and stores an extraordinary amount of sensitive customer data: Social Security numbers, driver’s license numbers, bank account information, credit applications, income documentation, and insurance details. A single data breach can expose thousands of customers and trigger notification requirements under Georgia’s data breach law (O.C.G.A. § 10-1-912).
Manufacturer Requirements
Many OEMs are building cybersecurity requirements into their dealer agreements, and some are beginning to audit dealers for compliance. Falling short of FTC Safeguards requirements could create issues with your franchise agreement in addition to federal regulatory exposure.
Insurance Implications
Cyber insurance carriers are increasingly asking about Safeguards Rule compliance during the underwriting process. Dealerships that can’t demonstrate compliance may face higher premiums, coverage exclusions, or outright denial of claims following a breach.
The 9 Key Requirements of the Updated Safeguards Rule
The updated rule establishes nine specific elements that your dealership’s information security program must include:
1. Designate a Qualified Individual
Your dealership must designate a single person responsible for overseeing your information security program. This doesn’t mean they need to be a cybersecurity expert — they can be a general manager, compliance officer, or operations director — but they must have the authority and resources to implement the program.
Importantly, the Qualified Individual can be an employee or a third-party service provider. Many dealerships designate their IT provider as the Qualified Individual or co-designate alongside an internal staff member.
What the FTC expects: A named individual with documented authority and responsibility for the security program. They must report to the board of directors (or equivalent) at least annually.
2. Conduct a Risk Assessment
You must perform a written risk assessment that identifies reasonably foreseeable internal and external risks to customer information. This assessment must evaluate the sufficiency of your existing safeguards and be updated regularly.
What the FTC expects: A documented assessment that identifies specific threats (phishing, ransomware, insider theft, vendor access, physical theft), evaluates existing controls, and identifies gaps. This can’t be a generic template — it must reflect your dealership’s actual environment.
3. Implement Access Controls
Access to customer financial information must be limited to employees who need it for their job functions. This includes both digital access (system permissions, database access, application roles) and physical access (locked filing cabinets, restricted server rooms).
What the FTC expects: Role-based access controls on all systems containing customer data. Regular access reviews to remove permissions when employees change roles or leave the dealership. Principle of least privilege applied consistently.
4. Encrypt Customer Information
Customer data must be encrypted both in transit (when being sent over a network) and at rest (when stored on servers, workstations, or backup media). This applies to your DMS, CRM, document management systems, email, and any other system that stores or transmits customer financial information.
What the FTC expects: Industry-standard encryption (AES-256 for data at rest, TLS 1.2+ for data in transit) applied to all systems containing customer information. If encryption isn’t feasible for a specific system, you must document the alternative controls.
5. Implement Multi-Factor Authentication (MFA)
MFA is required for any individual accessing customer information on your systems. This is one of the most commonly cited deficiencies in FTC enforcement actions against auto dealers.
What the FTC expects: MFA on all systems containing customer data — including your DMS, CRM, email, VPN, remote access tools, and cloud applications. SMS-based MFA meets the minimum requirement, but app-based (TOTP) or hardware tokens are stronger.
6. Secure Development Practices
If your dealership develops or contracts custom software (websites, customer portals, mobile apps), you must follow secure development practices including security testing before deployment.
What the FTC expects: Most dealerships don’t develop custom software, but if you have a custom website with customer-facing forms, lead submission portals, or credit application integrations, those systems must be developed and tested with security in mind.
7. Implement Continuous Monitoring
Your security program must include continuous monitoring or periodic penetration testing and vulnerability assessments to detect unauthorized access, data breaches, and system vulnerabilities.
What the FTC expects: Either continuous monitoring (SIEM, EDR, log analysis) OR annual penetration testing combined with semi-annual vulnerability assessments. Most dealerships benefit from continuous monitoring because it catches threats in real time rather than during periodic snapshots.
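As an added example of what "log analysis" and "alerting for suspicious activity" look like in practice (this is illustrative code, not COMNEXIA's tooling or anything from the original article), the script below runs a few detection rules over constructed DMS authentication log lines: logins that succeeded without a second factor, one account active from two addresses within minutes (a sign of credential sharing), vendor accounts used after hours, and a run of failed attempts followed by a success. The log format, account names, business-hours window and thresholds are all assumptions.

```python
"""Added example (not from COMNEXIA or the original article): a small
detection pass over constructed DMS authentication log lines, showing the
kind of alerting a continuous-monitoring control should produce.
Log format, field names, account names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format):
# <ISO timestamp> user=<account> src=<ip> result=<success|failure> mfa=<yes|no>
SAMPLE_LOG = """\
2026-01-12T08:02:11 user=jsmith src=10.1.20.15 result=success mfa=yes
2026-01-12T08:05:40 user=finance1 src=10.1.20.22 result=success mfa=no
2026-01-12T08:06:02 user=finance1 src=10.1.20.31 result=success mfa=no
2026-01-12T09:15:00 user=vendor-dms src=203.0.113.40 result=success mfa=yes
2026-01-12T22:41:13 user=vendor-dms src=203.0.113.41 result=success mfa=yes
2026-01-12T11:00:01 user=ajones src=10.1.20.50 result=failure mfa=no
2026-01-12T11:00:05 user=ajones src=10.1.20.50 result=failure mfa=no
2026-01-12T11:00:09 user=ajones src=10.1.20.50 result=failure mfa=no
2026-01-12T11:00:13 user=ajones src=10.1.20.50 result=failure mfa=no
2026-01-12T11:00:17 user=ajones src=10.1.20.50 result=failure mfa=no
2026-01-12T11:00:21 user=ajones src=10.1.20.50 result=success mfa=yes
"""

VENDOR_ACCOUNTS = {"vendor-dms"}        # assumed naming for third-party access
BUSINESS_HOURS = range(7, 20)           # 07:00-19:59 local time, assumed
SHARED_WINDOW = timedelta(minutes=10)   # two IPs inside this window => shared use
FAILURE_THRESHOLD = 5                   # failures before a success => guessing


def parse_line(line):
    """Turn one 'key=value' log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect(records):
    """Return (rule, user, timestamp) tuples for every rule that fires."""
    alerts = []
    successes = [r for r in records if r["result"] == "success"]

    # Rule 1: any successful access without a second factor
    for r in successes:
        if r["mfa"] != "yes":
            alerts.append(("NO_MFA", r["user"], r["ts"]))

    # Rule 2: one account active from two source IPs in a short window
    by_user = defaultdict(list)
    for r in successes:
        by_user[r["user"]].append(r)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for a, b in zip(recs, recs[1:]):
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= SHARED_WINDOW:
                alerts.append(("SHARED_ACCOUNT", user, b["ts"]))

    # Rule 3: vendor accounts used outside business hours
    for r in successes:
        if r["user"] in VENDOR_ACCOUNTS and r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("VENDOR_AFTER_HOURS", r["user"], r["ts"]))

    # Rule 4: a run of failures immediately followed by a success
    streak = defaultdict(int)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["result"] == "failure":
            streak[r["user"]] += 1
        else:
            if streak[r["user"]] >= FAILURE_THRESHOLD:
                alerts.append(("FAILURES_THEN_SUCCESS", r["user"], r["ts"]))
            streak[r["user"]] = 0
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, user, ts in run_sample():
        print(f"{ts.isoformat()} {kind:<22} {user}")
```

On the constructed lines this raises five alerts: two NO_MFA and one SHARED_ACCOUNT for the generic finance1 account, one VENDOR_AFTER_HOURS for the vendor login at 22:41, and one FAILURES_THEN_SUCCESS for ajones. Real DMS and identity-provider logs will need their own parser, but the rules translate directly into SIEM correlation searches.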
8. Develop an Incident Response Plan
You must have a documented plan for responding to security events. This plan must cover detection, containment, investigation, remediation, notification, and recovery.
What the FTC expects: A written incident response plan that names specific roles and responsibilities, includes contact information for key personnel (legal, IT, insurance, law enforcement), defines classification criteria for security events, and outlines notification procedures for affected customers and regulatory bodies.
9. Manage Vendor and Service Provider Security
If third-party vendors have access to your customer data (which they almost certainly do — your DMS provider, CRM vendor, payment processor, and IT provider all qualify), you must oversee their security practices.
What the FTC expects: Written vendor agreements that require appropriate security measures. Periodic assessment of vendor security practices. Documentation of what customer data each vendor can access and how that access is controlled.
Common Compliance Gaps at Georgia Dealerships
After working with automotive dealerships across Georgia for over three decades, these are the compliance gaps we see most frequently:
No MFA on the DMS
This is the single most common deficiency. Dealership employees log into CDK, Reynolds and Reynolds, or Dealertrack with a username and password — no second factor. Given that the DMS contains virtually every piece of customer financial data the dealership collects, this is a critical gap.
Weak or Shared Passwords
Multiple employees sharing login credentials for the DMS, accounting software, or network resources. Generic accounts like “ServiceDept” or “Finance1” with passwords that haven’t been changed in years. Password policies that don’t enforce complexity or rotation.
Unencrypted Customer Data
Credit applications stored as unencrypted PDFs on shared drives. Customer documents scanned and saved to desktop folders without encryption. Backup drives or tapes stored without encryption in unlocked areas.
No Incident Response Plan
Many dealerships have never written an incident response plan. When a ransomware attack or data breach occurs, the response is improvised — leading to longer recovery times, greater data exposure, and potential regulatory violations for failing to notify affected customers within required timeframes.
Uncontrolled Third-Party Vendor Access
DMS providers, software vendors, payment processors, and IT contractors often have broad access to dealership systems with no formal security agreements, no access logging, and no periodic review of what they can reach.
No Designated Qualified Individual
The rule requires a named person responsible for the security program. Many dealerships haven’t formally designated anyone — which means no one is accountable for compliance status, no one is reporting to ownership, and no one is tracking whether controls are actually working.
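The gaps above are the kind a Qualified Individual can check mechanically once the data inventory from the roadmap exists. As an added example (illustrative code, not a COMNEXIA deliverable or anything from the original article), the script below audits a constructed account inventory for DMS logins without MFA, generic or shared accounts, passwords older than policy allows, access beyond what a role needs, and vendor accounts whose security review is overdue. The inventory fields, the role-to-system map, the audit date and the age thresholds are assumptions.

```python
"""Added example (not COMNEXIA's own tooling): an audit over a constructed
account inventory that flags the compliance gaps discussed in the article.
Field names, role-to-system mapping, dates and thresholds are assumptions."""
from datetime import date

AS_OF = date(2026, 3, 1)                  # assumed audit date
MAX_PASSWORD_AGE_DAYS = 90                # assumed password policy
MAX_VENDOR_REVIEW_AGE_DAYS = 365          # assumed vendor-review policy
GENERIC_NAMES = {"servicedept", "finance1", "sales", "admin", "parts"}

# Assumed least-privilege map: systems each role legitimately needs
ROLE_SYSTEMS = {
    "fi_manager": {"dms", "crm", "email"},
    "service_advisor": {"dms", "email"},
    "sales": {"crm", "email"},
    "vendor": {"dms"},
}

# Constructed inventory: one record per account
INVENTORY = [
    {"user": "jsmith", "role": "fi_manager", "systems": {"dms", "crm", "email"},
     "mfa": True, "pw_changed": date(2026, 1, 15), "shared": False},
    {"user": "Finance1", "role": "fi_manager", "systems": {"dms"},
     "mfa": False, "pw_changed": date(2022, 6, 1), "shared": True},
    {"user": "bnguyen", "role": "sales", "systems": {"crm", "email", "dms"},
     "mfa": True, "pw_changed": date(2026, 2, 1), "shared": False},
    {"user": "vendor-dms", "role": "vendor", "systems": {"dms"},
     "mfa": True, "pw_changed": date(2026, 2, 10), "shared": False,
     "last_review": date(2024, 11, 1)},
]


def audit_account(acct, as_of=AS_OF):
    """Return the list of findings for one account (empty list = clean)."""
    findings = []
    # Gap: DMS access without a second factor
    if "dms" in acct["systems"] and not acct["mfa"]:
        findings.append("DMS_NO_MFA")
    # Gap: shared credentials or a generic department-style account name
    if acct["shared"] or acct["user"].lower() in GENERIC_NAMES:
        findings.append("SHARED_OR_GENERIC")
    # Gap: password older than policy allows
    if (as_of - acct["pw_changed"]).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("STALE_PASSWORD")
    # Gap: permissions beyond what the role needs (least privilege)
    excess = acct["systems"] - ROLE_SYSTEMS.get(acct["role"], set())
    if excess:
        findings.append("EXCESS_ACCESS:" + ",".join(sorted(excess)))
    # Gap: third-party access never reviewed, or reviewed too long ago
    if acct["role"] == "vendor":
        review = acct.get("last_review")
        if review is None or (as_of - review).days > MAX_VENDOR_REVIEW_AGE_DAYS:
            findings.append("VENDOR_REVIEW_OVERDUE")
    return findings


def audit(inventory, as_of=AS_OF):
    """Map each account with at least one finding to its findings."""
    results = {}
    for acct in inventory:
        findings = audit_account(acct, as_of)
        if findings:
            results[acct["user"]] = findings
    return results


if __name__ == "__main__":
    for user, findings in audit(INVENTORY).items():
        print(f"{user:<12} {', '.join(findings)}")
```

Run against the constructed inventory, jsmith comes back clean, Finance1 trips the MFA, shared-account and stale-password checks, bnguyen is flagged for DMS access a sales role does not need, and vendor-dms is flagged for an overdue review. Feeding a real export from the DMS user list and the identity provider into the same checks gives the Qualified Individual a repeatable artifact for the annual report.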
Step-by-Step Compliance Roadmap for Georgia Dealerships
If your dealership needs to build or improve its Safeguards Rule compliance program, here’s a practical sequence:
Phase 1: Foundation (Weeks 1–4)
- Designate your Qualified Individual — Name the person (internal or third-party) who owns the program
- Inventory your data — Document every system, application, and physical location where customer financial data is stored, processed, or transmitted
- Conduct your risk assessment — Identify threats, evaluate existing controls, and document gaps
- Establish your security policies — Create or update written policies covering acceptable use, password requirements, data handling, and incident reporting
Phase 2: Technical Controls (Weeks 5–12)
- Deploy MFA everywhere — Start with the DMS and email, then extend to all systems containing customer data
- Implement encryption — Enable drive encryption on all workstations and servers, verify TLS on all web applications and email, encrypt backup media
- Enforce access controls — Implement role-based access on the DMS and all critical systems, remove unnecessary permissions, eliminate shared accounts
- Deploy monitoring tools — Implement EDR on all endpoints, configure log collection, establish alerting for suspicious activity
Phase 3: Process and Documentation (Weeks 9–16)
- Write your incident response plan — Define roles, procedures, contact lists, and notification requirements
- Document vendor management — Inventory all third-party vendors with data access, review their security practices, update agreements
- Train your staff — Security awareness training for all employees, with specific modules for F&I, accounting, and management
- Establish reporting — Set up the Qualified Individual’s annual report to ownership/board
Phase 4: Ongoing Operations
- Conduct periodic testing — Vulnerability scans (quarterly), penetration testing (annually), risk assessment updates (annually or after significant changes)
- Maintain documentation — Keep all compliance documentation current and accessible for audit
- Continue training — Annual refresher training for all employees, plus new-hire onboarding
- Monitor and adapt — Review security events, update controls based on new threats, and track regulatory changes
How COMNEXIA Helps Georgia Dealerships Achieve Compliance
COMNEXIA has supported automotive dealerships across Georgia for over 35 years — long before the FTC Safeguards Rule existed. Our dealership compliance services cover the complete lifecycle:
- Gap assessments — We evaluate your current security posture against every Safeguards Rule requirement and deliver a prioritized remediation roadmap
- Technical implementation — MFA deployment, encryption configuration, access control setup, monitoring tools, and network segmentation — all configured for dealership environments and DMS compatibility
- Documentation — Written information security programs, risk assessments, incident response plans, and vendor management documentation that satisfy FTC requirements
- Ongoing monitoring — 24/7 security monitoring, vulnerability management, and continuous compliance validation
- Qualified Individual services — We can serve as your designated Qualified Individual or support your internal designee with technical expertise and reporting
- Staff training — Security awareness programs tailored to dealership roles, from the service drive to the F&I office
We understand the unique challenges of dealership IT: DMS integrations that resist standard security controls, multi-location networks that need segmentation without disrupting operations, and vendor ecosystems that require careful access management.
If your Georgia dealership needs help building or strengthening its FTC Safeguards compliance program, contact our Atlanta dealership IT team or reach out directly for a compliance assessment.