February 20, 2026
Automobile Dealers and the FTC’s Safeguards Rule FAQs
Automobile Dealers and the FTC’s Safeguards Rule Frequently Asked Questions
The Federal Trade Commission (FTC) has developed these FAQs to help automobile dealers comply with the Gramm-Leach-Bliley Act and the FTC’s Safeguards Rule. The following questions and answers discuss the requirements of the Safeguards Rule and apply it to specific situations that automobile dealers may face. These FAQs are meant to supplement the compliance materials available on the FTC website, including the FTC’s business explainer: FTC Safeguards Rule: What Your Business Needs to Know | Federal Trade Commission. You might also want to familiarize yourself with the FTC’s Privacy Rule FAQs for automobile dealers: The FTC’s Privacy Rule and Auto Dealers: Frequently Asked Questions (“Privacy Rule FAQs”). Please note that this document represents the views of FTC staff and is not binding on the Commission.
Safeguards Rule 101
1. What is the FTC’s Safeguards Rule?
The FTC’s Safeguards Rule, which dates to 2003, requires financial institutions to maintain safeguards to protect customer information. The FTC issued the Rule to implement the requirements of the Gramm-Leach-Bliley Act, and it applies to financial institutions subject to the FTC’s authority. That includes most automobile dealers who finance or lease automobiles.
In 2021, the FTC amended the Safeguards Rule to provide more specific guidelines for financial institutions and to ensure that the Rule keeps pace with current technology. The amended Safeguards Rule requires financial institutions to have written information security programs to protect the customer information they hold, and to include certain safeguards in those programs, which are listed below.
A further amendment in 2023 requires financial institutions to report to the FTC certain data breaches and security incidents involving their customer information. That requirement took effect in May 2024.
2. What does the Safeguards Rule require automobile dealers to do?
The Safeguards Rule requires automobile dealers who are financial institutions to develop, implement, and maintain a comprehensive written information security program that is sufficient to protect customer information. We discuss all of that in more detail below, but the bottom line is that you should determine what customer information you have, and then plan and implement your information security program around that – so if you are a large company with significant amounts of customer information that many employees need to access, your written information security program will probably be more robust than it would be if you only keep a little bit of customer information in one place. You also need to maintain your program, meaning you should monitor its effectiveness and update it if necessary.
3. What automobile dealers qualify as “financial institutions”?
“Financial institutions” are businesses that are significantly engaged in financial activities or activities incidental to such financial activities. That covers more entities than you might imagine, because it focuses on the kinds of activities a business engages in rather than on how the business might describe itself. In addition, businesses that engage in both financial activities and non-financial activities are still financial institutions if they significantly engage in financial activities.
Automobile dealers who finance (or facilitate the financing of) automobiles for consumers are financial institutions for purposes of the Safeguards Rule, since lending money is considered a financial activity under the relevant federal law. 12 U.S.C. § 1843(k). Automobile dealers also qualify as financial institutions if they lease automobiles for longer than 90 days, since leasing is considered a financial activity as well. 16 C.F.R. § 314.2(h)(2)(ii).
4. What is “customer information”?
Generally, under the FTC’s Safeguards Rule, customer information is any record containing nonpublic personal information about a customer of a financial institution that is handled or maintained by or on behalf of the financial institution or its affiliates. Let’s unpack that definition.
- Under the Safeguards Rule, a “consumer” is anyone who seeks a financial product or service from you that is primarily for their own personal, family, or household use.
- That includes anyone who applies to you for credit or who gives you nonpublic personal information so that you can determine whether they qualify for financing – for example, to finance or lease an automobile.
- If you provide financing to or arrange financing for the consumer, then you are entering into a continuing relationship with the consumer.
- Once there is a “continuing relationship,” the consumer becomes your “customer.”
- Any non-public personally identifiable information the customer provided to obtain the financing is “customer information” that you have to protect under the FTC’s Safeguards Rule.
- “Customer information” also includes any information that is derived from personally identifiable financial information, such as a list identifying all the customers who financed their automobiles with you. See 16 C.F.R. § 314.2(l)(1) (definition of “nonpublic personal information”); § 314.2(d) (defining “customer information” as “any record containing nonpublic personal information about a customer of a financial institution.”).
Given those definitions, certain types of records are always going to be customer information and covered by the Safeguards Rule:
- Applications you approved for financing or leasing (that include information like the customer’s name, address, Social Security number, and financial account information).
- Spreadsheets of the names and addresses of customers who financed or leased automobiles from you.
- Financial information related to individual consumers who financed or leased automobiles from you.
Other types of records do not qualify as “customer information,” and the Safeguards Rule will not apply to them unless they are combined with customer information:
- Names and addresses that you collect from everyone (so long as the information doesn’t indicate whether they financed or leased their automobiles) – for example, to share with an Original Equipment Manufacturer (OEM) for the purpose of sending recall notices.
- General sales data reports or other aggregate information about your automobile sales that isn’t derived from how the automobiles were financed or leased.
- Service or maintenance records for automobiles that you sold, leased, or generally serviced.
5. What is an “information security program”?
The Safeguards Rule defines an “information security program” as the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.
In other words, your information security program is all of the processes and procedures you follow to protect your customer information. That includes the ways you collect and store customer information, as well as how you share it with other companies and how you get rid of it when you no longer need it.
6. How do I know if my information security program is “sufficient to protect” my customer information?
The Safeguards Rule says that your written information security program must be reasonably designed to achieve the following goals:
- Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of the customer information; and
- Protect against unauthorized access to or use of the customer information that could result in substantial harm or inconvenience to the customer.
In particular, your written program should contain administrative, technical, and physical safeguards that are appropriate for your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.
The Safeguards Rule also spells out ten different elements that you should include in your program to meet those goals (each of which is explained in more detail at 16 C.F.R. § 314.4):
- Designate a qualified individual to oversee and implement the program. The individual can be one of your employees or someone who works for an affiliate or service provider.
- Base the program on a written risk assessment that identifies reasonably foreseeable internal and external risks to your customer information and assesses the safeguards you have in place. The risk assessment should lay out the criteria you used to identify risks, as well as how you assessed your current systems and how you will mitigate the risks you identified. You should also periodically re-assess the risks and your safeguards to make sure you are focusing on current threats.
- Design and implement safeguards to control those risks. Such safeguards include access controls, encryption of customer information at rest and in transit, multifactor authentication for anyone who accesses your information system, and logging and monitoring activity, among other things.
- Regularly monitor and test how well your safeguards are working. You should continuously monitor information systems. If you cannot continuously monitor, then you must conduct annual penetration testing and vulnerability assessments at least every six months.
- Adopt policies and procedures to ensure your personnel can enact your information security program. This should include security awareness training for everyone and specialized training for staff who actually carry out the information security program.
- Oversee your service providers. You should take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information, require them to agree in the contract to implement and maintain those safeguards, and periodically assess them based on the risk they present and the continued adequacy of their safeguards.
- Keep your information security program current. Make adjustments and improvements based on the results of your monitoring, penetration testing, and risk and vulnerability assessments. Also consider whether material changes to your business or other circumstances necessitate changes to your program.
- Create a written incident response plan. This should be your blueprint for how to respond to and recover from any security incident that affects the confidentiality, integrity, or availability of your customer information. Among other things, the plan should lay out your internal processes for responding to a security event (including the roles, responsibilities, and levels of decision-making authority for your team), identify requirements for remediations of any weaknesses you identify in your information system, and spell out any documentation and reporting procedures.
- Require your designated Qualified Individual to report to your Board of Directors or other governing body for your business. The reporting should be in writing, and it should happen regularly (at least annually). It should cover the overall status of the program and your compliance with the Rule, and it should identify and address any material matters related to the information security program (such as risk assessments, service provider arrangements, and security events).
- Notify the Federal Trade Commission about breaches. If you do have a breach that results in the loss or exposure of customer information – which the Safeguards Rule refers to as a “notification event” – you may need to notify the FTC about it within 30 days. This is a new requirement in effect as of May 2024, and we discuss it more below.
The Safeguards Rule requires you to secure information systems that contain customer information as well as those that are connected to a system containing customer information. In effect, unless you maintain two separate networks that are not connected, the protections that you need to provide for customer information on your network will also protect other information on your network. The Rule also requires you to implement physical security safeguards, such as locking file cabinets where paper records are stored.
7. How do I know if I have a “notification event”?
The Safeguards Rule requires financial institutions to notify the FTC as soon as possible – and no later than 30 days after discovery – of a security breach involving the unauthorized acquisition of at least 500 consumers’ unencrypted information. This is known as a “notification event” under the Safeguards Rule.
For purposes of the Rule, a notification event covers unauthorized access to unencrypted customer information as well as its unauthorized acquisition. It also covers encrypted customer information if the encryption key was accessed. Unauthorized acquisition will be presumed unless you have reliable evidence to show that there has not been, or could not reasonably have been, unauthorized acquisition of the customer information in question.
Source: FTC; June 2025