FTC Safeguards Rule Checklist for Auto Dealers

A dealership-specific compliance checklist covering every FTC Safeguards Rule requirement — from DMS security and F&I data protection to incident response in the post-CDK attack era.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Why auto dealers are a top FTC target

Auto dealerships are explicitly named as "financial institutions" under the FTC Safeguards Rule because they routinely arrange financing, leasing, and insurance for consumers. Every F&I office in America handles Social Security numbers, credit reports, bank account details, and income verification documents — making dealerships a goldmine for attackers and a priority for FTC enforcement.

The 2024 CDK Global attack was a watershed moment. CDK's dealer management system (DMS) serves over 15,000 dealerships, and when ransomware shut it down for weeks, it exposed just how dependent — and how vulnerable — the industry had become. Dealers couldn't process sales, service appointments, or financing. The attack cost the industry an estimated $1 billion and put every dealership's cybersecurity posture under a microscope.

Since CDK, the FTC has signaled increased scrutiny of auto dealer compliance. Dealers who cannot demonstrate a functioning information security program face penalties of up to $50,120 per violation per day. This checklist gives you a clear, dealership-specific path to compliance.

DMS security: your most critical system

Your Dealer Management System is the nerve center of your operation. It holds customer PII, financial records, inventory data, and service histories. Securing your DMS is the single most impactful step you can take for Safeguards Rule compliance.

Access control is step one. Every DMS user should have a unique login — no shared accounts in F&I, no generic "service advisor" credentials. Implement role-based access so that a service writer cannot access financing documents and an F&I manager cannot modify accounting records. Review access permissions quarterly and remove terminated employees immediately.

Multi-factor authentication must be enabled for every DMS login without exception. The Safeguards Rule specifically requires MFA for systems accessing customer financial information. If your DMS vendor does not support MFA natively, you need a compensating control such as a VPN with MFA in front of it.

Encryption matters both at rest and in transit. Verify with your DMS provider that data is encrypted in their databases and that all connections use TLS 1.2 or higher. If you use a locally-hosted DMS, ensure disk-level encryption and encrypted backups. Run a Cyber Defense Agent scan on your dealership's domain to verify your TLS configuration and external security posture.

F&I data protection requirements

The Finance & Insurance office is where the most sensitive customer data lives. Every credit application, every deal jacket, every insurance form contains information that, if breached, triggers notification obligations in virtually every state.

Physical security still matters. Deal jackets and printed credit applications must be locked in secure storage when not actively in use. Shredding is required for all documents containing PII. The FTC has cited dealerships for leaving customer files in unlocked cabinets and on open desks.

Digital F&I workflows introduce new risks. If you use electronic deal jackets, e-contracting platforms, or digital retailing tools, each system must meet Safeguards Rule standards: MFA, encryption, access controls, and audit logging. Maintain a written inventory of every system that touches customer financial data.

Third-party lending portals — RouteOne, DealerTrack, and others — are your service providers under the Safeguards Rule. You must have written contracts requiring them to maintain appropriate safeguards, and you must monitor their compliance. This includes verifying their SOC 2 reports and incident notification procedures.

Email is a common vulnerability. F&I managers routinely email credit applications, stips, and approval letters. All emails containing customer PII must be encrypted. Implement SPF, DKIM, and DMARC on your dealership domain to prevent spoofing and verify email authentication with a CDA scan.
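Before (or between) CDA scans, the SPF, DKIM and DMARC records themselves can be graded by hand. The following Python script is an added example, not code from this guide or from Cyber Defense Agent: it takes record text you have already pulled from DNS (for instance with `dig TXT`), so it runs offline, and reports the weak settings that let a spoofed "from the dealership" credit-approval email through. The domain names, selector key and policies in the sample records are constructed placeholders, not real DNS data.

```python
"""Added example, not code from the original guide or from Cyber Defense Agent:
an offline grader for the SPF, DKIM and DMARC records a dealership publishes.
It takes record text you have already fetched (for example with `dig TXT`), so
it needs no network access; the sample records at the bottom are constructed."""
import base64
import re
from dataclasses import dataclass

SEVERITY_RANK = {"ok": 0, "warn": 1, "fail": 2}


@dataclass
class Finding:
    record: str    # "SPF", "DKIM" or "DMARC"
    severity: str  # "ok", "warn" or "fail"
    message: str


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DKIM or DMARC record into a dict; values may contain '='."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    if not record.startswith("v=spf1"):
        return [Finding("SPF", "fail", "no SPF record (v=spf1) published")]
    terms = record.split()
    last = terms[-1]  # the terminal 'all' decides what happens to unlisted senders
    verdicts = {"-all": ("ok", "-all rejects unlisted senders"),
                "~all": ("warn", "~all only soft-fails spoofed mail; move to -all once every sender is listed"),
                "+all": ("fail", "+all lets any server send as this domain"),
                "?all": ("fail", "?all lets any server send as this domain")}
    sev, msg = verdicts.get(last, ("warn", "no terminal 'all' mechanism; unlisted senders get a neutral result"))
    out = [Finding("SPF", sev, msg)]
    # RFC 7208 section 4.6.4 allows at most 10 DNS-querying mechanisms per evaluation.
    lookups = sum(1 for t in terms if re.match(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", t))
    if lookups > 10:
        out.append(Finding("SPF", "fail", f"{lookups} DNS lookups exceed the limit of 10 (permerror)"))
    return out


def check_dkim(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return [Finding("DKIM", "fail", "no usable DKIM key record at this selector")]
    if tags["p"] == "":
        return [Finding("DKIM", "fail", "empty p= tag: the key was revoked")]
    try:
        der_len = len(base64.b64decode(tags["p"], validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return [Finding("DKIM", "fail", "p= tag is not valid base64")]
    out = []
    if "y" in tags.get("t", ""):
        out.append(Finding("DKIM", "warn", "t=y testing flag set; receivers may ignore failures"))
    # Rough size check from the DER length: a 1024-bit RSA key is about 162 bytes, a
    # 2048-bit key about 294. RFC 8301 recommends 2048-bit signing keys.
    if der_len < 250:
        out.append(Finding("DKIM", "warn", f"key DER is {der_len} bytes, likely 1024-bit; rotate to 2048-bit"))
    return out or [Finding("DKIM", "ok", "key published and not in testing mode")]


def check_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return [Finding("DMARC", "fail", "no DMARC record; spoofed mail is never rejected")]
    verdicts = {"reject": ("ok", "p=reject enforced"),
                "quarantine": ("ok", "p=quarantine enforced; p=reject is the end state"),
                "none": ("warn", "p=none only monitors; spoofed mail is still delivered")}
    sev, msg = verdicts.get(tags["p"], ("fail", f"unknown policy p={tags['p']}"))
    out = [Finding("DMARC", sev, msg)]
    if int(tags.get("pct", "100")) < 100:
        out.append(Finding("DMARC", "warn", f"pct={tags['pct']} applies the policy to only part of the mail"))
    if "rua" not in tags:
        out.append(Finding("DMARC", "warn", "no rua= address, so you receive no aggregate reports"))
    return out


def grade_domain(spf: str, dkim: str, dmarc: str) -> dict:
    findings = check_spf(spf) + check_dkim(dkim) + check_dmarc(dmarc)
    worst = max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity
    return {"worst": worst, "findings": findings}


# Constructed sample records for a hypothetical dealership domain, not real DNS data.
SAMPLE_RECORDS = {
    "spf": "v=spf1 include:_spf.dms-vendor.example include:_spf.crm-vendor.example mx ~all",
    "dkim": "v=DKIM1; k=rsa; p=" + "A" * 392,  # placeholder base64 sized like a 2048-bit key
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@dealer.example",
}

if __name__ == "__main__":
    result = grade_domain(**SAMPLE_RECORDS)
    print("overall:", result["worst"])
    for f in result["findings"]:
        print(f"  [{f.severity:<4}] {f.record}: {f.message}")
```

The sample domain comes out as "warn": SPF ends in `~all`, and DMARC is still at `p=none`, which is exactly the state where a spoofed message from the dealership's domain is flagged but still lands in the customer's inbox. Moving to `-all` and `p=reject` once every legitimate sender (DMS, CRM, marketing platform) is in the SPF record turns both findings to "ok".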

Complete 9-point dealer compliance checklist

1. Qualified Individual — Designate your QI in writing. For most dealerships, this is the controller, compliance officer, or a qualified IT/MSP partner. Document their qualifications and reporting structure.

2. Risk assessment — Conduct a written assessment covering DMS, F&I systems, CRM, email, Wi-Fi networks (customer and internal), IoT devices (cameras, service equipment), and physical security. Run a Cyber Defense Agent scan to populate the external risk portion automatically.

3. Safeguards implementation — Enable MFA everywhere. Encrypt data at rest and in transit. Segment your network (customer Wi-Fi must be isolated from DMS and business systems). Deploy endpoint detection on all workstations.

4. Continuous monitoring — Enroll in Cyber Defense Agent for weekly external scans. Implement internal log monitoring for DMS access and F&I system usage. Set up alerts for anomalous login patterns.

5. Training — All employees handling customer data need annual security awareness training. F&I staff need specialized training on data handling, phishing recognition, and incident reporting. Document attendance.

6. Vendor management — Inventory all third-party systems: DMS, CRM, desking tools, lending portals, e-contracting, digital retailing, service scheduling, and marketing platforms. Require security obligations in contracts and review SOC 2 reports annually.

7. Program updates — Review and update your security program whenever you add new technology, change vendors, or experience a security event. At minimum, review annually.

8. Incident response plan — Written plan covering: who to call, how to contain, when to notify customers and the FTC, how to preserve evidence, and how to recover operations. Practice with tabletop exercises.

9. Board/owner reporting — The QI must report to the dealer principal or ownership group at least annually on program status, risks, and recommendations.
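Checklist item 4 (internal log monitoring of DMS access with alerts for anomalous logins) and the access-control points in the DMS section (unique logins, MFA on every login, prompt removal of terminated staff) come down to a handful of rules run over login events. The following Python detector is an added example, not code from this guide or from any DMS vendor. The log line format, usernames, IP addresses and the terminated-user list are constructed, since real DMS audit exports differ by product; adapt `parse_event()` to the export your vendor provides.

```python
"""Added example, not code from the original guide or from any DMS vendor: a small
detector that reads DMS login events and flags the gaps the checklist calls out,
shared credentials, logins without MFA, terminated staff still logging in and
off-hours access. The log line format and the sample lines are constructed;
real DMS audit exports differ per vendor, so adapt parse_event() to yours."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed format: one successful or failed login per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) role=(?P<role>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>\S+)$"
)
BUSINESS_HOURS = range(7, 21)  # 07:00 to 20:59 store-local; adjust to your hours


def parse_event(line: str):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def analyze_logins(lines, terminated_users):
    """Apply four rules to successful logins and return a list of alert dicts."""
    events = [e for e in map(parse_event, lines) if e and e["result"] == "success"]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    ips_per_user_day = defaultdict(set)
    for e in events:
        if e["user"] in terminated_users:
            alerts.append({"rule": "terminated_user", "user": e["user"], "ts": e["ts"],
                           "detail": "login after offboarding; access was not removed"})
        if e["mfa"] == "no":
            alerts.append({"rule": "no_mfa", "user": e["user"], "ts": e["ts"],
                           "detail": f"login from {e['ip']} without MFA"})
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append({"rule": "off_hours", "user": e["user"], "ts": e["ts"],
                           "detail": f"login from {e['ip']} outside business hours"})
        ips_per_user_day[(e["user"], e["ts"].date())].add(e["ip"])
    # Heuristic for shared credentials: one account used from several workstations in
    # a day. Roaming users cause some noise, so treat hits as leads to verify, not proof.
    for (user, day), ips in ips_per_user_day.items():
        if len(ips) > 1:
            alerts.append({"rule": "shared_credential", "user": user,
                           "ts": datetime.combine(day, datetime.min.time()),
                           "detail": f"{len(ips)} source IPs in one day: {', '.join(sorted(ips))}"})
    return alerts


def summarize(alerts):
    """Count alerts per rule; usable as the weekly evidence line in the QI report."""
    return dict(Counter(a["rule"] for a in alerts))


# Constructed sample export: fi_desk and svc_generic are the shared accounts the
# guide warns about, bturner was terminated, and the last line is a failed login.
SAMPLE_LOG = """\
2024-07-01T08:02:11 user=jsmith ip=10.1.20.14 role=fi_manager mfa=yes result=success
2024-07-01T08:05:40 user=fi_desk ip=10.1.20.21 role=fi_manager mfa=no result=success
2024-07-01T08:09:03 user=fi_desk ip=10.1.20.22 role=fi_manager mfa=no result=success
2024-07-01T09:15:27 user=svc_generic ip=10.1.30.5 role=service_writer mfa=yes result=success
2024-07-01T13:44:10 user=svc_generic ip=10.1.30.9 role=service_writer mfa=yes result=success
2024-07-01T23:12:55 user=bturner ip=203.0.113.44 role=controller mfa=yes result=success
2024-07-02T07:58:30 user=jsmith ip=10.1.20.14 role=fi_manager mfa=yes result=failure
""".splitlines()
TERMINATED = {"bturner"}

if __name__ == "__main__":
    found = analyze_logins(SAMPLE_LOG, TERMINATED)
    for a in sorted(found, key=lambda a: a["ts"]):
        print(f"{a['ts']:%Y-%m-%d %H:%M} {a['rule']:<18} {a['user']:<12} {a['detail']}")
    print("summary:", summarize(found))
```

On the constructed sample, the two generic accounts each trigger the shared-credential rule, the F&I desk account also logs in twice without MFA, and the terminated controller appears once, after hours. The per-rule counts from `summarize()` are the kind of recurring evidence item 9 asks the QI to bring to ownership; the individual alerts are the tickets that close the gaps.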

Key Takeaways

TL;DR

Auto dealerships are explicitly covered by the FTC Safeguards Rule as "financial institutions" that arrange consumer financing.

The 2024 CDK Global attack cost the industry $1 billion and triggered heightened FTC scrutiny of dealer cybersecurity.

DMS security and F&I data protection are the two highest-priority areas for dealer compliance.

Network segmentation is critical — customer Wi-Fi must be completely isolated from business and DMS systems.

Start with a free Cyber Defense Agent scan to identify external vulnerabilities before the FTC or an attacker does.

Frequently asked questions

Does the Safeguards Rule apply to small independent dealers?

Yes. Any dealer that arranges financing, leasing, or insurance referrals is a "financial institution" under the rule, regardless of size. A two-person used car lot that arranges buy-here-pay-here financing is covered just like a mega-dealer group. The rule allows you to scale your program to your size, but you must have one.

What if my DMS is cloud-hosted — am I still responsible?

Absolutely. The Safeguards Rule holds you responsible for customer data regardless of where it is stored. Your DMS vendor is a service provider that you must contractually require to maintain safeguards and monitor. You are also responsible for your own access controls, MFA, and endpoint security on the systems connecting to that cloud DMS.

How did the CDK attack change compliance expectations?

The CDK attack demonstrated catastrophic third-party risk in the auto industry. Post-CDK, the FTC expects dealers to have stronger vendor management programs, documented business continuity plans, and the ability to operate (even in a degraded mode) if a key vendor goes down. It also increased scrutiny of DMS single points of failure.

What is the biggest compliance gap you see at dealerships?

Shared login credentials in the DMS and F&I systems. It is extremely common for multiple F&I managers to share one DMS login or for service departments to use a generic account. This violates access control and MFA requirements simultaneously and makes audit trails useless. Fix this first.

How much does Safeguards Rule compliance cost a dealer?

A typical single-point dealer can achieve compliance for $15,000-$40,000 in the first year (including IT upgrades, policies, training, and tools), then $5,000-$15,000 annually to maintain. Cyber Defense Agent at $149/month provides continuous external monitoring and evidence — a fraction of the cost of a consultant-led program.
