Close this search box.

FTC Compliance: The Gramm-Leach-Bliley Revision

Avatar photo
Art Ocain

Amended Safeguards Rule from FTC

On December 9th, 2021, the Federal Trade Commission (FTC) amended the Safeguards Rule, the 1999 Gramm-Leach-Bliley Act, to put more meat on the bones of the previous rule. In this revision, the FTC has made the Safeguards Rule prescriptive by providing a list of actions and controls that are required for compliance. Furthermore, the FTC also gave the rule teeth, giving it monetary penalties of up to $43,792 per violation, per day. This amendment also made cybersecurity for auto dealers more important.

The FTC intends to take this rule seriously, as they perceive that American companies, especially non-bank financial institutions, whom this applies to, are neglecting the protection of customer information. Enforcement of the rule begins on December 9th, 2022, on the anniversary of the passage of the amendment.

Who are non-bank financial institutions?

Mortgage lenders, mortgage brokers, payday lenders, finance companies, check cashers, tax prep firms, financial advisors, credit counselors, collection agencies, and car dealerships. In essence, these companies engage significantly in financial products and have private customer credit data.

One key point to remember is that the FTC exists to protect consumers, so they have crafted this ruling to improve the privacy and security of businesses by making your company responsible for:

  • Ensuring the security and confidentiality of customer information
  • Protecting against threats and hazards to the security and integrity of customer information
  • Protecting against unauthorized access to that information that could result in harm or inconvenience to the customer

auto dealership FTC Compliance

What does this mean for me?

Let’s say you have a car dealership or a local accounting firm. Now, in addition to your other regulations and state laws regarding privacy, you need to comply with the amended FTC Safeguards. Subsequently, your IT and cybersecurity budget will likely have to expand in order to meet this new compliance. The National Automobile Dealers Association (NADA) estimates that even small dealerships will need to pay $220,400 in initial remediation projects and $217,800 in annual costs to become compliant. NADA estimates that midsized dealerships would pay $367,550 in initial remediation projects and $336,050 in annual costs.

Other FTC Requirements

In addition to identifying a qualified individual to own your information security program, the amended rule requires that this program be designed around the risks to the customer data and your organization.  Your organization needs to have data retention policies, encryption, multi-factor authentication, continuous monitoring, user activity logging, access control auditing, vulnerability scanning, 3rd party risk assessment, a change management plan, employee security awareness training, and an incident response plan. Depending on your safeguards, an annual penetration test may be required. At the end of the year, you should have documentation in an annual security report.

Consequently, this is a lot to handle if you don’t have an existing information security program in place, so it is important to pull in experts to help move your organization forward. Remember: you can’t offload all of your risk to an outsourcer.  Even when you bring in a company like Airiam to be your FTC consultant, you and your organization are ultimately the ones responsible to the FTC and your customers. Remember to assign an internal champion to manage your 3rd party consultants.

Execution + Documentation = Compliance

Evidently, when the FTC comes knocking, it is going to be important to be able to present them with evidence of your semi-annual vulnerability assessments, evidence of your security controls, documentation of your information security plan and policies (data retention, change management, incident response). Use a trust-but-verify approach to your policies and controls, building in mechanisms to check whether the safeguards are working in your organization. You’ll need to keep documentation of that controls verification to the FTC as well as the output of your annual security report.


Have more questions? Want Airiam to get you FTC Compliant? Click below!

Contact Us

FTC Cybersecurity Assessment

New Resources In Your Inbox

Get our latest cybersecurity resources, content, tips and trends.

Other resources that might be of interest to you.

The Grinches Who Stole Data

The Grinches Who Stole Data: Guarding Against Holiday Cyber Attacks He’s a mean one, Mr. Grinch. Cyber grinches are on the prowl, looking to steal more than just your holiday joy. As we exchange festive greetings and share goodwill, it’s crucial to be
Vivian Lee
>>Read More

11 Benefits of Incident Response Services for Financial Firms

The high-stakes world of finance has no room for cyber breaches, but that doesn’t stop the threat from growing. Bad actors know it’s a big-money game, and they’ve recently been exposing any vulnerability they can exploit: Central Bank of Lesotho: A cyb
Jesse Sumrak
>>Read More

Airiam and White Knight Labs Partner to Enhance Cyber Resilience

March 22, 2024 – Airiam, a leader in cybersecurity and resilience solutions, is thrilled to announce its strategic alliance with White Knight Labs, a leading provider of cybersecurity solutions. This collaboration is geared towards providing businesses
Vivian Lee
>>Read More