In 2003, the FTC created the Safeguard Rule as part of a directive from the Gramm-Leach-Bliley Act. The Safeguard Rule was created to direct financial institutions, which includes auto dealerships that extend credit and lease terms, to develop and implement a written information security program.

In October of 2021, this rule was updated to include much more detail about the required elements that must be included in an information security program, like addressing access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response. In addition, dealers must have a “Qualified Individual” to oversee data security. This can be a difficult standard for most auto dealerships to meet. There are several security controls that auto dealers must have in place to satisfy the Safeguard Rule.

These include: