If you run a car dealership, the FTC Safeguards Rule isn’t optional reading anymore — it’s the difference between business as usual and a six-figure penalty. With enforcement actions ramping up throughout 2026, dealers who haven’t locked down their IT environments are running out of runway.
Here’s what’s changed, what the FTC is actually looking for, and what you can do about it right now.
What Is the FTC Safeguards Rule?
The Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA). It requires financial institutions — and yes, auto dealerships count as financial institutions because they handle consumer credit applications — to develop, implement, and maintain a comprehensive information security program.
The rule was originally adopted in 2003, but the FTC finalized a major overhaul in 2021 with most requirements taking effect in June 2023. Those updated requirements moved the Safeguards Rule from a vague set of principles to a prescriptive list of technical and organizational controls.
What Changed for 2026?
The core requirements haven’t been rewritten, but 2026 has brought a noticeable shift in enforcement intensity. The FTC has been pursuing more actions against auto dealers specifically, and the penalties reflect a regulator that’s done waiting.
Key developments dealers should be aware of:
- Increased enforcement actions targeting dealerships that failed to implement required controls after the 2023 deadline
- Higher scrutiny on incident response — the FTC is examining whether dealers actually test their plans or just have one on paper
- Multi-factor authentication (MFA) enforcement has become a primary audit focus
- Vendor management requirements are being examined more closely, particularly around DMS providers and third-party integrations
The message is clear: having a written security policy isn’t enough. The FTC wants to see that you’ve actually built the systems.
The Nine Required Controls Every Dealer Must Have
The amended Safeguards Rule spells out specific technical requirements. Here’s what your dealership needs to have in place:
1. Designate a Qualified Individual
Someone at your organization — or a qualified service provider — must be responsible for overseeing your information security program. This person needs actual authority and expertise, not just a title on an org chart.
2. Conduct a Written Risk Assessment
You need a documented risk assessment that identifies reasonably foreseeable internal and external threats to customer information. This isn’t a one-time exercise — it needs to be updated as your environment changes.
3. Implement Safeguards Based on Your Risk Assessment
The controls you deploy must actually address the risks you identified. Common safeguards include:
- Access controls limiting who can view customer financial data
- Encryption of customer information both in transit and at rest
- Multi-factor authentication for anyone accessing customer information on your systems
- Network segmentation separating customer-facing systems from internal networks
For dealerships running complex networks with DMS integrations, VoIP systems, and multi-location infrastructure, getting these controls right requires careful planning.
4. Regularly Monitor and Test Safeguards
You need either continuous monitoring or annual penetration testing combined with semi-annual vulnerability assessments. Many dealers default to the testing option, but continuous monitoring through a managed cybersecurity program often provides better protection and simpler compliance evidence.
5. Train Your Staff
Every employee who handles customer data needs security awareness training. This includes F&I staff, service writers with access to customer records, and anyone who uses your DMS.
6. Monitor Your Service Providers
If a third party has access to customer information — your DMS vendor, your CRM provider, your managed IT company — you’re responsible for ensuring they maintain appropriate safeguards too. This means contractual requirements and periodic assessment.
7. Keep Your Information Security Program Current
Your program must evolve as threats change, as you add new systems, and as your business operations shift. Review it at least annually.
8. Create an Incident Response Plan
You need a written plan for responding to security events. It must cover:
- Who’s responsible for what during an incident
- How you’ll contain and remediate the threat
- How you’ll notify affected customers and regulators
- Documentation and post-incident review procedures
9. Report to Your Board or Governing Body
Your Qualified Individual must provide a written report at least annually to your board of directors or equivalent governing body covering the overall status of your security program and any material incidents.
Where Dealers Are Getting Caught
Based on publicly available enforcement actions and industry patterns, these are the most common compliance gaps:
Unencrypted Customer Data
Dealerships handle Social Security numbers, credit applications, driver’s licenses, and financial records daily. If that data sits unencrypted on a shared drive or gets emailed in plain text between departments, you’re exposed.
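Finding where that unencrypted data actually lives is the first step. The following is an added example, not code from the original article: a small discovery scan that walks a shared drive, flags files containing Social Security number or Luhn-valid payment card patterns, and reports only file paths and hit counts (never the values), so the files can be moved behind encryption and access controls. The sample share, file names and values are constructed for the demonstration.

```python
"""Added example: locate files on a share that hold SSN-like or card-like data.
All file names and values below are constructed for illustration."""
import re
import tempfile
from pathlib import Path

# SSA rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by spaces or hyphens; validated by Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Count SSN-like and Luhn-valid card-like matches; values are never returned."""
    ssns = len(SSN_RE.findall(text))
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards += 1
    return {"ssn": ssns, "card": cards}

def scan_share(root: str, exts=(".txt", ".csv", ".log")) -> list:
    """Walk a share; return (relative path, counts) for files with any hits."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            counts = scan_text(path.read_text(errors="ignore"))
            if counts["ssn"] or counts["card"]:
                findings.append((path.relative_to(root).as_posix(), counts))
    return sorted(findings)

def demo() -> list:
    """Constructed sample share: one F&I credit-app export, one clean service note."""
    root = tempfile.mkdtemp()
    (Path(root) / "fi").mkdir()
    (Path(root) / "fi" / "credit_apps.csv").write_text(
        "name,ssn,card\nJane Doe,123-45-6789,4111 1111 1111 1111\n")
    (Path(root) / "service_notes.txt").write_text("Oil change, 45,000 miles\n")
    return scan_share(root)
```

Run `demo()` to see the export flagged and the service note ignored; in practice, point `scan_share` at a mounted share and feed the findings into the risk assessment.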
No MFA on Critical Systems
The Safeguards Rule explicitly requires multi-factor authentication for accessing customer information. Dealers who still rely on username-and-password-only access to their DMS, CRM, or email are out of compliance on day one of an audit.
Paper-Only Policies
Having a binder on a shelf labeled “Information Security Policy” doesn’t satisfy the FTC. They want evidence that policies are implemented, tested, and followed. If your last penetration test was two years ago or your incident response plan has never been exercised, that’s a finding.
Ignoring Vendor Risk
Your DMS provider probably has access to your most sensitive customer data. Your credit application integrations touch financial records in real time. If you haven’t assessed these vendors’ security practices and documented that assessment, you’re carrying risk you may not realize.
Flat Network Architecture
Many dealerships run everything on one network — customer Wi-Fi, F&I workstations, service department PCs, security cameras, and IoT devices all sharing the same infrastructure. Proper network segmentation is a fundamental requirement and one of the first things an auditor looks for.
Building a Compliance Roadmap
If you’re behind on compliance, here’s a practical sequence for getting current:
- Appoint your Qualified Individual — whether internal or through a managed IT partner
- Run a risk assessment — identify where customer data lives, who has access, and what controls exist today
- Close the critical gaps first — MFA, encryption, and access controls are the highest-priority items
- Implement monitoring — deploy endpoint detection, log management, and network monitoring
- Document everything — your policies, your controls, your testing results, your training records
- Test your incident response plan — run a tabletop exercise at minimum
- Schedule ongoing assessments — vulnerability scanning, penetration testing, and policy reviews on a recurring basis
For multi-location dealer groups, this process needs to account for each location’s unique network topology, local systems, and staff.
The Cost of Non-Compliance
FTC enforcement actions against auto dealers have resulted in consent orders requiring comprehensive security overhauls under FTC oversight — essentially putting your IT operations under federal supervision. The reputational damage and operational disruption often exceed the direct financial penalties.
Beyond FTC action, a data breach at a dealership can trigger state notification requirements, class action lawsuits, and loss of lender relationships. The cost of proactive compliance is a fraction of the cost of a breach response.
Frequently Asked Questions
Does the FTC Safeguards Rule apply to all auto dealerships?
Yes. Any dealership that handles consumer credit applications, leasing, or financing is considered a financial institution under the Gramm-Leach-Bliley Act. This includes franchised dealers, independent used car dealers, and buy-here-pay-here operations. If you’re facilitating consumer financing in any form, the rule applies to you.
Can I outsource the Qualified Individual role to my IT provider?
Yes. The amended rule explicitly allows the Qualified Individual to be an employee of a service provider rather than your own staff. However, your dealership retains ultimate responsibility for compliance. You need to ensure the person or firm you designate has the expertise and access to genuinely oversee your security program — not just rubber-stamp it.
How often do I need to conduct penetration testing?
If you opt for periodic testing instead of continuous monitoring, the rule requires penetration testing annually plus vulnerability assessments every six months. However, you should also test after significant changes to your network or systems, such as a DMS migration, new location buildout, or major infrastructure upgrade.
What’s the first step if we haven’t started compliance yet?
Start with a gap assessment. Bring in a qualified IT security partner who understands dealership technology environments and can evaluate your current state against the Safeguards Rule requirements. That assessment becomes your roadmap for prioritizing the controls you need to implement. Don’t try to boil the ocean — focus on the highest-risk gaps first and build from there.