A Guide to the Changes Brought by the GLBA Safeguards Rule for Auto Dealerships

In today’s digital era, data security and safeguarding consumers’ nonpublic personal information (NPI) are of utmost importance. Auto dealerships engaged in financial activities, such as providing financing or leasing options, are considered financial institutions and must comply with the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. Compliance with the Safeguards Rule necessitates the establishment and maintenance of a robust information security program to protect customer NPI. In this article, we will explore six key components of the GLBA Safeguards Rule for auto dealerships, emphasizing their significance in ensuring data security, complying with regulations, and enhancing customer trust.

Designation of a Security Program Coordinator

Compliance with the GLBA Safeguards Rule entails the designation of one or more employees as security program coordinators within auto dealerships. These individuals play a pivotal role in overseeing the dealership’s information security program and ensuring compliance with the regulations. They act as a primary point of contact for security-related concerns and coordinate the implementation of security measures.

By designating a security program coordinator, auto dealerships establish a clear chain of responsibility and accountability for information security. The coordinator collaborates closely with other employees, management, and service providers to ensure the implementation of adequate safeguards to protect customer NPI. Additionally, they serve as a liaison with federal agencies, such as the Federal Trade Commission (FTC), to stay updated on any amendments or specific requirements related to data protection in the financial services industry.

Risk Assessment

A comprehensive risk assessment is an essential component of GLBA compliance for auto dealerships. It involves identifying and evaluating potential security risks, both internal and external, to the confidentiality, integrity, and availability of customer NPI.

Auto dealerships must conduct a thorough risk assessment, considering factors such as employee training and management, information systems, and relationships with service providers. This assessment helps identify vulnerabilities and develop effective strategies to mitigate risks.

To stay informed about evolving security risks, auto dealerships should regularly review and update their risk assessments. Technological advancements and emerging threats necessitate proactive identification and mitigation of risks. By conducting periodic risk assessments, auto dealerships can align their information security program with current cybersecurity best practices and regulatory requirements.

Information Security Program

The GLBA Safeguards Rule mandates that auto dealerships develop and implement a written information security program tailored to their specific risks. This program should address the risks identified through the risk assessment and include policies and procedures to safeguard customer NPI.

Auto dealerships must implement a range of security measures within their information security program, considering factors such as employee training, access controls, secure storage practices, encryption methods, and ongoing monitoring of systems. Each dealership should determine which security practices are most appropriate based on its unique circumstances and risks.

Employee Training and Management

Employee training plays a crucial role in an effective information security program. Auto dealerships must provide comprehensive training to employees with access to customer NPI, ensuring their understanding of information security policies and procedures. This training helps establish a culture of data security and empowers employees to fulfill their responsibilities in protecting customer information.

Auto dealerships should also establish an incident response plan as part of their information security program. This plan outlines the steps to be taken in the event of a data breach or other security incident. It includes procedures for containing the incident, notifying affected individuals, and cooperating with federal agencies such as the FTC in compliance with incident reporting requirements.

Regular Evaluation and Adjustments

Auto dealerships must regularly evaluate and adjust their information security program to ensure its effectiveness in light of evolving technology, emerging security threats, and changes in regulations. Regular evaluation allows dealerships to identify any gaps or weaknesses in their security measures and take corrective actions promptly.

Continuous monitoring and testing of security systems, processes, and controls enable auto dealerships to detect vulnerabilities or potential breaches and address them proactively. By staying vigilant and responsive to changes in the threat landscape, dealerships can adapt their security measures and ensure the ongoing protection of customer NPI.

Oversight and Compliance of Service Providers

Auto dealerships must ensure ongoing oversight and compliance with the GLBA Safeguards Rule. This includes regular evaluation and adjustments of the information security program based on changes in technology, security risks, and regulatory requirements.

The board of directors or management should actively participate in overseeing the information security program. They should review the program’s effectiveness, allocate resources appropriately, and address any identified gaps or weaknesses.

Additionally, auto dealerships engaging service providers that have access to customer NPI must exercise proper oversight. This entails evaluating the security practices of service providers, selecting those capable of maintaining appropriate safeguards, and contractually requiring them to do so.

Information sharing and collaboration within the industry are also crucial for enhancing data security. Auto dealerships can benefit from participating in relevant industry forums, sharing best practices, and staying informed about emerging threats and security practices.

Complying with the GLBA Safeguards Rule is essential for auto dealerships engaged in financial activities to protect customer NPI and maintain regulatory compliance. By designating a security program coordinator, conducting comprehensive risk assessments, implementing safeguards, providing employee training, and ensuring ongoing oversight, auto dealerships can establish a robust information security program.

Furthermore, staying informed about amendments, specific requirements, and additional guidance provided by federal agencies like the FTC is critical. By prioritizing data security and diligently adhering to the GLBA Safeguards Rule, auto dealerships can inspire customer trust, safeguard sensitive financial information, and maintain a strong reputation within the industry.

Frequently Asked Questions

What are the key requirements of the GLBA Safeguards Rule?

Designation of a Security Program Coordinator
Risk Assessment
Information Security Program
Employee Training and Management
Regular Evaluation and Adjustments
Oversight of Service Providers

How does the GLBA Safeguards Rule help protect consumer data?

The GLBA Safeguards Rule helps protect consumer data by establishing requirements and guidelines for financial institutions, including auto dealerships, to develop and maintain comprehensive information security programs. By implementing these programs, financial institutions are better equipped to safeguard customer nonpublic personal information from unauthorized access, use, or disclosure.

What specific steps do financial institutions need to take to comply with the GLBA Safeguards Rule?

They need to designate a Security Program Coordinator to oversee the information security program and conduct a comprehensive risk assessment to identify and evaluate risks. Financial institutions must develop and implement a written data security program that includes policies and procedures to safeguard customer NPI, provide comprehensive employee training, and exercise oversight of employees and service providers. They must also regularly evaluate and adjust the program. By following these steps, financial institutions can establish a robust data security program, protect customer NPI, and demonstrate compliance with the GLBA Safeguards Rule.