If you finance or arrange leases on the cars you sell, the federal government already considers your dealership a financial institution. That is not a figure of speech. It is the legal reason the FTC Safeguards Rule applies to you, whether you have heard of the rule or not.
Most independent and used-car lot owners only learn the term when an insurer, a regulator, or a worried CPA brings it up. By then the question is no longer "does this apply to me" but "how far behind am I." This is the plain-English version: what the rule is, why a car lot counts, the nine things it requires, and what most small dealers are missing right now.
Why a car lot counts as a financial institution
The Safeguards Rule comes out of the Gramm-Leach-Bliley Act, the same law that governs how banks protect customer data. The FTC has been clear in its guidance for auto dealers: most dealerships that finance or lease vehicles are financial institutions under the rule, because arranging credit is a financial activity.
You do not have to be a bank. You just have to handle the kind of customer information a financing deal generates: Social Security numbers, driver's license details, bank and income information, credit applications. If a customer has ever filled out a credit app on your lot, you are holding exactly the data the rule is written to protect. That is the whole trigger.
Size does not exempt you. A single-rooftop used-car lot is covered the same way a twenty-store group is. The rule does not care how big you are. It cares whether you handle customer financial information. If you arrange financing, you do.
The nine FTC Safeguards Rule elements, in plain English
The FTC requires a written information security program built around nine elements. Here they are without the legal language.
- Name someone in charge. Designate a qualified individual to run your security program. It can be a staff member or a partner you bring in, but one named person owns it.
- Do a written risk assessment. Write down where customer data lives, how it could be exposed, and what you are doing about it.
- Put real safeguards in place. This is the technical core: control who can access data, encrypt sensitive information, use multi-factor authentication, and securely dispose of records you no longer need.
- Test what you put in place. Monitor your systems continuously, or run regular vulnerability scans and penetration tests. A control you never check is a control you cannot trust.
- Train your people. Your staff are the front line. They need security awareness training, because most breaches start with a person, not a server.
- Vet your vendors. The companies that touch your data (your DMS, your CRM, your IT help) have to be held to the same standard, in writing.
- Keep the program current. Reassess as your business and the threats change. This is not a one-time binder.
- Have a written incident response plan. Decide in advance who does what when something goes wrong, before it goes wrong.
- Report to leadership. The person in charge reports regularly to ownership on how the program is performing.
There is one more obligation worth knowing even though it sits alongside the nine: since 2023, covered dealers must notify the FTC within 30 days of discovering a breach that affects 500 or more people. That clock is short, and it starts whether or not you were ready for it.
What most dealers are missing today
In practice, most small lots have pieces, not a program. They have antivirus on the computers and a password on the Wi-Fi, and they assume that covers it. It does not. The gaps we see most often:
- No named owner of security, so nothing is actually supervised.
- No written risk assessment, so there is no document to show a regulator or an insurer.
- Multi-factor authentication missing on email and the DMS, which is the control underwriters ask about first.
- No incident response plan, so a bad morning becomes a bad month.
- Vendors who were never vetted, on contracts that never mention security.
None of these are exotic. They are just nobody's job at a busy dealership where the owner is selling cars, not running IT.
What a compliant program actually looks like
A compliant program is not a product you buy once. It is something that runs every month: someone monitoring your systems, MFA enforced, backups tested, staff trained, the risk assessment kept current, and documentation ready the day an insurer or regulator asks. The written part matters as much as the technical part, because compliance is something you have to be able to prove, not just something you have to do.
For most independent dealers, the realistic path is not building a security team of your own. It is having one. Flynaut becomes your IT and security team: we build the written program, put the controls in place, monitor them, and keep the documentation current, so the rule is handled and you can get back to the lot.
A note on scope: we are not your lawyers, and this is not legal advice. Confirm your specific obligations with counsel. What we do is build and run the program that satisfies them.
One next step
If you are not sure where your dealership stands, find out before an insurer or a regulator tells you.
Book a free FTC Safeguards readiness check. We will walk your current setup against the nine elements and show you exactly what is in place and what is missing, with no obligation.
Sources & notes
FTC, "Automobile Dealers and the FTC's Safeguards Rule: Frequently Asked Questions"; FTC, "FTC Safeguards Rule: What Your Business Needs to Know"; 16 C.F.R. Part 314.