The FTC Safeguards Rule in 2026: What Auto Dealers Are Still Getting Wrong
Three years after the amended rule took effect, dealers are still failing on the same four controls. Here's what enforcement looks like — and what to actually implement.
If you sell cars and finance them, the FTC Safeguards Rule applies to you. That part isn't new. What's new is that the FTC is now actively pursuing non-compliance — and the dealers being penalized aren't ignoring the rule. They thought they were compliant.
We've reviewed posture for a dozen dealers in CT, NY, and NJ over the last year. The same four gaps show up every time.
The four gaps we see in every audit
1. The "qualified individual" who isn't. The rule requires you to designate one person responsible for implementing and overseeing your information security program. Most dealers point to their outsourced IT vendor. That is allowed, but only if the contract explicitly assigns the role, the vendor produces the annual written report to ownership, and you name a senior employee on your side to direct and oversee that vendor. The rule leaves the compliance obligation with the dealer, not the service provider. If the arrangement is a handshake, you don't have a qualified individual. You have a help desk.
2. Risk assessments treated as paperwork. A written risk assessment isn't a one-page PDF that says "we use a firewall." It must identify foreseeable internal and external threats to the confidentiality, integrity and availability of customer information, state the criteria you use to rate likelihood and impact, and explain how each safeguard mitigates (or why you accept) a specific identified risk. It also has to be revisited periodically, not filed once. Most templates floating around don't pass this bar.
3. MFA on the wrong things. The rule requires MFA for anyone accessing any information system that holds customer information or is connected to one. Dealers usually enable MFA on email and call it done. The DMS (Reynolds, CDK, Dealertrack), the credit pull tools, the F&I menu software, the VPN, the backup admin console: these are in scope. The one carve-out is that the qualified individual may approve, in writing, an access control that is reasonably equivalent or more secure; undocumented exceptions are not exceptions.
The rule itself does not name permitted factor types beyond knowledge, possession and inherence, so SMS codes are not explicitly prohibited. They are the weakest choice, though: SMS and email one-time codes can be phished in real time and SMS is exposed to SIM swapping, which is why NIST SP 800-63B treats SMS delivery as a restricted authenticator. Treat them as a stopgap, not the target state. An authenticator app (TOTP) is a clear step up but is still phishable; FIDO2/WebAuthn security keys and platform authenticators (Windows Hello, Touch ID, passkeys) are the phishing-resistant option and should be the default wherever the application supports them.
4. No documented incident response plan. Not a generic template. A plan that names the qualified individual, defines what triggers escalation, and spells out the notification obligation: if unencrypted customer information of 500 or more consumers is acquired without authorization, the FTC must be notified as soon as possible and no later than 30 days after discovery, on top of whatever state breach-notification law applies (CT, NY and NJ each have one). The plan should also have been exercised at least once. If you can't produce a tabletop exercise from the last twelve months, the plan isn't real.
What enforcement looks like now
The FTC's 2024–2025 settlements with non-bank financial institutions made the pattern clear: the complaints turn on how many consumer records were exposed and on what the institution had actually done before the incident. Dealers who can show a real, tested program get treated very differently from dealers whose first-ever risk assessment was completed the week after the breach.
The minimum viable path
If you're starting from a cold position, prioritize in this order:
- Designate the qualified individual in writing — internal or vendor.
- Inventory every system that touches non-public personal information.
- Enforce MFA on every one of those systems (not just email), phishing-resistant wherever the application supports it, and put any exception in writing from the qualified individual.
- Document a risk assessment that maps controls to specific threats.
- Run one tabletop exercise and write up the gaps it surfaced.
Everything else (encryption-at-rest verification, vendor due diligence, the annual board-level report) slots in once the foundation is real. One caveat on scope: the written risk assessment, incident response plan, annual report and continuous-monitoring requirements apply once you hold customer information on 5,000 or more consumers, a threshold almost any dealer with a few years of deal jackets clears.