FTC Safeguards Rule Compliance

Is Your Dealership Compliant?

The FTC requires every dealership that arranges financing or leasing to maintain a comprehensive information security program with 9 specific elements. Most dealerships are missing 6 or more.

  • 56+ dealerships scanned
  • 8.3 average issues found
  • 92% missing email authentication
  • 4 weeks to full compliance

The Stakes Are Real

  • $100K per violation: FTC penalty against the dealership
  • $10K personal liability: per violation for officers and directors
  • 30 days breach reporting: to notify the FTC of a data breach (500+ consumers)

The FTC Safeguards Rule (16 CFR Part 314) was amended in December 2022 with 9 specific, measurable requirements. A breach notification requirement was added in May 2024. Every dealership that arranges financing or leasing is classified as a financial institution under the Gramm-Leach-Bliley Act—and must comply.

The CDK Global ransomware attack in June 2024 took 15,000 dealerships offline for weeks. Cyber insurers are now requiring compliance documentation for policy renewals. FTC enforcement against non-banking financial institutions is increasing.

What We Find in Every Scan

Real findings from recent dealership compliance scans.

Missing Security Headers [HIGH]

No Content-Security-Policy, X-Frame-Options, or HSTS headers. Leaves customers vulnerable to clickjacking and man-in-the-middle attacks.

SSL/TLS Failures [CRITICAL]

Expired certificates, mixed content, or no HTTPS at all. Customer data transmitted in plain text over public networks.

Missing Email Authentication [HIGH]

No SPF, DKIM, or DMARC records. Attackers can send phishing emails impersonating your dealership domain.

No Privacy Policy or Outdated Policy [MEDIUM]

Missing GLBA-required disclosures, or privacy policies that haven't been updated since the 2022 Safeguards amendments.

Third-Party Script Exposure [MEDIUM]

Chat widgets, analytics, and lead forms loading scripts from 15+ external domains with no Content Security Policy.

Credit Application Vulnerabilities [CRITICAL]

Online credit applications processing SSNs and financial data without adequate transport security or form protection.
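The security-header and email-authentication findings above can be checked against a dealership's own site before a scan. The following Python is an added example, not FifthSuit's scanner: it evaluates a captured set of HTTP response headers for CSP, X-Frame-Options and HSTS, and a domain's DNS TXT records for an SPF record (and the strictness of its `all` qualifier) and a DMARC record (and whether its `p=` policy actually blocks spoofed mail). The site names, headers and DNS records are constructed sample data; the 180-day HSTS threshold is an assumed audit minimum, not a figure from the page.

```python
"""Offline checks for two common scan findings: missing HTTP security headers
and missing/weak SPF and DMARC records. Added example with constructed inputs."""
import re
from typing import List, Mapping, Sequence

MIN_HSTS_MAX_AGE = 15552000  # 180 days; an assumed audit minimum, not a page figure


def check_security_headers(headers: Mapping[str, str]) -> List[str]:
    """Return findings for one HTTP response. Header names compare case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    # Clickjacking defence: X-Frame-Options, or the CSP frame-ancestors directive
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp):
        findings.append("missing X-Frame-Options (and no CSP frame-ancestors)")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below %d seconds" % MIN_HSTS_MAX_AGE)
    return findings


def check_spf(txt_records: Sequence[str]) -> List[str]:
    """Evaluate the TXT records at the apex domain for an SPF policy."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (RFC 7208 requires exactly one)"]
    terms = spf[0].split()
    # The qualifier on the 'all' mechanism decides what happens to unlisted senders
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ["SPF has no 'all' mechanism; unlisted senders are neutral"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "-":
        return []
    if qualifier == "~":
        return ["SPF ends in ~all (softfail); -all is stricter"]
    return ["SPF ends in %sall, which permits any sender" % qualifier]


def check_dmarc(txt_records: Sequence[str]) -> List[str]:
    """Evaluate the TXT records at _dmarc.<domain> for a DMARC policy."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    policy = tags.get("p", "").lower()
    findings = []
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC p=%s does not block spoofed mail" % (policy or "<missing>"))
    if "rua" not in tags:
        findings.append("DMARC has no rua= aggregate-report address")
    return findings


# Constructed sample input: what a scan would collect for two hypothetical domains
SAMPLE_SITES = {
    "weak-dealer.example": {
        "headers": {"Content-Type": "text/html", "Server": "nginx"},
        "txt": ["v=spf1 include:_spf.example.net ~all", "site-verification=abc123"],
        "dmarc_txt": [],
    },
    "hardened-dealer.example": {
        "headers": {
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Frame-Options": "DENY",
        },
        "txt": ["v=spf1 ip4:203.0.113.10 -all"],
        "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened-dealer.example"],
    },
}


def scan_site(name: str) -> dict:
    """Run all three checks over one sample site and group findings by category."""
    site = SAMPLE_SITES[name]
    return {
        "headers": check_security_headers(site["headers"]),
        "spf": check_spf(site["txt"]),
        "dmarc": check_dmarc(site["dmarc_txt"]),
    }


if __name__ == "__main__":
    for site_name in SAMPLE_SITES:
        report = scan_site(site_name)
        print(f"{site_name}: {sum(len(v) for v in report.values())} finding(s)")
        for category, items in report.items():
            for finding in items:
                print(f"  [{category}] {finding}")
```

To use this on a live site, collect the headers with any HTTP client and the TXT records for the apex domain and for `_dmarc.<domain>` with a DNS resolver, then pass them to the same functions. A DKIM check is deliberately not included: DKIM selectors are not discoverable from the zone alone, so it needs a sample message header to locate the `s=` selector first.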

The 9 FTC Requirements

Miss even one and your dealership is exposed. We handle all nine.

1. Qualified Individual: A designated person responsible for your security program
2. Written Risk Assessment: Formal evaluation identifying and scoring your security risks
3. Documented Safeguards: Access controls, encryption, MFA, data disposal, change management
4. Testing & Monitoring: Annual penetration testing and semi-annual vulnerability assessments
5. Employee Training: Security awareness training for all staff, annually
6. Vendor Oversight: Security assessments and contractual requirements for service providers
7. Evaluate & Adjust: Process to update the program when operations change
8. Incident Response Plan: Written procedures for detecting, responding to, and reporting breaches
9. Annual Board Report: Written report from the QI to the dealer principal or board

Complete Compliance Program

Customized to your dealership, your DMS, and your operations. Not a generic template.

Documentation Package

  • Written Information Security Program (WISP) — 25-35 page master document
  • Risk Assessment Report — 9-domain evaluation with scoring
  • Qualified Individual Charter — formal QI designation
  • 7 Supporting Policies — access control, incident response, vendor management, and more
  • Operational Forms — vendor questionnaire, incident report, employee acknowledgment
  • Annual Board Report Template
  • State-specific compliance supplement

Ongoing Managed Service

  • We serve as your designated Qualified Individual
  • Quarterly compliance monitoring against WISP requirements
  • Annual risk assessment — full 9-domain reassessment
  • Annual board report delivered to the Dealer Principal
  • Policy updates for regulatory and operational changes
  • Employee training coordination and phishing simulations
  • Audit prep support — FTC, insurer, or lender audits
  • Incident response guidance if a security event occurs

How It Works

1. Free Scan (5 minutes): We scan your website for compliance issues, security gaps, and email authentication problems.
2. Discovery Call (45-60 min): We learn your setup — DMS, network, processes, team structure.
3. Customization (2-3 weeks): We build the entire documentation package, customized to your operations.
4. Ongoing Service (monthly): QI services, quarterly checks, annual assessments, audit prep, support.

Investment

Single Location (one rooftop, complete program)

  • $3,500 one-time setup
  • + $750/month managed service
  • Year 1: $12,500
  • Year 2+: $9,000/year

Multi-Location (multiple rooftops, unified program) — Most Popular

  • $5,500 one-time setup
  • + $1,000/month managed service
  • Year 1: $17,500
  • Year 2+: $12,000/year

Documentation Only (complete package, self-managed)

  • $5,000 one-time
  • No monthly fee
  • Total: $5,000
  • QI services not included

All packages include implementation support. Monthly service is month-to-month with 30-day cancellation.

Why FifthSuit

Feature | Generic SaaS | Big Consultants | FifthSuit
Customized to your operations | | |
Serve as your Qualified Individual | | |
DMS-specific documentation | | |
Ongoing program management | | |
Employee training materials | | |
Incident response support | | |
Right-sized pricing | | |
Typical cost | $200–500/mo | $15K–50K | $3,500 + $750/mo

What a Typical Engagement Looks Like

  • $180M annual revenue
  • 3 locations
  • 13 compliance issues

Key Findings:

  • 5 missing security headers across all customer-facing properties
  • SSL certificate misconfigured on one subdomain (credit application portal)
  • No DMARC record — domain vulnerable to email spoofing
  • Privacy policy last updated 2019 (pre-Safeguards amendment)
  • 22 third-party scripts loading without Content Security Policy
  • No documented WISP, QI designation, or incident response plan

Outcome: Full compliance program delivered in 3 weeks. All technical findings remediated. WISP, risk assessment, and incident response plan customized to their CDK DMS and 3-location network. Qualified Individual services ongoing.

Free Compliance Scan

See Where You Stand in 30 Seconds

Enter your dealership’s website below. We’ll scan it for FTC compliance issues, email spoofing vulnerabilities, third-party data leaks, and privacy gaps—instantly.

Website Security

SSL/TLS configuration, security headers, third-party script audit, CMS vulnerabilities

Email Authentication

SPF, DKIM, DMARC records—can attackers send emails as your domain?

Data Practices

Privacy policy, cookie consent, GLBA compliance, credit application security

Free scan. No signup required. Results in under 30 seconds.

Tell Us About Your Dealership

Complete a short assessment and we’ll send you a personalized report.

FTC Compliance Intake

Map your current security posture against the FTC Safeguards Rule. Covers tech stack, data handling, staff training, and existing controls.

Start Compliance Assessment

AI Readiness Assessment

Discover where AI and automation can cut costs and eliminate bottlenecks in your operation.

Start AI Assessment

Get Compliant in 4 Weeks

Schedule a call or start with a free scan. We’ll tell you exactly where you stand and what it takes to close the gaps.