The Gramm-Leach-Bliley Act (GLBA) requires financial institutions (i.e., companies that offer consumers financial products or services like loans, financial or investment advice, or insurance), to explain their information-sharing practices to their customers and to safeguard sensitive data. This legislation went into effect in 1999 to reform the financial services industry.

In May 2022, a revision was made pertaining directly to automotive dealerships, adding dealerships to the financial institution list.

Auto dealerships are now required to follow the GLBA because they collect personal information from customers when they extend credit to purchase or lease vehicles. The change requires more work for the dealerships but creates more protection for customers, and therefore, more trust in the dealerships. 

The “Safeguards Rule”, a key component of the GLBA, requires relevant companies to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.

Important requirements of the Safeguards Rule include:

• Risk Assessments
• Implement Safeguards
• Written Security Plan
• Regular Monitoring
• Assign Qualified Personnel
• Employee Training 

It is essential that dealerships have plans and programs in place to protect their clients’ data. In addition to losing a client’s trust, a data breach could cost a company up to $46,517 in fines. One major component of GLBA compliance is that if any private information is going to be shared between financial institutions and third parties, customers must receive a notification about it and can also opt out.

To shield customers’ personal data, dealerships are required to:

• Implement a comprehensive information security program and designate an individual to oversee that program
• Encrypt all sensitive information
• Limit, and monitor who can access sensitive customer information
• Implement an incident response plan
• Train security personnel
• Periodically assess the security practices of service providers

Cybersecurity must be top of mind for all businesses, especially those falling under the GLBA  guidelines.  Third Wave Innovations has solutions to ensure organizations are equipped to meet these requirements. Here are some important services that help companies comply with the regulations:

• Multi-Factor Authentication—This involves presenting two or more credentials to boost security and add another layer of protection.
• Email Security & Security Awareness Training – Education is key to ensuring all employees are educated, and consistently working toward the same cybersecurity goals.
• Managed Security Operations – Using external cybersecurity professionals who monitor the company’s IT network, devices, and applications.

Schedule an initial assessment to learn how Third Wave Innovations can ensure that you’re meeting GLBA requirements.