← Back to Compliance Insights

July 5, 2026  ·  Jonah Gobah

What the FTC Safeguards Rule Actually Requires — Plain English for Independent Dealers

Let me be straight with you.

Most of what's been written about the FTC Safeguards Rule was written by lawyers, for lawyers. Long sentences. Footnotes. References to subsections of subsections. By the time you finish the third paragraph, you've forgotten what you were trying to figure out in the first place.

That's not what this is.

This is for the dealer who's got twelve cars on the lot, two salespeople, and a finance manager who's been handling paperwork the same way since 2009. You heard something about an FTC rule. Maybe a buddy mentioned it. Maybe someone at the auction brought it up. You're not sure if it applies to you or what you're supposed to do about it.

It applies to you. And here's what you're supposed to do about it.


First — What Is the FTC Safeguards Rule?

The Gramm-Leach-Bliley Act has been around since 1999. The FTC used it to create rules about how financial institutions handle customer data. For a long time, dealers mostly ignored it. It felt like a big-bank problem.

Then 2023 happened. The FTC updated the rule — significantly — and made it crystal clear that auto dealerships are financial institutions under this law. If you collect a customer's name, address, Social Security number, credit application, income info — and you do — you are subject to the Safeguards Rule. Full stop.

The new requirements went into effect June 9, 2023. There's no grace period left. There's no "we're still figuring it out" window. It's been in effect for over a year.

And the penalties? Up to $50,120 per violation, per day.


So What Does It Actually Require?

Here's where people get lost. The rule is long. But when you strip it down, it really asks you to do nine things.

1. Designate a Qualified Individual

Someone at your dealership needs to be responsible for your information security program. That's it. It doesn't have to be a full-time IT person. It can be you, your office manager, your controller. But somebody has to own it — and you have to document who that person is.

2. Conduct a Risk Assessment

You need to sit down and think — honestly — about where customer data lives in your business. Paper files in the back office? Your DMS? Email? An old spreadsheet somebody built in 2015? You have to identify the risks and write them down.

3. Implement Safeguards

Based on your risk assessment, you implement controls. Encryption where it makes sense. Access controls so not everyone can pull up a customer's full credit file. Password policies. The rule gives you flexibility here — it's based on the size and complexity of your operation — but you have to actually do something.

4. Oversee Your Service Providers

Every vendor who touches customer data — your DMS provider, your F&I software company, your CRM — needs to be vetted. You need contracts that require them to protect the data. You need to know who they are and what they have access to.

5. Keep Your Program Current

This isn't a one-and-done deal. You have to evaluate your program regularly, especially when something changes — new software, new employees in key roles, a security incident, a new regulation.

6. Train Your Employees

Your team needs to know the basics. What's a phishing email? What do you do if you think customer data was compromised? Training doesn't have to be elaborate, but it has to happen and you have to document it.

7. Develop an Incident Response Plan

If something goes wrong — a data breach, a ransomware attack, an employee emailing a credit app to the wrong person — you need a written plan for what happens next. Who do you call? What do you tell affected customers? How do you notify the FTC if required?

8. Monitor and Test

You need to test your safeguards periodically. That might mean checking that your system access logs are working, testing whether your staff can identify a phishing attempt, or reviewing who still has access to data they no longer need.

9. Create a Written Information Security Program (WISP)

This is the one that trips people up most. All of the above — the risk assessment, the controls, the training, the vendors, the incident plan — has to live in a written document. The WISP isn't a form you fill out once. It's a living document that describes how your dealership handles information security.

The FTC wants to see evidence that you have a program. Not good intentions. A program.


What Happens If You Don't Have One?

The honest answer is: nothing might happen for a while. The FTC isn't knocking on every small dealer's door tomorrow.

But here's the thing about regulatory enforcement — it tends to come at the worst possible moment. After a breach. After a customer complaint. After a data incident that's already embarrassing and expensive. At that point, not having a WISP doesn't just mean a fine. It means you had no program, no training, no plan, and now you're explaining that to regulators and potentially to a class action attorney.

Independent dealers are also less likely to have the legal team that helps franchise groups navigate those moments. You're more exposed, not less.


What Should You Do Right Now?

Three things.

Start with the written program. Get a WISP in place. It doesn't have to be 100 pages. It has to be accurate, specific to your dealership, and signed by someone with authority. That document is your foundation.

Document your risk assessment. Walk through where customer data lives. Write it down. Date it. Sign it.

Train your team. Even one 30-minute session, documented with a sign-in sheet, puts you miles ahead of dealers who have done nothing.

If that sounds like a lot to figure out on your own — it is. That's not a knock on you. Most dealers didn't go into business to become compliance officers. You went into business to sell cars.

That's exactly why Sterling Safeguard exists.


Sterling Safeguard Was Built for This

Sterling Safeguard is an FTC Safeguards Rule compliance platform built specifically for independent auto dealerships. Not for franchise groups with legal departments. Not for enterprise dealers with six-figure compliance budgets. For you.

We give you a complete written information security program — generated in minutes, tailored to your dealership. A risk assessment tool. Employee training with tracking. Vendor management. An evidence vault. And the Sterling Safeguard Verified™ seal, so you can show your customers — and regulators — that you take this seriously.

One platform. One law. Done right.


Jonah Gobah is the founder of Sterling Safeguard LLC, an FTC Safeguards Rule compliance platform based in Charlotte, NC. He is a Certified Information Systems Auditor (CISA) and Senior Compliance Analyst with over a decade of experience in GRC, IT audit, and risk management.

Sterling Safeguard

Ready to get your dealership FTC compliant?

Sterling Safeguard gives you everything you need — written security program, risk assessments, employee training, and the Verified™ seal — without hiring a consultant or a law firm.

Get Started →More Articles