FTC Safeguards Rule Auto Dealership Compliance: What the 2025 Guidance Actually Requires


Where most dealership compliance programs end is where the FTC’s 2025 guidance expects them to begin.

FTC Safeguards Rule auto dealership compliance has been a legal obligation for dealerships arranging or facilitating consumer financing since June 2023. What changed in June 2025 is that the FTC released its first set of Frequently Asked Questions specifically written for auto dealerships – addressing how the rule applies to OEM relationships, third-party vendor access, and consumer data handling in dealership environments. For dealerships operating under the assumption that auto dealership FTC Safeguards Rule 2025 requirements were broadly satisfied by their 2023 compliance program, those FAQs raise questions worth examining carefully.

The central issue the guidance clarifies is one that many dealership compliance programs have not fully addressed: the Safeguards Rule does not merely require a written information security program that existed at some point in time. It requires one that functions as an accurate description of the controls the dealership actually operates today. Those are two different things – and the gap between them is where most compliance exposure lives.

What the 2025 FTC Guidance on FTC Safeguards Rule Auto Dealership Compliance Added

The FTC’s June 2025 FAQ document for auto dealerships addressed several areas that dealerships had been navigating with limited specific guidance. Three are particularly consequential for how dealerships manage their compliance programs in practice.

First, OEM relationships. The guidance clarified that OEM-mandated platforms and connections are not exempt from the Safeguards Rule’s vendor oversight requirements simply because participation is compelled by the manufacturer. Dealerships are required to assess OEM service providers under the same framework that applies to any third party with access to customer information – which includes understanding what information those providers access, how they protect it, and whether contractual security provisions are in place.

Second, combined databases. Many dealerships maintain unified databases containing both customer information that triggers Safeguards coverage and other contact data that does not. The guidance addressed how those combined data environments should be treated – specifically that the presence of covered customer information in a shared database extends Safeguards requirements to how that database is managed, accessed, and secured, even for portions of the data that would not independently trigger coverage.

Third, service provider access and MFA. The guidance confirmed that the Safeguards Rule’s MFA requirement extends to service providers accessing the dealership’s information systems – not only to internal staff. Where a DMS vendor, OEM connection, or third-party platform accesses dealership systems containing customer information, MFA or an equivalent control is required. This is an area where many dealerships have relied on vendor-side representations rather than independently governing the access pathway.

Why Most Dealership Information Security Programs Do Not Satisfy What They Document

A dealership information security program written to satisfy the 2023 compliance deadline describes an environment that existed, or was intended to exist, at the time it was written. The Safeguards Rule does not require a static document. It requires a program that reflects how the dealership’s actual IT environment operates at any given point in time.

In practice, the gap between the written program and the operational environment tends to open through accumulation rather than intention. Staff change. Systems are added. Vendors rotate. DMS configurations are updated by the vendor without triggering a formal review of the access controls that were configured around the previous version. The access rights documented in the written program no longer match who actually has access to what. The vendor list no longer reflects the third parties who currently interact with customer data. The incident response procedures reference a system that was replaced twelve months ago.

None of this represents deliberate non-compliance. It represents the predictable consequence of treating a dealership information security program as a project that concluded rather than a function that continues. The FTC’s enforcement posture, which has been active since 2023 and was reinforced through the 2025 FAQ release, makes clear that the adequacy of a compliance program is evaluated against the environment that currently exists – not the one that existed when the program was written.

What Operational Compliance Actually Requires

For dealerships that have not revisited their program since the 2023 compliance deadline, operational compliance means maintaining the controls the rule specifies in a condition that reflects the current environment – not periodically confirming that they were once in place.

In practical terms, this means several things that written compliance programs often do not govern consistently.

Access governance that reflects current staff

The Safeguards Rule requires access controls based on the principle of least privilege – meaning staff should only access the customer information necessary for their specific role. In a dealership environment with regular staff turnover, that requirement needs to be maintained as a continuous function. Permissions accumulated by staff who have changed roles, transferred to different departments, or left the dealership entirely do not remain compliant simply because they were appropriate when originally granted. Access reviews need to happen on a defined cycle, not only when a breach prompts one.

Vendor oversight that covers current relationships

The Safeguards Rule requires dealerships to ensure that service providers with access to customer information maintain appropriate safeguards and that security requirements are reflected in contracts. The vendor landscape at a dealership is not static. DMS support agreements, OEM platform connections, financing portals, and third-party service providers change over time. The vendor oversight program needs to reflect the relationships that currently exist – including the OEM relationships that the 2025 FAQ guidance specifically addressed.

MFA that is actually enforced

Requiring MFA in a written policy and enforcing it consistently across all access pathways to customer information systems are not the same condition. The 2025 FTC guidance confirmed that MFA requirements extend to service provider access, not only internal staff. Where DMS vendor remote access, OEM platform connections, or third-party financing portals access systems containing customer information without MFA or an equivalent control in place, the written policy does not satisfy the regulatory requirement.
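The three controls just described (least-privilege access that tracks current staff, a vendor inventory that tracks current relationships, and MFA on every pathway into systems holding customer information) can all be checked the same way: compare what the written program says against an export of who can actually reach what today, and report the differences. The script below is an added illustration of that reconciliation, not code from the article or from any DMS or compliance vendor. The role entitlements, vendor inventory, and account records are constructed sample data standing in for a dealership's written program and an export from its identity or DMS administration console; the finding labels are this example's own.

```python
"""Drift check between a dealership's written Safeguards program and its live
environment. Constructed sample data throughout; finding labels are hypothetical."""
from dataclasses import dataclass, field
from typing import Optional, List, Set, Tuple

# --- What the written program documents (constructed) ---
# Least-privilege baseline: role -> systems that role is permitted to access.
ROLE_ENTITLEMENTS = {
    "sales": {"crm"},
    "finance": {"crm", "dms_fi"},
    "service": {"dms_service"},
    "it_admin": {"crm", "dms_fi", "dms_service"},
}
# Service providers the written vendor inventory lists as having access.
DOCUMENTED_VENDORS = {"dms_vendor_support", "oem_portal_connector"}
# Systems holding covered customer information; every login path into them needs MFA.
COVERED_SYSTEMS = {"crm", "dms_fi", "dms_service"}


@dataclass
class Account:
    """One row from an identity/DMS export: what an account can actually do today."""
    name: str
    kind: str                      # "staff" or "vendor"
    role: Optional[str]            # current HR role for staff, None for vendors
    active: bool                   # still employed / contract still in force
    access: Set[str] = field(default_factory=set)  # systems reachable right now
    mfa: bool = False              # MFA enforced on this account's login path


# --- What the environment actually looks like (constructed export) ---
ACTUAL_ACCOUNTS: List[Account] = [
    Account("alice", "staff", "sales", True, {"crm"}, True),
    # Transferred from finance to sales; old F&I access was never removed.
    Account("bob", "staff", "sales", True, {"crm", "dms_fi"}, True),
    # Left the dealership; account still enabled with its full access.
    Account("carol", "staff", "finance", False, {"crm", "dms_fi"}, True),
    # Documented vendor, but its remote-support path has no MFA.
    Account("dms_vendor_support", "vendor", None, True, {"dms_fi", "dms_service"}, False),
    # Financing-portal integration added after the program was written.
    Account("fin_portal_integration", "vendor", None, True, {"crm"}, True),
]


def find_drift(accounts: List[Account], role_entitlements: dict,
               documented_vendors: Set[str], covered_systems: Set[str]) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs where the live environment departs from the
    written program. Sorted so the output is stable for review and for tests."""
    findings: List[Tuple[str, str]] = []
    live_vendors: Set[str] = set()
    for acct in accounts:
        if acct.kind == "vendor":
            live_vendors.add(acct.name)
            if acct.name not in documented_vendors:
                findings.append((acct.name, "vendor_not_in_inventory"))
        else:
            allowed = role_entitlements.get(acct.role, set())
            excess = acct.access - allowed
            if excess:
                findings.append((acct.name, "excess_access:" + ",".join(sorted(excess))))
        if not acct.active and acct.access:
            findings.append((acct.name, "inactive_with_access"))
        if (acct.access & covered_systems) and not acct.mfa:
            findings.append((acct.name, "covered_access_without_mfa"))
    # Vendors the program still lists but that no longer appear in the environment:
    # the inventory is stale in the other direction.
    for vendor in documented_vendors - live_vendors:
        findings.append((vendor, "documented_vendor_no_longer_present"))
    return sorted(findings)


def run_sample() -> List[Tuple[str, str]]:
    """Run the check over the constructed data above."""
    return find_drift(ACTUAL_ACCOUNTS, ROLE_ENTITLEMENTS, DOCUMENTED_VENDORS, COVERED_SYSTEMS)


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name:28s} {finding}")
```

Run on a defined cycle, an empty result is the evidence that the written program still describes the environment; a non-empty one is the review list for that cycle. Each finding maps back to a passage above: excess or inactive access to the access-governance requirement, an undocumented or vanished vendor to vendor oversight, and covered access without MFA to the service-provider MFA point the 2025 FAQ confirmed.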

Incident response planning that reflects current systems

An incident response plan written around a DMS environment that has since been reconfigured, or around staff roles that have changed, is not a plan that will function under pressure. The Safeguards Rule requires a written incident response plan that is maintained – which means reviewed and updated as the systems and personnel it references change. For dealerships, DMS outage scenarios, F&I data exposure procedures, and consumer notification requirements under the 2024 breach reporting amendment all need to be reflected in current planning documents.

The Connection Between IT Security Practice and FTC Safeguards Rule Auto Dealership Data Security

FTC Safeguards Rule auto dealership data security is not a compliance program that runs parallel to IT operations – it depends on IT operations being structured in a way that makes the required controls function consistently. The access governance the rule requires depends on a managed IT environment that maintains access reviews as an ongoing function. The vendor oversight the rule requires depends on someone being accountable for knowing which vendors currently have access to customer data and on what terms. The incident response the rule requires depends on documentation that reflects the IT environment that currently exists.

This is why the question of whether a dealership satisfies Safeguards Rule requirements is, in most cases, a question about how its IT environment is being managed day to day – not about whether a compliance program was once written. Dealerships that operate under structured, ongoing managed IT security engagements tend to maintain compliance posture more accurately than those that address compliance as a periodic review exercise, because the controls that satisfy the rule are the same controls that a well-managed IT security program maintains as a matter of operational discipline.

For dealerships evaluating whether their current program satisfies the requirements the 2025 guidance reinforced – or for those that have not reviewed their program since the 2023 deadline – an honest assessment of the gap between what the program documents and what the IT environment currently reflects is the appropriate starting point.

A Note on Regional Applicability

The FTC Safeguards Rule applies federally. Dealerships in Pennsylvania, New Jersey, and Delaware operate under the same requirements as dealerships elsewhere in the country. The 2025 FTC FAQ guidance applies equally – there is no regional exemption or variation. State-level data protection requirements in these states may add obligations, but they do not reduce the federal Safeguards Rule requirements that apply to any dealer arranging or facilitating consumer financing.

For dealerships in the region that have not revisited their compliance programs since the 2023 deadline, the 2025 guidance is a practical prompt to do so – with particular attention to OEM vendor relationships, MFA enforcement on all system access pathways, and whether the written program still accurately describes the environment it was written to govern.

Dealerships evaluating the current state of their program, whether against the 2025 FTC guidance or more broadly, will find that the controls the Safeguards Rule requires are not separate from the IT security practices a well-managed dealership environment should maintain regardless of the compliance obligation. A detailed account of how those controls are structured and maintained is available on the IT Security Services for Auto Dealerships page. The full framework of all nine required program elements is documented on the FTC Safeguards Rule Compliance page for organizations that want to work through the requirements systematically. For dealerships whose technology environment has not been examined as a coherent whole recently, IT Support for Auto Dealerships provides the broader operational context in which security and compliance decisions sit.