FTC Safeguards Rule Compliance for Florence, KY Auto Dealerships: What Your IT Stack Is Missing

Florence, KY auto dealerships have been operating under the FTC Safeguards Rule's updated requirements since June 2023, yet compliance assessments across the Greater Cincinnati and Northern Kentucky market consistently reveal the same set of gaps. The rule isn't new anymore—but the enforcement exposure is real, and most dealerships are still running IT infrastructure that was designed around convenience rather than compliance.

The Safeguards Rule, enforced by the Federal Trade Commission under the Gramm-Leach-Bliley Act, applies to any financial institution that handles nonpublic personal information (NPI). That includes your F&I office. The moment a customer's credit application touches your DMS—whether you're running CDK Global, Reynolds & Reynolds, or DealerSocket—you're a covered entity. And the 2023 amendments significantly raised the bar.

The Compliance Gaps Most Florence Dealerships Still Carry

The updated Safeguards Rule requires a written information security program with specific technical controls. The areas where dealerships most commonly fall short aren't exotic—they're foundational IT work that simply hasn't been done.

No formal risk assessment on record. The rule requires a documented risk assessment identifying reasonably foreseeable risks to customer information. Many dealerships have never done one. "We have antivirus" isn't a risk assessment. You need a written evaluation of your threat landscape, existing controls, and gaps—reviewed annually.

Multi-factor authentication gaps. MFA is now explicitly required for any system that accesses customer financial data. That means your DMS, your CRM, your F&I software, and your email. We still see Florence-area dealers using single-factor logins on Reynolds & Reynolds portals and CDK administrative panels. That's a direct Safeguards violation, not a gray area.

Encryption in transit and at rest. NPI must be encrypted wherever feasible—both when it's moving across your network and when it's sitting on a server or workstation. Dealerships running unencrypted Wi-Fi in the showroom, or using workstations without BitLocker, are exposing themselves unnecessarily. Properly segmented, encrypted wireless networks and endpoint encryption should be baseline.

No continuous monitoring or SIEM. The rule requires monitoring for unauthorized access and use of customer information. A firewall isn't monitoring—it's a gate. Active monitoring means logging authentication events, DMS access, and network anomalies, then having someone review them. Security Information and Event Management (SIEM) with Managed Detection and Response is the practical way to meet this requirement without hiring a full-time security analyst.
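What "having someone review them" looks like in practice, as an added example that is not code from the original post or from any DMS vendor: a small review pass over constructed authentication events of the kind a SIEM collects, flagging NPI-system logins without MFA, access outside business hours, and a burst of failures followed by a success. The event format, the system names DMS/CRM/FI, and the 07:00 to 21:00 business window are assumptions for the example.

```python
"""Review pass over constructed DMS/CRM authentication events (an added
example, not code from the original post or any vendor). It flags the three
things a reviewer should look for: NPI-system logins without MFA, access
outside business hours, and a burst of failures followed by a success."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs. Fields:
# time user system result mfa=<yes|no> src=<ip>
SAMPLE_EVENTS = [
    "2024-03-04T09:12:00 fmgr1 DMS success mfa=yes src=10.0.5.21",
    "2024-03-04T09:15:00 fmgr1 CRM success mfa=no src=10.0.5.21",
    "2024-03-04T22:40:00 fmgr2 DMS success mfa=yes src=10.0.5.30",
    "2024-03-04T13:01:00 admin DMS failure mfa=yes src=203.0.113.9",
    "2024-03-04T13:01:20 admin DMS failure mfa=yes src=203.0.113.9",
    "2024-03-04T13:01:40 admin DMS failure mfa=yes src=203.0.113.9",
    "2024-03-04T13:02:05 admin DMS success mfa=yes src=203.0.113.9",
]

NPI_SYSTEMS = {"DMS", "CRM", "FI"}   # assumed names for the systems holding NPI
BUSINESS_HOURS = (7, 21)             # assumed showroom hours, 07:00 to 21:00


def parse(line):
    ts, user, system, result, mfa, src = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user, "system": system,
            "result": result, "mfa": mfa.split("=")[1] == "yes",
            "src": src.split("=")[1]}


def review(lines, fail_threshold=3):
    """Return (finding, user, detail) tuples in chronological order."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["time"])
    findings, failures = [], defaultdict(int)
    for e in events:
        npi_login = e["system"] in NPI_SYSTEMS and e["result"] == "success"
        if npi_login and not e["mfa"]:
            findings.append(("no_mfa", e["user"], e["system"]))
        if npi_login and not BUSINESS_HOURS[0] <= e["time"].hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours", e["user"], e["system"]))
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key] += 1          # count consecutive failures per user/source
            continue
        if failures[key] >= fail_threshold:
            findings.append(("failures_then_success", e["user"], e["src"]))
        failures[key] = 0               # any success resets the streak
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(*finding)
```

Each finding is something a person then reviews; the script only narrows the log to the events worth a look, which is the part a firewall alone never does.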

Vendor oversight without documentation. Your DMS vendor, your credit bureau feeds, your dealer add-on software—they all handle NPI. The Safeguards Rule requires written contracts with service providers ensuring they maintain appropriate safeguards. Most dealerships have signed vendor agreements but haven't reviewed whether those agreements actually satisfy the FTC's language. They often don't.

What the F&I Office Exposure Actually Looks Like

The F&I office is the highest-risk area in any dealership from a data security standpoint. Credit applications, SSNs, income documentation, and financing terms flow through it constantly. In Florence, like most of Northern Kentucky, that office is typically running on a mix of DMS-integrated F&I software and standalone credit apps—often on workstations that also browse the internet and receive email.

A phishing email that lands on a finance manager's workstation can give an attacker direct access to the same machine used to pull credit. Endpoint detection and response tools—we deploy SentinelOne EDR alongside Huntress MDR for layered coverage—catch the behavior that traditional antivirus misses. That's not marketing language; it's the operational difference between detecting a credential theft attempt in 20 minutes versus finding out three months later during a breach notification process.

Backup and recovery is another area the Safeguards Rule touches. Customer records must be recoverable. Ransomware hitting a dealership DMS without tested backups means potential regulatory exposure on top of the operational disaster. Immutable, offsite backup with verified recovery testing is the standard—not an optional add-on.

The Qualified Individual Requirement

One provision that consistently catches dealerships off guard: the Safeguards Rule requires designation of a "qualified individual" responsible for overseeing the information security program. Larger dealers may have an IT director who can fill this role. Smaller Florence-area stores often have no one in-house who meets the standard.

A managed IT provider with documented security program experience can serve as the qualified individual or support an internal designee. This isn't a technicality—the FTC has made clear that the responsible individual must actually have the authority and expertise to implement the program, not just be a name on a form.

Physical Security Ties In

The Safeguards Rule covers physical access controls as well. Server rooms, F&I offices, and areas where customer documents are stored need access logging. Key-fob or card-based electronic access control with audit trails is straightforward to implement and gives you the documentation you need if questions ever arise. Video surveillance tied to door access events is a natural complement—particularly for after-hours access to server infrastructure.

Where Florence Dealerships Should Start

If you haven't had a formal Safeguards Rule assessment done, that's the starting point. Not a vendor sales call—an actual gap analysis against the rule's nine requirements, with a prioritized remediation list. From there, the work is mostly execution: MFA rollout, endpoint protection, network segmentation, encrypted Wi-Fi, backup verification, and written policies to document everything.

Most Florence dealerships can reach a defensible compliance posture within 60 to 90 days with the right IT partner. The cost of getting there is substantially less than the cost of an FTC investigation, a civil penalty, or a data breach affecting thousands of customer records.

Titan Tech works with auto dealerships across Florence, Northern Kentucky, and Greater Cincinnati on FTC Safeguards compliance, managed IT, and cybersecurity. If you want a straight assessment of where your dealership stands, reach out here and we'll start with the gaps.