If your Houston-area dealership or finance firm collects customer financial data, the FTC Safeguards Rule almost certainly applies to you. Here is who is covered, the nine required controls, breach-reporting deadlines, and how an MSP delivers compliance.
If you run an auto dealership, a mortgage brokerage, a payday or consumer-finance office anywhere from Houston to The Woodlands, Katy, Sugar Land, or Spring, there is a federal cybersecurity regulation that almost certainly governs your business, and many owners still do not know it exists. The FTC Safeguards Rule for auto dealers Houston operators must follow is not a suggestion or a best practice. It is an enforceable rule under the Gramm-Leach-Bliley Act (GLBA), and after years of deadline extensions the Federal Trade Commission has clearly signaled that 2025 and 2026 are the years of active enforcement.
This post is scoped to the covered-entity vertical: dealers, lenders, and non-bank finance firms. If you are a CPA firm or registered investment adviser, the same rule applies but the framing differs. Here we focus on what a Texas dealership or finance company actually has to do.
Yes. The FTC Safeguards Rule implements GLBA and applies to "financial institutions" under FTC jurisdiction. That definition is far broader than most business owners assume. It explicitly includes most automobile dealers that finance or lease vehicles, along with mortgage brokers and lenders, payday lenders, and other non-bank consumer-finance firms. If you arrange financing, process credit applications, or lease vehicles, you are handling nonpublic personal information about your customers, and that pulls you into the Rule.
This is the heart of non-bank financial institution compliance: you do not have to be a bank to be regulated like one when it comes to protecting customer data. A single dealership finance and insurance (F&I) office collecting Social Security numbers, driver's licenses, bank details, and credit reports is squarely a covered financial institution.
The Rule was significantly amended in 2021 to add prescriptive technical requirements. Those provisions carried a December 9, 2022 compliance deadline that the FTC extended by six months, making the key technical requirements fully enforceable on June 9, 2023. A further 2023 amendment added a data-breach reporting requirement that took effect May 13, 2024. And in June 2025, the FTC updated its Safeguards Rule guidance specifically for auto dealers, reiterating that multi-factor authentication obligations extend to service-provider access, not just internal staff. The direction of travel is unmistakable.
Section 314.4 of the Rule (16 CFR) defines nine required elements of a written information security program. Achieving GLBA compliance for finance companies means implementing all nine:
Underneath these nine elements sit specific technical safeguards the Rule names directly: access controls built on least privilege, encryption of customer information both at rest and in transit, multi-factor authentication for anyone accessing systems that contain customer information, and logging and monitoring of authorized user activity plus detection of unauthorized access. Importantly, the Rule is control-based and technology-neutral. It does not mandate a specific product, encryption algorithm, or MFA app, which gives you room to build a program that fits your operation.
The anchor document is the Written Information Security Program. A WISP for auto dealers and finance firms is not boilerplate you download once and forget. It documents your risk assessment, your chosen safeguards, your incident response plan, and the roles behind them, and it has to reflect what you actually do day to day.
The Qualified Individual oversees this program. That person may be an employee, an affiliate, or an employee of a service provider such as an MSP or MSSP. This is why so many Houston dealers partner with an outside provider: you can borrow the expertise without hiring a full-time security officer. But note the critical caveat. Even when you outsource the Qualified Individual role, your business retains ultimate responsibility for compliance. You cannot contract the accountability away.
If you do not yet have a WISP, our free WISP generator tool is a practical starting point for structuring the document, and our GLBA compliance overview explains how the security and privacy sides fit together.
The FTC Safeguards MFA requirement tends to trip up dealerships first, because F&I systems, dealer management systems, and email all touch customer data and all need MFA. The June 2025 guidance made a point many providers missed: MFA obligations extend to service-provider access. If your DMS vendor or an outside IT contractor can reach systems holding customer information, that access needs MFA too.
Encryption is the second common gap. Customer information must be encrypted both at rest and in transit. That includes the databases inside your DMS, backups, and any file transfers. Strong access controls on a least-privilege basis round out the core: the receptionist does not need access to the F&I credit application archive, and enforcing that boundary is a compliance control, not just good hygiene. Proper privileged access management and modern endpoint security are how these requirements move from policy to reality on the showroom floor.
The 2023 amendment, effective May 13, 2024, added a breach-notification duty that is easy to get wrong. A covered financial institution must notify the FTC as soon as possible, and no later than 30 days after discovery, of a "notification event": a security breach involving the unauthorized acquisition of unencrypted customer information of 500 or more consumers. Reporting is done through the FTC's online form.
Two nuances matter for auto dealership cybersecurity Texas owners. First, "unencrypted" includes encrypted data if the encryption key was also accessed by an unauthorized person, so encryption only helps if the keys stay protected. Second, unauthorized access to unencrypted customer information is treated as unauthorized acquisition unless you have reliable evidence showing otherwise. In plain terms, the burden leans toward reporting.
Do not confuse the two key numbers. The 500-consumer figure triggers FTC breach notification. A separate 5,000-consumer threshold governs a partial exemption discussed below. They are different rules with different purposes.
There is a partial exemption. Businesses that maintain customer information on fewer than 5,000 consumers are not required to complete a written risk assessment, continuous monitoring or the annual-penetration-test-plus-biannual-vulnerability-assessment obligation, a written incident response plan, or the annual written report to the board. Many single-rooftop dealers exceed 5,000 consumer records faster than they expect once you count years of finance applications, so do the math before assuming you qualify.
For firms that are not exempt, the testing obligation is specific: annual penetration testing plus vulnerability assessments at least every six months, or continuous monitoring in lieu of that periodic schedule.
On penalties, be precise, because many vendor blogs get this wrong. The FTC generally does not have authority to seek civil penalties for a first-time violation of the Safeguards Rule itself. Monetary exposure typically arises through violations of a consent order, Section 5 unfair-or-deceptive-practices actions, or once a party is already under order. The FTC Act's inflation-adjusted maximum civil penalty rose to $53,088 per violation in 2025, but that is the general FTC Act cap for order and Section 5 matters, not a direct per-violation Safeguards Rule fine. Real-world enforcement has meant mandated comprehensive security programs and, in large cases such as Equifax, settlements reported in the $575 million to $700 million range as an illustrative backdrop rather than a clean Safeguards-Rule penalty. The takeaway: the risk is consent orders, injunctive relief, mandated programs, and Section 5 exposure, and those are expensive and public.
Hiring an MSP is not a legal requirement, but it is the most practical path to compliance for most dealers and finance offices. A capable provider can serve as or support your Qualified Individual, build and maintain your WISP, deploy MFA and encryption, run the monitoring and testing cadence, manage vendor oversight, and stand up an incident response plan that meets the 30-day clock. Strong dealership data security Houston programs are built on exactly these managed controls.
LayerLogix brings 20+ years of experience and 100% Texas-based support to this work, combining managed cybersecurity services with day-to-day managed IT services so your compliance program and your operations stay in sync. Market pricing for compliance-focused managed security typically runs on a per-user or per-endpoint monthly model, scaled to your rooftop count and the number of systems that touch customer data.
Generally yes. If you take credit applications, pull credit reports, or arrange or facilitate financing or leases, you are handling nonpublic personal information and fall within the definition of a covered financial institution, even when the loan is held by an outside lender.
The Qualified Individual can be an employee, an affiliate, or an employee of a service provider such as an MSP or MSSP. Many Houston-area dealers use their managed security provider for this role, but your business always retains ultimate responsibility for compliance regardless of who fills the seat.
No later than 30 days after discovering a notification event, which is a breach involving unauthorized acquisition of unencrypted customer information of 500 or more consumers. Reporting is done through the FTC's online form, and the burden of proof leans toward reporting.
Yes. The FTC's June 2025 guidance confirmed that the MFA requirement extends to service-provider access, not just internal staff. Any vendor who can reach systems containing customer information should be using multi-factor authentication.
No, only partially. You are relieved of certain elements such as the written risk assessment, continuous monitoring or periodic pen testing, a written incident response plan, and the annual board report. The core duties to safeguard customer information still apply, and the 500-consumer breach-notification rule still applies.
Enforcement is no longer theoretical, and a scramble after a breach is the worst time to build a security program. Whether you operate a single rooftop in Spring or a multi-location group across Greater Houston, our team can assess your gaps, stand up your WISP and controls, and keep you audit-ready. Start with our FTC Safeguards Rule compliance services to see exactly where your business stands and what it takes to close the gap.
LayerLogix provides expert cybersecurity solutions for businesses across Houston and nationwide.
Let our team help your Houston business with enterprise-grade IT services and cybersecurity solutions.