The Standards for Technology in Automotive Retail (STAR), is an organization whose members represent all aspects of the auto retail technology ecosystem – dealers, vendors, and OEMs. NADA is a long-time member of STAR and supports the organization’s efforts to increase efficiency through the voluntary adoption of auto retail technology standards and the promotion of competition.
As part of their efforts, STAR recently announced a set of uniform risk assessment standards (“STAR Assessment”) to assist dealers and vendors in complying with certain requirements under the FTC’s Amended Safeguards Rule.
As dealers know, the June 9, 2023, deadline for compliance with the FTC’s amended Safeguards Rule is fast approaching and one critical requirement is that dealers must take new and broader steps in overseeing their service providers. Dealers need to ensure that their service providers can adequately safeguard customer data. This issue has created some confusion and difficulty for dealers because of the lack of clarity in the Rule and the varying approaches taken in the marketplace.
STAR’s members worked together to address that issue by issuing the STAR Assessment, which is intended to be completed by dealer service providers to demonstrate their ability to adhere to the amended Safeguards Rule requirements.
Dealers can also proactively send the STAR Assessment to their service providers for completion. Once completed, dealers can use the information in the STAR Assessment in their contracts and in the required “periodic assessments” of their service providers.
NADA has posted a link to this assessment on its Safeguards Rule website at www.nada.org/safeguards where it can be accessed and downloaded. NADA encourages dealers, vendors, and OEMs to review and consider adopting the assessment before the June 9, 2023 compliance deadline.
According to STAR, its approved assessment offers benefits to auto dealers, vendors, and OEMs including:
-
Regulatory Compliance: Vendors use the uniform risk assessment to satisfy regulatory requirements while enabling dealers to continue using their services with confidence in existing security measures.
-
Compatibility with Popular Frameworks: The assessment maps each item to well-known cybersecurity frameworks, such as CIS Controls, PCI DSS, and SOC2, thereby making it easier for vendors to demonstrate compliance across multiple frameworks within one assessment.
-
Level Playing Field: Adoption of uniform standards simplifies the compliance for vendors – enabling them to comply with a single assessment, instead of completing different assessments for individual dealerships. Additionally, it holds vendors to consistent standards across the industry, such as implementing multi-factor authentication for systems containing nonpublic personal information (NPI).
-
Concise and Focused: The approved assessment is concise with a focus on achieving the minimum legal and compliance standards necessary.
Adoption of the questionnaire is voluntary, and every dealer must individually review it with their counsel and make an individual determination whether it is legally sufficient, adequate for their systems, and otherwise meets their specific needs. However, NADA agrees that a standardized approach like that outlined in the STAR Assessment, if adopted, will increase efficiency for dealers, vendors, and OEMs and will help dealers comply with the Safeguards Rule.
The foregoing is offered for informational purposes and is not intended as legal advice.
For more stories like this, bookmark www.NADAheadlines.org as a favorite in the browser of your choice and subscribe to our newsletter here: