Foureyes Compliance with the FTC Safeguards Rule

Frequently Asked Questions about FTC Compliance

Written by Melody Edwards

What is the FTC Safeguards Rule?

The FTC Safeguards Rule refers to the Federal Trade Commission (FTC) revisions to the “Standards for Safeguarding Customer Information” issued under the Gramm-Leach-Bliley Act (GLBA).

The FTC’s Revised Safeguards Rule expands many requirements of the original 2003 GLBA rule and requires dealerships to revise their information security programs and implement new compliance measures. The original compliance date for the new requirements was December 9, 2022; the FTC later extended that deadline to June 9, 2023.

The new Rule is intended to protect consumer information from misuse or a data breach, and ultimately to protect customer data privacy.

Does this Rule apply to Foureyes?

The Safeguards Rule applies broadly to all “financial institutions,” including dealerships and other businesses that provide or facilitate financial services.

Even though Foureyes is not a financial institution, we have access to certain sensitive customer data from dealerships, which are subject to this Rule. The Rule requires dealerships to oversee their service providers: to select providers capable of safeguarding customer information, to require those safeguards by contract, and to periodically assess them. That oversight obligation is what makes Foureyes subject to the Rule’s requirements.

How is Foureyes compliant with the FTC Rule?

The following are safeguards the FTC Safeguards Rule requires of financial institutions, and which dealerships must in turn require of their service providers. For each, we describe what Foureyes has in place:

Access Controls

As of June 9, 2023 (the extended compliance deadline for the Rule’s new requirements), the Foureyes application will require multi-factor authentication (MFA) and will limit the data exposed to each user on an individual basis. When deployed, the Foureyes MFA system will follow industry-standard practices using AWS Cognito for access to our front end and to any client-specific data.

System Inventory

Foureyes uses an MDM (Mobile Device Management) system to inventory all devices used to access data. The MDM system allows IT to track the physical location of each device and to remotely lock and/or wipe a device immediately when necessary.

Encryption

All data stored by our applications is encrypted at rest using AWS database-level encryption and encrypted in transit when transmitted across the wire. Access to all underlying databases is limited to devices inside our virtual private cloud (VPC): no one outside the VPC, employee or non-employee, can reach a database directly.
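The following Python script is an added example, not Foureyes’s own code or configuration. It shows how a reviewer could check the access-control and encryption claims above against AWS API responses: the Cognito user pool must enforce MFA for every user (MfaConfiguration "ON"), each RDS instance must have storage encryption enabled, must not be publicly accessible, and must have no inbound security-group rule from an address range outside the VPC. The resource identifiers, the VPC range 10.0.0.0/16 and the sample responses are all constructed here; in real use they would be replaced by the output of boto3’s `describe_db_instances`, `describe_security_groups` and `get_user_pool_mfa_config` calls. Encryption in transit is not checked by this script, since it is not visible in these responses.

```python
import ipaddress

# Assumed VPC address range (hypothetical; not Foureyes's real network).
VPC_CIDR = "10.0.0.0/16"

# Constructed sample data shaped like rds.describe_db_instances()["DBInstances"].
SAMPLE_DB_INSTANCES = [
    {
        "DBInstanceIdentifier": "app-db",
        "StorageEncrypted": True,
        "PubliclyAccessible": False,
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db", "Status": "active"}],
    },
    {
        "DBInstanceIdentifier": "legacy-db",
        "StorageEncrypted": False,
        "PubliclyAccessible": True,
        "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-open", "Status": "active"}],
    },
]

# Constructed sample data shaped like ec2.describe_security_groups()["SecurityGroups"],
# keyed by GroupId.
SAMPLE_SECURITY_GROUPS = {
    "sg-db": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        ]
    },
    "sg-open": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
        ]
    },
}

# Constructed sample data shaped like cognito-idp.get_user_pool_mfa_config(UserPoolId=...).
SAMPLE_MFA_CONFIG = {"MfaConfiguration": "ON",
                     "SoftwareTokenMfaConfiguration": {"Enabled": True}}


def ingress_outside_vpc(sg, vpc_cidr):
    """Return the CIDR ranges in a security group's inbound rules that are not
    contained in the VPC. Rules that reference another security group
    (UserIdGroupPairs) can only match traffic inside the VPC and are not reported."""
    vpc = ipaddress.ip_network(vpc_cidr)
    outside = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            # A range of a different address family can never lie inside the VPC range.
            if net.version != vpc.version or not net.subnet_of(vpc):
                outside.append(cidr)
    return outside


def audit_db_instance(db, security_groups, vpc_cidr):
    """Findings for one RDS instance; an empty list means every check passed."""
    findings = []
    if not db.get("StorageEncrypted", False):
        findings.append("storage is not encrypted at rest")
    if db.get("PubliclyAccessible", False):
        findings.append("instance has a publicly accessible endpoint")
    for ref in db.get("VpcSecurityGroups", []):
        sg_id = ref["VpcSecurityGroupId"]
        for cidr in ingress_outside_vpc(security_groups.get(sg_id, {}), vpc_cidr):
            findings.append(f"{sg_id} allows inbound traffic from {cidr}")
    return findings


def audit_mfa(mfa_config):
    """MFA must be ON (required for every user); OPTIONAL or OFF is a finding."""
    mode = mfa_config.get("MfaConfiguration", "OFF")
    return [] if mode == "ON" else [f"user pool MFA is {mode}, not ON"]


def run_audit(db_instances, security_groups, mfa_config, vpc_cidr=VPC_CIDR):
    """Map each resource name to its list of findings."""
    report = {db["DBInstanceIdentifier"]: audit_db_instance(db, security_groups, vpc_cidr)
              for db in db_instances}
    report["cognito-user-pool"] = audit_mfa(mfa_config)
    return report


if __name__ == "__main__":
    for resource, findings in run_audit(SAMPLE_DB_INSTANCES, SAMPLE_SECURITY_GROUPS,
                                        SAMPLE_MFA_CONFIG).items():
        print(resource, "OK" if not findings else findings)
```

With the constructed data, `app-db` and the user pool pass, while `legacy-db` is reported for unencrypted storage, a public endpoint, and inbound rules from 0.0.0.0/0 and ::/0. The security-group check compares every CIDR against the VPC range rather than looking only for 0.0.0.0/0, so a rule that opens the database to an office or partner range outside the VPC is flagged as well.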

Secure Development Practices

As part of our SOC 2 compliance we follow a strict change management policy that includes multiple code reviews and a defined hierarchy of responsibility for approving code changes. Every change is tracked and reviewed under that Change Management process before it is deployed.

Disposal Procedures

Foureyes retains consumer data while providing services to a dealer and permanently disposes of PII associated with an account six months after the services agreement with that dealer is terminated. On a dealer’s request, Foureyes will permanently dispose of PII on a different schedule.

Change Management Procedures

Change management is covered by the same SOC 2 change management policy described under Secure Development Practices above: multiple code reviews, a defined hierarchy of responsibility for approving changes, and tracking and review of every change under our Change Management process.

Monitoring and logging of authorized user activity

Foureyes logs user activity extensively as part of our AWS infrastructure. Through AWS logging services we can trace, for each individual user, the actions they took directly and the data they accessed.
