Automotive dealerships are no strangers to strict measures surrounding customer data security. They have been complying with the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule for more than 20 years.
But on October 27, 2021, the Federal Trade Commission (FTC) amended the 2003 Safeguards Rule to require additional controls on top of existing security compliance processes, in order to better combat the rise in data breaches and online security risks. While the revised rule took effect on January 10, 2022, certain requirements, such as the appointment of a qualified individual and written risk assessments, are set to go into effect on December 9, 2022.
The relatively complex requirements may carry a significant burden, with the National Automobile Dealers Association (NADA) estimating upward of $200,000 in additional costs each year. Because of the substantial time and financial investment needed to comply with the enhanced rule, all affected auto dealerships are advised to begin preparing for and implementing the changes as soon as possible.
Basic Overview of Updated FTC Safeguards Rule
The Safeguards Rule was introduced as part of the original 2003 GLBA to help strengthen the security of customer information and financial data, especially for those receiving loans and financing assistance.
The new FTC Safeguards Rule specifically calls on non-banking financial institutions to develop and implement a more robust security program to protect customer data. Since most auto dealerships offer financing as part of their sales agreements, they automatically fall into the “non-banking financial institution” category and are subject to the FTC’s increased security measures.
In light of several high-profile data breaches, the FTC’s final amendments include a number of intensified obligations surrounding security, including new and expanded procedural, technical, and personnel requirements. While the initial Safeguards Rule had slightly less stringent compliance requirements, the updated rule requires all financial institutions to comply regardless of size, systems, or scope of data they collect.
The following amendments that specifically impact auto dealerships are worth noting:
1. Additional criteria for risk assessment, system access controls, authentication, and encryption, on top of the existing requirement to develop and implement a written information security program.
2. The appointment of a “qualified individual” to oversee the effectiveness of the information security program, including employee training and service provider oversight. This individual is also responsible for providing periodic reports to boards of directors and governing bodies.
3. A requirement to ensure that all affiliates, service providers, and vendors comply with the safeguards and effectively protect customer information. This covers every third party that might access a customer’s personal information during the loan or financing process, including customer relationship management (CRM) tools, marketing agencies, and data management platforms.
Small dealerships that collect information from fewer than 5,000 consumers may be exempt from the requirements for a written risk assessment, an incident response plan, and annual reporting to the board of directors.
Please contact John Comunale via our online contact form for more information.
Councilor, Buchanan & Mitchell (CBM) is a professional services firm delivering tax, accounting and business advisory expertise throughout the Mid-Atlantic region from offices in Bethesda, MD and Washington, DC.