Automotive dealerships have been complying with the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule for more than 20 years to ensure customer data security. In October 2021, the Federal Trade Commission (FTC) amended the 2003 Safeguards Rule requiring additional controls for existing security compliance processes to better combat increased data breaches and online security risks. The revised rule took effect on January 10, 2022, although certain requirements, such as the appointment of a qualified individual and written risk assessments, are set to go into effect on December 9, 2022.
The relatively complex requirements may carry a lofty burden, with the National Automobile Dealers Association (NADA) estimating upward of $200,000 in additional costs each year. Because of the significant time and financial investment necessary to comply with the enhanced rule, it’s recommended all affected auto dealerships begin preparing and implementing the changes as soon as possible.
Basic Overview of Updated FTC Safeguards Rule
The Safeguards Rule was introduced as part of the original 2003 GLBA to help strengthen the security of customer information and financial data, especially for those receiving loans and financing assistance.
The new FTC Safeguards Rule calls on non-banking financial institutions to develop and implement a more robust security system to maintain customer data. Since most auto dealerships offer financing as part of their sales agreements, they automatically fall into the “non-banking financial institution” category and are subject to the FTC’s increased security measures.
In light of several high-profile data breaches, the FTC’s final amendments include a number of intensified obligations surrounding security, including new and expanded procedural, technical, and personnel requirements. The updated rule requires all financial institutions to comply regardless of size, systems, or scope of data they collect.
The following amendments specifically impact auto dealerships:
- Extra criteria surrounding risk assessment, system access controls, authentication, and encryption on top of existing requirements for developing and implementing a written information security program.
- The appointment of a “qualified individual” to oversee the effectiveness of the information security program, including employee training and service providers. This individual should also be responsible for providing periodic reports to boards of directors and governing bodies.
- Ensure all affiliates, service providers, and vendors comply with safety measures and effectively protect customer information. This includes all third parties that might access the customer’s personal information during the loan or financing process, including customer resource management (CRM) tools, marketing agencies, and data management platforms.
Small dealerships collecting information from less than 5,000 consumers may be exempt from the requirement of a written risk assessment, incident response plan, and annual reporting to the board of directors.
While the above represents a basic overview of the increased security measures, auto dealers should consult their financial advisors and legal counsel regarding specific questions and ensure proper compliance with the updated rules.