Revised Safeguards Rule for Automobile Dealerships | What You Need to Know
Flash back to May 2003, when the original FTC (Federal Trade Commission) Safeguards Rule took effect for financial institutions, a category that includes most dealerships. The rule was intended to ensure "reasonable" safeguards for sensitive customer data, but it never said what reasonable meant. That subjectivity made the rule hard to enforce, and it meant adoption across the dealership industry was inconsistent.
Flash forward to today. With cybercrime on a relentless upward trajectory and cybersecurity expectations rising to match, an amended version of the Safeguards Rule took effect on January 10, 2022. The new version is far more objective: it lists specific controls that must be in place for compliance, and it sets a deadline for putting them in place.
The revised rule requires the new controls to be implemented by December 9, 2022, which leaves nearly a full year to put an adequate program in place. That does not mean there is plenty of time. The timeline is long precisely because the required measures (risk assessments, vulnerability testing, multi-factor authentication, service provider oversight) take months to select, deploy, and document.
To be compliant, here is what dealerships must do (note that this is not an all-inclusive list).
- Designate a "Qualified Individual" to oversee the program. The individual needs to be qualified to competently oversee that the necessary duties are performed and documented. The role can be filled in-house or by a third party, but if a service provider supplies the Qualified Individual, the dealership must still designate a senior member of its own personnel to direct and oversee that person, and the responsibility for compliance remains with the dealership.
- Create a written risk assessment, including a Vulnerability Assessment (“VA”)
- Have a Written Information Security Program (“WISP”) – NADA has a template in their Dealer Guide to the FTC Safeguards Rule
- Implement Multi-Factor Authentication for anyone accessing information systems that hold customer information
- Perform continuous network monitoring, or, if that is not in place, annual penetration testing plus Vulnerability Assessments ("VAs") at least every six months
- Ensure oversight of service providers (e.g., banks, credit unions, F&I providers, DMS and CRM vendors, etc.), which means selecting providers capable of maintaining safeguards, requiring those safeguards by contract, and periodically assessing them
- Provide an annual written report from the Qualified Individual to senior management/ownership
The rule also requires, among other things, encryption of customer information in transit and at rest, access controls, a written incident response plan, and security awareness training for staff. The full list of requirements is documented in NADA's Amended Safeguards Rule Preliminary FAQs.
The Expected Cost of Compliance – and Non-Compliance
On average, the cost of compliance is expected to be between $1,500 and $6,000 per rooftop per month, depending on the size of the dealership and sales volume.
If dealerships are not in compliance by the December 9 deadline, there is always the exposure of lawsuits and potential fines down the road. FTC enforcement actions are possible (although unlikely), and civil penalties can run up to roughly $46K per violation (the inflation-adjusted figure for 2022).
The more likely exposure, though, is consumer class action litigation. The FTC treats a failure to maintain reasonable safeguards as an unfair or deceptive practice, and although the FTC Act gives consumers no private right of action, plaintiffs routinely point to the Safeguards Rule as the standard of care a dealership failed to meet. The first class action lawsuit against a dealership group was filed in February 2022, only one month after the revised rule went into effect.
Going forward, it is highly recommended that dealerships request a copy of each service provider's WISP and confirm that the provider's contract requires it to maintain safeguards that meet the revised rule. Oversight of service providers is the dealership's own obligation under the rule, so a provider that cannot demonstrate compliance, or that was never assessed, leaves the dealership out of compliance as well.
The earlier you implement these changes, the better off your dealership will be. Take action now to get in front of the revised rule. You will not only be putting stronger measures in place to protect your customers' data, but also protecting your organization against potential violations, fines, and lawsuits down the road. Start now to ensure you and your service providers are in compliance before the December 9, 2022 deadline.
Have a question about implementing the revised Safeguards Rule, or want to talk to a member of our dedicated team of automobile dealership professionals? Contact us today for a free consultation. As always, we are here to help.