What Dealers Should Know About the Amended FTC Safeguards Rule
Paul R. Norman, Sarah J. Reusché | 01.11.22
On October 27, 2021, the Federal Trade Commission (“FTC”) announced the final amendments to the Safeguards Rule of the Gramm-Leach-Bliley Act. Although the amendments will not become effective until October 27, 2022, dealers should get them on their radar and into their budgets now because the new burdensome requirements will likely be costly. Understanding how these amendments apply to dealers before signing up with a new data security vendor is also key. This article provides a general overview of the heightened security responsibilities imposed by the FTC Safeguards Rule. Dealers should consult legal counsel with more specific questions regarding proper compliance.
Motor Vehicle Dealers Are “Financial Institutions” Subject to FTC Safeguards Rule
Amendments to the FTC Safeguards Rule require non-banking financial institutions to develop, implement, and maintain a comprehensive security system to keep customer information safe. Motor vehicle dealers constitute a “non-banking financial institution” for purposes of the Rule. Therefore, dealers have an obligation to comply with the amendments to the FTC Safeguards Rule by protecting sensitive consumer data that they collect on a daily basis.
Amendments to FTC Safeguards Rule Impose Specific Data Protection Requirements
In general, the amendments to the FTC Safeguards Rule impose more specific requirements on motor vehicle dealers to: (1) address specific topics in risk assessments and produce a written report about those assessments; (2) include particular issues in a safeguarding plan, such as encryption, secure development practices, multi-factor authentication, and information disposal procedures (among others); (3) adopt measures for one qualified individual to oversee the effectiveness of the safeguarding plan, employee training, and services from external providers; and (4) provide periodic reports to certain boards of directors and governing bodies.
The specific requirements under the amended Safeguards Rule aim to strengthen data security efforts across the board. They limit who can access consumer data through the implementation of encryption methods and require financial institutions to explain their information-sharing practices in an effort to reduce widespread data breaches and cyberattacks. In turn, dealers may face less risk of data breach litigation as a result.
However, the annual costs of compliance can be substantial. According to a study by the National Automobile Dealers Association (“NADA”), on average dealers may incur upwards of $276,000 in costs each year. From keeping an up-to-date inventory of data to maintaining an incident response plan, the budget may grow. Dealers should start planning now and consulting vendors to find the best fit for them in the years ahead.
The information provided is for general informational purposes only. This post is not updated to account for changes in the law and should not be considered tax or legal advice. This article is not intended to create an attorney-client relationship. You should consult with legal and/or financial advisors for legal and tax advice tailored to your specific circumstances.