FTC Safeguards Rules for Auto Dealers

September 6, 2023

Team ACV

Consumer data security and privacy are bigger concerns than ever, and regulators have responded. The Federal Trade Commission (FTC) recently updated its Safeguards Rule to require covered institutions to take specific measures to protect customer information. This includes car dealerships that offer financial services, such as extending credit so a customer can lease or finance a vehicle or setting up any other type of payment plan. Even advising a customer on their financing options can bring a dealer within the scope of these rules.

Learn more about the critical details of this update to the FTC Safeguards Rule for auto dealers below. 

FTC Safeguards Rules

The FTC Safeguards Rule is issued under the Gramm-Leach-Bliley Act (GLBA) and applies to financial institutions that handle sensitive customer data¹. Any U.S. auto dealership that handles nonpublic personal information (NPI) about customers, such as Social Security numbers and financial details collected as part of a financing or leasing agreement, is considered a financial institution under this law. These dealerships must meet all the standards and requirements of the Safeguards Rule. 

The Safeguards Rule requires financial institutions to adhere to specific data security standards to protect their customers’ sensitive information. Each institution must develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards appropriate to its size, the nature of its activities, and the sensitivity of the customer information it handles. 

In December 2021, the FTC updated the Safeguards Rule, which first took effect in 2003². The update addresses the evolution in technology and data practices over the intervening two decades: where the original rule described security programs only in general terms, the amended rule spells out specific controls. With so many sensitive transactions and interactions now occurring online, the FTC needed more concrete requirements to protect modern consumers’ data security and privacy. 

Complying With the Updated FTC Safeguards Rule

After a six-month extension, the deadline for compliance with most of the new Safeguards requirements was June 9, 2023³. Any dealership not currently in compliance risks penalties and other negative consequences. If you are not yet compliant with the updated Safeguards Rule, develop a compliance plan as soon as possible. 

4 Standards Auto Dealers Must Meet Under FTC Safeguards

1. Dedicating a Qualified Individual

The Safeguards Rule requires each dealership to designate a Qualified Individual to oversee and implement its information security program. This individual does not need to be an employee of your dealership; they may work for a service provider you hire or for an affiliate. If you outsource the role, the dealership still retains responsibility for compliance and must designate a senior member of its own staff to direct and oversee the Qualified Individual. Select this person carefully, as they are accountable for ensuring your company protects customer data appropriately and adheres to the Safeguards Rule, and they must report in writing to your board or senior management at least annually on the state of the program. 

2. Assessing Risks to Your Dealership’s Data Security

Your dealership must also complete a risk assessment to determine what threats could compromise your customers’ data. This isn’t a cursory exercise: the assessment must be written and must set out defined criteria for identifying, evaluating, and categorizing security risks, for assessing the confidentiality, integrity, and availability of your systems and customer information, and for describing how each identified risk will be mitigated or accepted. Address both internal risks (for example, employees with more access than they need) and external ones (for example, attackers targeting your dealer management system). The findings form the basis of your information security program, and the assessment must be repeated periodically as your systems and the threat landscape change. 

3. Implement an Information Security Program

The information security program you design must address the risks you identified during your assessment. Fundamentally, this program must prevent unauthorized access to, disclosure of, or alteration of the sensitive customer information your dealership handles. You must also adjust the program as you monitor and test it, and whenever changes to your business or systems materially affect it, so that it stays effective. 

Some of the specific safeguards the updated rule requires your program to address include:

  • Identifying what customer data your dealership collects and stores, and inventorying the systems, devices, and locations that hold it.
  • Encrypting customer data both in transit over external networks and at rest. If encryption is not feasible in a particular case, the Qualified Individual may approve and document equally protective compensating controls instead.
  • Evaluating the security of any applications your dealership uses to store, transmit, or access customer information, whether developed in-house or purchased from a third party.
  • Implementing and periodically reviewing access controls so that each user can reach only the customer information they need for their role (least privilege).
  • Requiring multi-factor authentication for anyone accessing any information system that holds customer information, unless the Qualified Individual has approved in writing an equivalent or more secure control.
  • Logging and monitoring the activity of authorized users so that unauthorized access or misuse of customer information can be detected.
  • Securely disposing of customer information no later than two years after it was last used in connection with a product or service, unless you need to retain it for business operations or other legitimate purposes, or a legal requirement obliges you to keep it.

4. Regularly Reassess Your Program

The Safeguards Rule also requires dealerships to regularly test or monitor the effectiveness of the key controls in their information security program. The rule offers two ways to meet this obligation. The first is continuous monitoring of your systems, for example through a Security Operations Center or a Managed Detection and Response (MDR) service. If you do not have continuous monitoring in place, you must instead perform penetration testing at least annually and vulnerability assessments at least every six months, and repeat them whenever a change to your operations or systems could materially affect your program. 

Consequences of Non-Compliance

To ensure auto dealers meet these requirements, the FTC has put significant consequences in place for non-compliance. At the time of the cited source, a single violation could cost a dealership up to $46,517 in civil penalties⁴; the FTC adjusts this figure for inflation each year. Because each affected customer record or each day of non-compliance can count as a separate violation, a single gap can quickly become very costly for a dealership. 

There are also other risks associated with non-compliance. If your dealership suffers a data breach, you may face expensive litigation, state breach-notification obligations, and a severely damaged reputation. These costs are harder to put a precise dollar figure on, but they are significant nonetheless. 

Protect & Grow Your Business 

Protect your business by following the FTC Safeguards Rule, and stock your dealership with quality used inventory from ACV. ACV is an online car auction exclusively for dealers. Our transparent vehicle condition reports give dealers everything they need to know to bid confidently on inventory. Even better, ACV has no membership fees. It’s free to become a member; all you need is your dealer’s license to sign up.

Sources:

  1. Gramm-Leach-Bliley Act. The Federal Trade Commission. Retrieved August 15, 2023, from https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
  2. FTC Safeguards Rule: What Your Business Needs to Know. The Federal Trade Commission. Retrieved August 15, 2023, from https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know
  3. Fair, L. (15 November 2022). Compliance deadline for certain revised FTC Safeguards Rule provisions extended to June 2023. The Federal Trade Commission. Retrieved August 15, 2023, from https://www.ftc.gov/business-guidance/blog/2022/11/compliance-deadline-certain-revised-ftc-safeguards-rule-provisions-extended-june-2023
  4. Cleveland, C. (25 May 2022). A solution for complying with the revised FTC Safeguards Rule. ComplyAuto. Retrieved August 15, 2023, from https://www.madaonline.com/sites/default/files/MS%20AK%20AL%20TN_%20Solutions%20for%20the%20Revised%20Safeguards%20Rule.pdf