Last week, the National Automobile Dealers Association filed a second set of comments in response to the Federal Trade Commission’s proposed changes to the Gramm-Leach-Bliley Act of 1999’s Safeguards Rule.
According to the FTC, the Safeguards Rule, which took effect in 2003, “requires financial institutions to develop, implement, and maintain a comprehensive information security program.” The FTC’s latest proposed rule change, which has been in development under both the Obama and Trump administrations, would update the rules to be incompliance with the Dodd-Frank Act of 2010 and the FAST Act of 2015, while requiring financial institutions to encrypt customer data, implement additional access controls to prevent security breaches, and require multi-factor authentication to access consumer data.
In the latest response to the rule proposal, NADA expressed support for both the broad goal of enhancing data security, and also for several specifics contained in the proposed rule change. However, the NADA letter did request that the FTC review the proposal and “conduct a thorough cost/benefit analysis” before implementing any changes. According to NADA, the rule change could cost dealers hundreds of thousands of dollars a year in both upfront and recurring costs.
NADA also requested that the FTC more thoroughly clarify what specific consumer data must be protected, and why it is necessary for institutions to do so. They also requested that the rule change expand and clarify the so-called “small business exemption,” which according to NADA only excludes institutions with 5,000 or fewer customer records from some of the proposed rule’s provisions. They also requested at least 12 months of lead time to comply with any rule changes, and at least 24 months for financial institutions to re-work past contracts and technical agreements with their current service providers.
WANADA thanks NADA for their hard work throughout this rulemaking proposal, starting with their first submission of comments back in 2019. According to NADA’s Regulatory Affairs Committee, there is currently no clear deadline for the FTC to act on this proposed rule.
Download Bulletin PDF