This past October, the Federal Trade Commission (“FTC”) announced final amendments to the Safeguards Rule of the Gramm-Leach-Bliley Act. Although the amendments will not become effective until October 27, 2022, the new requirements are likely to be costly, so it is imperative that dealers begin to prepare. Many dealers will want to add services to their existing data security vendor agreements, or put such a vendor in place if they do not already have one. It is also important to consult legal counsel for specific guidance regarding proper compliance.
As you are likely aware, motor vehicle dealers are considered “non-banking financial institutions” by the FTC and are therefore subject to the Safeguards Rule. The new amendments to the FTC Safeguards Rule require non-banking financial institutions like dealerships to implement a comprehensive security system to keep customer information safe. Any and all sensitive consumer data that you collect must be protected.
According to attorneys Paul R. Norman and Sarah J. Horner, the amendments to the FTC Safeguards Rule impose more specific requirements on motor vehicle dealers as follows:
- address specific topics in risk assessments and produce a written report about those assessments;
- include particular issues in a safeguarding plan, such as encryption, secure development practices, multi-factor authentication, and information disposal procedures (among others);
- adopt measures for one qualified individual to oversee the effectiveness of the safeguarding plan, employee training, and services from external providers;
- provide periodic reports to certain boards of directors and governing bodies.
The annual costs of compliance may be substantial. According to a study by the National Automobile Dealers Association (NADA), dealerships may incur upwards of $276,000 in additional costs each year. NADA has produced a helpful guide for dealers that members can download here.