After one data breach after another, the FTC enforced its original Safeguards Rule, which took effect in 2003. Finding that companies were not living up to expectations, the FTC amended the Rule in October 2021 to remove any doubt about the minimum requirements. The new FTC Safeguards Rule sets out very specific requirements and processes that must be followed, with stiff penalties for non-compliance. The FTC has also made it very clear that “automobile dealerships” must comply, just as lenders, finance companies, and related finance companies must.
The Federal Trade Commission today announced it is extending by six months the deadline for companies to comply with some of the amendments to the FTC’s Safeguards Rule. Earlier this year, NADA submitted comments to the FTC seeking an extension of the deadline. The deadline for complying with some of the updated requirements of the Safeguards Rule is now June 9, 2023.
The provisions of the updated rule specifically affected by the six-month extension include requirements that covered financial institutions:
- designate a qualified individual to oversee their information security program,
- develop a written risk assessment,
- limit and monitor who can access sensitive customer information,
- encrypt all sensitive information,
- train security personnel,
- develop an incident response plan,
- periodically assess the security practices of service providers, and
- implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
Dealers are encouraged to continue in their efforts to expeditiously comply with all the new requirements of the Rule but should consult with their attorneys, service providers and IT professionals about the potential impact of this deadline extension.
The new provisions of the FTC Safeguards Rule take effect on December 9, 2022. In summary, the requirements are:
For smaller dealers, there may be a limited exception to certain provisions of the revised Rule. If a dealer maintains customer information concerning fewer than 5,000 consumers, then the dealer will not need to:
Smaller dealers need to be mindful that exceeding the 5,000 figure can easily happen and the burden will be on the dealer to prove the exception. There are many places where customer information may be warehoused, including:
Additionally, there are data and record retention requirements, so data and documents cannot be purged immediately. For example, credit applications must be retained for 25 months under the federal Equal Credit Opportunity Act (ECOA), but your document retention schedule should be at least 5 years so that it exceeds the time frame for bringing federal claims under the ECOA and the Fair Credit Reporting Act (FCRA). For credit applications alone, with a 5-year retention schedule it takes only 83.33 applications per month to exceed the 5,000 limit.
The FTC has made clear that if you do not have someone capable of implementing, overseeing, and enforcing your information security program, then you should hire someone. Also, if your vendors are not fulfilling their obligations or cooperating with assessments, you will need to find new vendors.
Most dealerships are wondering where to start. It begins with assembling a team that collaborates periodically to identify risks, assigns roles and responsibilities for mitigating those risks, and develops and adjusts the program. This team should consist of the dealership’s qualified individual, a compliance expert, and an IT expert, to ensure you are compliant and let you get back to what you do best – selling and servicing vehicles.