OFFICIAL PUBLICATION OF THE GEORGIA AUTOMOBILE DEALERS ASSOCIATION

Pub. 1 2022 Issue 1


Headlights On The Law: Updated Safeguards rule – Dealers Must Comply by December 9, 2022

Franchise dealers face a variety of challenges in the current automobile market – the transition to electrification, supply chain constraints on vehicles and parts, inflation, rising interest rates, digital retailing, workforce development and an increase in catalytic converter theft – just to name a few.

As if those challenges are not enough, another requires immediate attention by GADA members: compliance with the FTC’s Updated Safeguards Rule.

The Safeguards Rule has been in effect for nearly 20 years. It is a federal data security rule that requires financial institutions, including dealers, to have measures in place (“safeguards”) to keep customer information secure. The original rule currently requires dealers to develop a system for safeguarding customer data but allows dealers flexibility in determining the size and scope of that system based on a dealer’s individual circumstances.

However, the new rule puts several additional requirements on businesses.

Why did the FTC update the Safeguards Rule?

There have been several high-profile data breaches in recent years. The updated Safeguards Rule puts the onus on businesses to do more to prevent future breaches.

When does the updated Safeguards Rule take effect?

While some parts of the Safeguards Rule have already taken effect, many of the requirements take effect on Dec. 9, 2022. Dealers must be in compliance by then.

What does the updated Safeguards Rule require?

A comprehensive analysis of the Rule’s many requirements is beyond the scope of this bulletin (and the author’s expertise). By way of a brief synopsis, the updated Rule requires dealers to:

  • Designate a qualified individual or service provider to oversee and implement an information security program;
  • Perform a data systems inventory – essentially an assessment of all systems, including not just DMS and CRM but also websites, computers, cell phones and vehicles in inventory;
  • Prepare a Written Risk Assessment periodically that categorizes security risks, assesses the adequacy of existing controls on information systems considering those risks, and details how the dealership will manage and mitigate those risks;
  • Develop a Written Information Security Plan that must ensure the security and confidentiality of customer information, protect against anticipated threats or hazards to the security or integrity of the system, and protect against unauthorized access to or use of customer information;
  • Prepare a Written Incident Response Plan to enable the company to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity or availability of customer information; and
  • Submit Written Reports to the Board of Directors or Senior Leadership of the dealership regarding the information security program and compliance.

In addition, dealers must implement technical requirements such as encryption, multi-factor authentication, system monitoring, penetration testing and vulnerability testing. Dealers must also develop procedures for monitoring access to and control of customer information, for the secure use of software programs, for disposing of old customer information, and for maintaining system integrity through personnel changes. Dealers are further required to train their employees on these new responsibilities and to monitor service providers who can access dealership systems to ensure their compliance.

If that all sounds daunting and expensive, it likely will be. But an ounce of prevention is worth a pound of cure, as the old saying goes. The potential costs of not complying include fines of over $46,000 per violation, a loss of cyber insurance, civil liability, and harm to business operations and reputation.

What Should You Do to Prepare?

Several resources are available to assist dealers with compliance. GADA Services recently partnered with ComplyAuto to help dealers implement these requirements. ComplyAuto conducted a webinar in August and GADA members were encouraged to attend. ComplyAuto’s website is located at https://complyauto.com.

In addition, NADA has developed materials and resources to help dealers understand their new obligations, including webinars, a set of FAQs, an Overview and Update and a Dealer Guide to the Updated FTC Safeguards Rule. These resources contain very useful information, and they are available to NADA members on NADA’s website at nada.org.

This article is for informational purposes only and is not intended to be legal advice. Dealers are advised to seek advice from dealership legal counsel or other competent professionals concerning individual dealership operations. The presentation of this article is not intended to encourage concerted action among competitors or any other action on the part of dealers that would in any manner fix or stabilize the price or any element of the price of any good or service.