With a deadline of June 9, 2023 to comply with amendments to the FTC Safeguards Rule, now is the time to get crystal clear on what’s required. Unfortunately, though, automotive dealerships seem to lack clarity on these requirements. One recent survey found that only 35% of dealerships fully comprehend the new rules, while just 50% have made adequate preparations to comply.
Changes to existing data privacy rules or the introduction of new laws almost always cause a degree of misunderstanding among those who need to comply. Whether the difficulty lies in navigating complex legal terms to understand what’s actually expected, implementing big changes that you’re not sure how best to approach, or not being totally sure if the law applies to you, this article aims to reduce confusion, refresh you on the Safeguards Rule’s key points and point you toward some more resources on the topic.
The Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA), which came into law in 1999. GLBA reformed the U.S. financial services sector by, among other things, implementing stricter governance over the collection and disclosure of customers’ personal financial information by non-banking financial institutions.
The Safeguards Rule, which came into law in 2003, made it mandatory for such institutions to design, implement and maintain information security safeguards. The mandated safeguards were fairly non-specific, and they included creating an information security program, designating responsibility for that program and conducting a risk assessment, followed by implementing appropriate mitigation measures.
Some examples of non-banking financial institutions are:
Since banks, federal credit unions and savings/loan institutions are all outside the jurisdiction of the FTC, the Safeguards Rule doesn’t apply to them. As for auto dealerships specifically, you must comply if your dealership extends credit to someone in connection with the purchase of a car, arranges for someone to finance or lease a car or provides financial advice to an individual.
Interestingly, despite a vastly changing cyber threat landscape, the Safeguards Rule remained unchanged for almost 20 years until the FTC issued a set of amendments in December 2021. This set of amendments addresses the higher risks to customers’ personal information in an increasingly digital world that sees more cyberattacks than ever against financial institutions.
The changes also overcome some of the shortfalls of the original Safeguards Rule, particularly in terms of its lack of specificity in some important details about information security program requirements.
Termed the Final Rule, the new set of amendments to the FTC Safeguards Rule becomes effective on June 9, 2023. Here is a reminder of the key changes that you must prioritize, with an emphasis on the protections deemed essential by the FTC as part of a modern information security program that best protects customer information.
While this list acts as a refresher on the crux of what’s required, there are other important rule changes. For a more comprehensive breakdown, including a full checklist for getting compliant with the new rules, check out our FTC Safeguards Rule Dealership Guide.
The consequences of non-compliance with regulations are often hefty, and they can be both monetary and legal. There are also reputational impacts to consider, especially when 59% of auto shoppers now choose a dealer based on reputation. Non-compliance with the Safeguards Rule is highly likely to draw negative media publicity and damage a company’s reputation.
But for now, let’s look at the monetary costs of non-compliance. While each case is viewed uniquely, the maximum fine is $11,000 per day for each rule breach occurrence. There can be additional penalties added on top of this depending on the negligence involved.
Compliance with any sweeping new legislative change is understandably a stressful experience that also comes with high stakes and high costs! If you’re an automotive dealer, navigating these complex changes alone is not your only option.
Nuspire’s managed security services include an FTC Safeguards Package. This package gives you access to security and compliance experts who can help implement the assessments, policies and procedures templates, training and mandatory services you need to comply with the updated rules.