The repercussions of identity theft are disruptive and costly, which is why the Federal Trade Commission (FTC) implemented the Safeguards Rule in 2003. The rule requires “financial institutions” - including automobile dealers under the FTC's definition - to develop, implement and maintain a comprehensive information security program (ISP) to keep their customers' information safe.
The FTC reported a 73% year-over-year increase in identity theft from 2019 to 2020.* With rocketing statistics and major data breaches - including one involving Equifax that impacted approximately 147 million Americans - the FTC launched an initiative to reassess the Safeguards Rule. In 2019, the Commission sought public comment on proposed changes and held a workshop on those proposals during the summer of 2020.
After two years of public consideration, in a controversial 3-2 vote with Commissioners Noah Joshua Phillips and Christine S. Wilson dissenting, the FTC announced significant changes to the Safeguards Rule that every dealer needs to know. The FTC's Oct. 27, 2021, official notice with the updated Safeguards Rule is 145 pages long, but I'll summarize the major changes that may impact your dealership.
Most of them involve specific criteria that you must incorporate into your ISP. Dealers have always been required to develop their program based on a risk assessment that identifies potential improper access points to consumer information, but now the risk assessment must be in writing and include the following:
The updated Safeguards Rule also requires financial institutions to implement specific safeguards into their ISPs, including:
The changes to the Safeguards Rule will also require your dealership to:
If there's a silver lining, the FTC included a “small business exemption” for financial institutions that maintain customer information concerning fewer than 5,000 consumers. However, it only applies to certain requirements. If your dealership qualifies for the exemption, you won't have to complete a written risk assessment, prepare incident response plans or complete the annual reporting requirements.
The new rules create additional layers of compliance, which of course will cost money, a point I made to the FTC in official comments and in conversations with FTC officials. Most of the new Safeguards Rule requirements go into effect Oct. 27, 2022. In the interim, dealers should conduct a thorough assessment of their existing information security programs.
What do you need to do to comply with the changes? You may need assistance from an IT professional. However, that expense may be cheaper than the hefty fines the FTC will levy for noncompliance - or worse, what a class action attorney may get in damages if there's a data breach associated with your dealership.
Shaun Petersen is the Executive Vice President and Chief Legal Officer at Buckeye Dealership Consulting. He can be reached at 330-726-9030.