Regulatory Update: Amendments to FTC Safeguards Rule

Impacts to Auto Dealerships


Over the last month, the Mercer Capital Auto Team attended several October meetings with the Tennessee Automotive Association.  The featured presentation by ComplyAuto discussed the features of the Federal Trade Commission’s (“FTC”) Safeguards Rule (“Safeguards Rule” or “Rule”) and the amendments with which dealers must comply by early December 2022.  In previous posts, we have discussed advancements in auto retailing and vehicles and how added technology brings added risks to cybersecurity and the protection of customer information. This post discusses the FTC Safeguards Rule and what auto dealers and their advisors need to know.

What Is the FTC’s Safeguards Rule?

The official title of the Safeguards Rule is “Standards for Safeguarding Customer Information.”  The original Rule took effect in 2003 and was intended to ensure that entities covered under the Rule maintained safeguards to protect the security of customer information.  Few changes were made to the Rule since 2003 until the FTC’s proposed amendments in December 2021.  These amendments sought to make changes to the original Rule to keep up with advancements and changes in technology.  More importantly, qualified businesses must comply with the FTC’s Safeguards Rule by December 9, 2022.

Why Does the FTC Safeguards Rule Impact Auto Dealerships?

The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction that are not subject to the enforcement of a separate authority or regulator under Section 505 of the Gramm-Leach-Bliley Act.  Further, the Rule defines a financial institution as “any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities.”  While on its face this appears to be speaking primarily about banks or other similar financial institutions, Section 314.2(h) explicitly cites auto dealerships as an example of a financial institution given the nature of their lease and purchase transactions and their participation in the financing activities of those transactions.


NADA estimates that auto dealerships could face up-front costs of up to $294,000 per rooftop to comply with the Safeguards Rule, with additional ongoing costs in the neighborhood of $277,000 annually.  These numbers may seem staggering at first, but what are the costs of not complying?  The NADA estimates the average fine for a violation under the Rule is $47,000.  While this number appears steep, it is also unclear how the FTC would view a security breach.  In other words, if a security breach compromised the personal/financial information of multiple consumers, would that be one violation, or would each consumer breached be a separate violation?  If the latter occurs, fines could quickly escalate into the high six digits for a more significant volume breach.  This ambiguity makes it more impactful for dealerships that might otherwise “risk” the possibility of a $47,000 fine compared to annual costs of $277,000, not to mention the upfront costs.

The Safeguards Rule is meant to work in tandem with consumer privacy rights and policies enforced by state attorneys general and the FTC.  All 50 states have enacted some form of state cybersecurity requirement, such as data breach laws, with some instituting specific cybersecurity laws.

What Are the Guidelines Under the FTC Safeguards Rule?

Rule 1 – Four Written Policies

Auto dealers are required to adopt, maintain, and adhere to four written policies:  data retention plan, incident response plan, information security plan, and IT change management procedures.  These policies must be written and appropriately sized for the complexity of your auto dealership business, the nature and scope of your business activities, and the sensitivity of the information at issue.  These written policies should aim to ensure the security and confidentiality of customer information, protect against anticipated threats or hazards to the security and integrity of that information, and protect against unauthorized access to information that could lead to substantial harm or inconvenience to any customer.  To comply with the information security plan, auto dealerships should have a designated/qualified individual to implement and supervise the company’s information security program.

Rule 2 – Annual Risk Assessment 

On an annual basis, auto dealerships must complete a formal risk assessment to determine foreseeable risks and threats – both internally and externally – to protect customers’ information security, confidentiality, and integrity.  Compliant assessments will also document attempts to mitigate these threats and any updates to the four written policies in Rule #1 resulting from items discovered during the annual risk assessment.

Rule 3 – Annual Employee Security Awareness Training

An auto dealership’s security program is only as effective as its least vigilant staff member.  All employees must be trained on overall awareness as well as the specific components of your information security program, policies, procedures, and safeguards.  Further, the Rule insists on specialized training for those employees, affiliates, and providers with hands-on responsibility for carrying out your dealership’s information security program.

Rule 4 – Phishing and Social Engineering Simulations

As part of the new amendments, the FTC Rule requires dealerships to test their employees’ susceptibility to social engineering and phishing scams.  In other words, how likely are your employees to fall for these phishing scams?  Would regular testing and simulations give the dealer principal an idea of how easily or frequently these threats could become reality?  Hopefully, regular simulations would also raise employees’ awareness that such threats exist daily.

Rule 5 – Service Provider Contracts

During a lease or purchase transaction, auto dealerships may require service providers that access non-public personal information (“NPI”) to sign a specific contract whereby they also promise to adopt and adhere to reasonable safeguards.  Dealers will want to establish or work with pre-vetted contracts signed by their vendors and must be mindful of built-in e-sign functionality to increase efficiency with vendors.

Rule 6 – Annual Service Provider and Risk Assessments

Dealers must select service providers with the skills and experience to maintain appropriate safeguards.  Under the Rule, dealers are actually required to assess and monitor their service providers for continued adequacy of safeguards, even when that can often be accomplished through a security questionnaire or checklist.  Dealers should consider periodic reassessments of their service providers to ensure safeguards are maintained.

Rule 7 – Annual Penetration Test and Bi-Annual Vulnerability Scans

Dealers are required to perform annual internal penetration testing of their networks to simulate internal and external hacking.  To comply with the Rule, they must also perform biannual vulnerability assessments for known exploits.  As part of the total ongoing costs estimated earlier in this blog, NADA estimates that the average cost of an annual penetration test is $23,000.  This cost could be increased by the number of individual rooftops that a particular dealer owns, which could rise significantly for bigger private auto groups.  In addition, dealers should test whenever there are material changes to their operations or business arrangements or when they know circumstances may have occurred that could have a material impact on their information security system.

Rule 8 – Device, Data & Systems Inventory

Dealers are required to perform a regular inventory of their data and systems.  Inventory procedures would include identifying all data in their possession, tracking where the data is collected and by which vendor and system, and understanding how the data is stored and transmitted.  Has your dealership added a new server?  Because systems, networks, and operations like this constantly change, an auto dealer’s safeguards cannot remain static.

Rule 9 – Annual Report to the Board of Directors

Auto dealers must submit a regular written report to the Board of Directors or governing body.  If your dealership does not have a Board of Directors, the report must go to a senior officer responsible for the information security program.  Ideally, the report would be written and delivered by the qualified individual established to run your information security program in Rule #1.  The report should include the overall assessment of your dealership’s compliance with its information security program and would discuss test results and responses to threats, including any amendments or changes to the dealership’s written policies.

What Additional Guidelines Does the Rule Require Concerning Advanced Cybersecurity and Device Protection?

Rule 10 – Intrusion and Attack Detection

The FTC Safeguards Rule, along with most OEMs and cybersecurity insurance carriers, will require that dealers have an established system to detect intrusions and attacks on their networks.

Rule 11 – User and Employee Monitoring and Logging

Dealers must have a security system that restricts how users and employees log into and use their information security system.  Dealers must be able to detect who is on the system at all times while detecting and preventing unauthorized access, sharing, use of, and tampering with customer information.

Rule 12 – Device Encryption

Throughout auto dealerships’ operations, employees utilize devices such as laptops, tablets, and mobile devices–all of which contain customer information.  The Rule requires that the hard drives of each of these devices be encrypted.  However, compliance with these terms can become complicated with the increase of remote employees and remotely-enabled devices.

Rule 13 – Multi-Factor Authentication (“MFAs”)

Dealers must implement multi-factor authentication on any system used to access customer information, including device-level MFAs.  Specifically, the Rule requires at least two of these authentication factors:  a knowledge factor (such as a password) and an inherence factor (such as biometric characteristics like a fingerprint, facial features, face recognition, etc.).

Conclusions

The clock is ticking for auto dealers unaware of the FTC’s new amendments to the Safeguards Rule and the compliance deadline of December 9, 2022.  With changes to existing and emerging technology, protecting private/confidential consumer information becomes more critical.  Cybersecurity and hacking threats seem to multiply every day.  Could your dealership be next?  Have you taken the necessary steps to bolster your information security programs?  If your auto dealership is not compliant with the FTC’s Safeguards Rule, seek a professional vendor to assist you in this area.

Mercer Capital provides business valuation and financial advisory services, and our auto team helps dealers, their partners, and family members understand the value of their business.  Contact a member of the Mercer Capital auto dealer team today to learn more about the value of your dealership.