Attention car dealerships: If your business handles sensitive customer information, it's crucial to understand the new requirements under the FTC’s Gramm-Leach Bliley Safeguards Rule. As of May 13, 2024, an amendment mandates reporting certain data breaches and security events to the FTC. Here's what you need to know to stay compliant and protect your customers.

Understanding the Safeguards Rule:

The Safeguards Rule is designed to ensure businesses protect the security and confidentiality of nonpublic personal information. The FTC has updated this rule to keep pace with technological advancements and current security challenges. For car dealerships, this means new obligations to report data breaches affecting customer information.

Who Needs to Comply?

Car dealerships fall under the category of financial institutions subject to the FTC’s jurisdiction. This broad definition includes any business handling customer financing details, loan applications, or other personal financial information. Your dealership is likely covered if you deal with this type of data.

For more information, refer to FTC Safeguards Rule: What Your Business Needs to Know.

New Safeguards Rule Notification Requirements:

As of Monday, May 13, 2024 car dealerships must comply with the Safeguards Rule notification requirement. Dealers must report to the FTC within 30 days of discovering a security breach affecting 500 or more consumers. A breach is defined as unauthorized access to unencrypted customer information, or when an unauthorized person obtains the encryption key. Read more about the notification requirements going into effect here.

How to Report:

The FTC has made the reporting process straightforward. Use their new online form, which clearly outlines the information required:

• Name of the affected dealership

• Contact person details

• Start and end dates of the breach

• Number of consumers affected

• Types of information involved

• Summary of the breach event

• Law enforcement delay requests (if applicable)

Access the form here.

Ensuring Compliance:

While the Safeguards Rule is essential, it’s not a substitute for other federal and state regulations. Make sure your dealership meets all relevant legal obligations to protect consumer information effectively. Regularly review your data protection policies and update them as needed to stay compliant and secure.

Staying ahead of regulatory changes is critical for car dealerships. By understanding and complying with these rules, you can help ensure your dealership's continued success.

Today's topic: the latest update to the Safeguards Rule - Self Reporting. Dealerships must now self-report data breaches or unauthorized disclosures to the FTC.

Today’s topic is the latest revision to the revised Safeguards Rule - Self Reporting.

The Latest Update to the Safeguards Rule - Self-Reporting

As you recall, in December of 2021 the Federal Trade Commission published its revised and expanded Safeguards Rule. It went into effect on January 10th, 2022, but, owing to its complexity, the FTC delayed enforcement of its provisions until December 10th, 2022. Then, in November of ‘22, the FTC delayed enforcement of about half of the Rule’s requirements until June 9th of 2023. By now, all aspects of the revised Safeguards Rule are enforceable, but that’s not the big news.

The big news is that the FTC revised the revisions in late 2023; those changes will go into effect in 2024. The change we’re talking about is the new requirement for companies covered by the Rule – and that includes most dealers – to self-report certain data breaches or unauthorized disclosures of customer information to the FTC.

What is a Notification Event?

The data losses that must be reported are called “notification events.” A notification event is the “unauthorized acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” This is broader than a data breach by professional hackers, though that is, obviously, covered. The key is not who obtained the customer information, but that the customer did not authorize the disclosure.

So, if a dealership intentionally shares customer data with a third party without the customer’s authorization, that is a “notification event,” and the dealership must report that to the FTC. That list of data-leaking dealerships will be publicly available, which, it is  reasonably feared, will be regularly reviewed by the plaintiff’s bar. Some people are therefore calling it the “Sue Me” list.

Note that “customer information” includes, but is broader than, “non-public personal information,” or “NPI.” Just the fact a person is a customer of the dealership would be covered, as well as any information collected from the dealership’s website through the use of cookies.

When must I self-report?

Self-reporting must happen within 30 days of discovery of the notification event, and there are no exceptions to this rule. A law enforcement agency, however – not the dealership - may request the FTC to not publish a particular breach if it would negatively impact an investigation. That delay is limited to 30 days, although there is the possibility of extending that delay for an additional 60 days.

The requirement of self-reporting is limited to notification events involving 500 or more customers. Also, note that it only covers data that has not been encrypted. Because the revised Safeguards Rule requires all customer information to be encrypted in transit and at rest, you have little to worry about with respect to data breaches if you’re already complying with the Rule. And if you’re not already completely complying with the Safeguards Rule, get with the program. This new wrinkle makes it easier to sue noncompliant dealerships, and probably increases the odds of punitive damages.

If your dealership is already complying with the Safeguards Rule, your greatest exposure may be from voluntarily sharing data for which you lack express authorization. Now might be a good time to review your Privacy Policy Notice and website cookie policy.

As always, consult your local counsel – this is an important change.

What lies ahead for retail automotive compliance?

At the NADA Show 2024, Demetrios Lahiri had the opportunity to sit down with compliance experts James Ganther, Scott Clay, and Gil Van Over III to delve into the latest compliance trends shaping the automotive landscape. Here's a glimpse into the insightful discussions and key takeaways.

Regulatory Reboots

The conversation kicked off with a discussion on regulatory reboots, particularly focusing on the FTC's CARS Rule. Despite its current status on hold, dealerships are advised to stay vigilant and prepare for potential changes in advertising, training, and contractual practices. Scott Clay emphasized the Rule's intentions, aiming to provide a level playing field for dealers to market their offerings while mitigating issues caused by non-compliant practices among a few "bad apples" in the industry.

Tech Takes the Wheel

Another significant trend highlighted by the experts is the increasing role of technology in reshaping retail automotive compliance. The industry is experiencing rapid digitization, with traditional paper-based processes being phased out in favor of advanced digital systems. Gil Van Over pointed out that the presence of pen and paper in dealership operations often signals underlying compliance issues. Leveraging digital solutions not only enhances transparency and efficiency but also streamlines compliance efforts, ensuring adherence to regulatory requirements in an increasingly complex landscape.

Trends in Retail Automotive Compliance

As the automotive industry continues to evolve, staying abreast of these emerging compliance trends is paramount for dealerships striving to uphold ethical standards, foster consumer trust, and navigate regulatory complexities effectively. By embracing technological advancements and remaining proactive in anticipating regulatory changes, industry players can position themselves for success in an ever-changing marketplace.

Are you looking for a partner in your dealership's compliance journey? Click below to learn more about all that Mosaic Compliance Services has to offer.