

On Tuesday, November 15th, the FTC postponed enforcement of some, but not all, of the requirements of the revised Safeguards Rule. While you may be tempted to pause your compliance efforts, this extension was granted with dealers in mind who have already been working on compliance for 12 months, not those who have yet to begin the process. As a result, we urge all dealers to take action now, and here’s why:

  1. Many of the Rule’s most critical requirements are still due on December 9th. Cybersecurity measures such as continuous monitoring, security awareness training, and a written information security program must be in place. Failing to implement these foundational elements will leave your dealership exposed to cyber-attacks and in violation of the law – leading to potential class action lawsuits should the noncompliance be discovered.

  2. The key requirements that were postponed (MFA, Encryption, and Service Provider oversight) may take the most time to implement. Having breathing room is nice, but collecting service provider agreements and migrating email platforms to enable MFA and encryption take months, not days.

  3. Finally – these safeguards protect you, the dealer, and your clients. There is no upside to your network being hacked or firing employees for clicking that phishing email that led to a breach. As CDK outlined in its annual report, the cost of a ransomware payout increased 17x in 2021, averaging $220,298 per incident and 16 days of downtime.

For these reasons and the fact that it’s the law, we urge every dealer to comply now. Reduce your risk of breaches, lawsuits, and financial loss, and let’s get back to selling cars.

What you need at a minimum to comply by December 9th:

  • Security Awareness Training for Employees

  • Continuous Monitoring

  • Unauthorized Activity Monitoring

  • Systems Monitoring and Logging

  • Data and Systems Inventory

  • Written Information Security Program

  • Secure Development Practices

  • Secure Disposal Practices

  • Change Management Procedures

  • Annual Report


Many dealerships have diligently worked to update their Information Security Programs in 2022 to come into compliance with the revised Safeguards Rule by the December 9th deadline. On November 15, 2022, the FTC announced that the compliance deadline would be extended until June 9th, 2023 for certain provisions of the revised rule.


Provisions Included in the Extension


The following requirements of the revised Rule now do not need to be in place until June 9, 2023.

  • Designate a Qualified Individual

  • Creation of a Written Risk Assessment

  • Implement Access Controls for Sensitive Customer Information

  • Encryption for Sensitive Customer Information

  • Training for Security Personnel

  • Creation of an Incident Response Plan

  • Service Provider Oversight

  • Implementation of Multifactor Authentication


Provisions Still Required by the December 9th Deadline

  • Continuous Vulnerability Scanning

  • Data and Systems Inventory

  • Systems Monitoring and Logging

  • Continuous Monitoring

  • Unauthorized Activity Monitoring

  • All-Employee Security Awareness Training

  • Secure Development Practices

  • Safe Data Disposal Practices

  • Change Management Procedures

  • Written Information Security Program (WISP)

  • Written Annual Report


Dealerships should understand that although they now have more time to come into compliance with the revised Rule, implementation of a full Safeguards solution can take a month or more. Dealerships that have already begun the process should continue to roll out their programs. Dealerships that have not started the process should not delay.


Mosaic Cyber Security offers complete compliance with the revised FTC Safeguards Rule and has provided retail automotive compliance solutions for over 15 years. You can receive a tailored quote by filling out our Safeguards Status Questionnaire. In addition to satisfying all of the Rule’s requirements, Mosaic’s solution also allows you to pick and choose services a la carte. Our dedicated team will walk you through your custom roadmap, help set up your services, provide live support, and keep you on track so that you will achieve complete compliance on time!




Originally published in August 2021.


Today we’re going to talk about the Canary in the Mineshaft. Spoiler alert: it looks like that canary is dead.


Discriminatory Pricing


Today’s topic is prompted by an email message we received from an F&I agent in New England. He alerted us to the recent action by the Attorney General of Massachusetts, who delivered letters to at least two dealers in that state alleging that the dealers are “charging discriminatory, higher prices to Black and Latinx customers for goods and services sold” by the dealers, “as measured by the statistically significant higher markups Dealer charges Black and Latinx customers compared to white customers.”


This is interesting for several reasons. First of all, we’ve seen this movie before. This is exactly the language the CFPB used during the Obama Administration to justify its negative attitude towards finance reserve. Later in that administration, the CFPB used similar logic to indicate its interest in restricting discretionary pricing of F&I products.


Things have been quiet for about four years on that front, but this state-level enforcement action, essentially following the CFPB playbook, can be considered an indicator of things to come – a canary in the mineshaft, as it were.


Like the CFPB, the Massachusetts Attorney General’s office does not offer any actual proof of discrimination. As you recall, credit applications do not – cannot – indicate an applicant’s race. Race is not a legal consideration for making credit determinations, and shouldn’t be. But this means the Massachusetts AG is inferring each applicant’s race from proxies such as surname or address. In other words, Big Brother is guessing.


Discretionary Pricing


Discretionary pricing, whether in finance reserve or aftermarket products, is a fact of life in the retail automotive industry. Higher mark-ups above buy rate may be counterbalanced by trade allowance or F&I product purchases. A deal with a higher than average price for a vehicle service contract may have a higher trade allowance and thus a lower total cost and monthly payment. Facing potential liability because one variable is higher than the norm should give a prudent dealer pause. So what’s a dealer to do?


Model Policies


The National Automobile Dealers Association has crafted two model policy documents, one addressing mark-ups over buy rate in the finance arena, and the other dealing with voluntary protection products, or what we used to call F&I products. These policies are conservative and should provide a dealer with an excellent line of defense.


If your dealership has a higher risk tolerance, policies that permit an acceptable range of mark-up on rate, or profit on product, may be the way to go. Consult your local attorney and dealers association to see what options are out there.


But here’s the takeaway: When the canary in the mineshaft dies, it means there is danger for the miners. The recent action of the Massachusetts Attorney General suggests the gloves are off in that state, and this approach may reasonably be expected to spread to other states and to the federal level. If you don’t have policies and training in place that address discretionary pricing and its limits, now is the time to put them in place. The canary is already dead.
