Today's topic: the latest update to the Safeguards Rule - Self Reporting. Dealerships must now self-report data breaches or unauthorized disclosures to the FTC.
The Latest Update to the Safeguards Rule - Self-Reporting
As you recall, in December of 2021 the Federal Trade Commission published its revised and expanded Safeguards Rule. It went into effect on January 10th, 2022, but, owing to its complexity, the FTC delayed enforcement of its provisions until December 10th, 2022. Then, in November of 2022, the FTC delayed enforcement of about half of the Rule’s requirements until June 9th of 2023. By now, all aspects of the revised Safeguards Rule are enforceable, but that’s not the big news.
The big news is that the FTC revised the revisions in late 2023; those changes will go into effect in 2024. The change we’re talking about is the new requirement for companies covered by the Rule – and that includes most dealers – to self-report certain data breaches or unauthorized disclosures of customer information to the FTC.
What is a Notification Event?
The data losses that must be reported are called “notification events.” A notification event is the “unauthorized acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” This is broader than a data breach by professional hackers, though that is, obviously, covered. The key is not who obtained the customer information, but that the customer did not authorize the disclosure.
So, if a dealership intentionally shares customer data with a third party without the customer’s authorization, that is a “notification event,” and the dealership must report it to the FTC. The FTC will make the list of reporting dealerships publicly available, and it is reasonably feared that the plaintiffs’ bar will review that list regularly. Some people are therefore calling it the “Sue Me” list.
Note that “customer information” includes, but is broader than, “non-public personal information,” or “NPI.” The mere fact that a person is a customer of the dealership would be covered, as would any information collected from the dealership’s website through the use of cookies.
When must I self-report?
Self-reporting must happen within 30 days of discovery of the notification event, and there are no exceptions to this rule. A law enforcement agency, however – not the dealership – may request that the FTC not publish a particular breach if publication would negatively impact an investigation. That delay is limited to 30 days, although it may be extended for an additional 60 days.
The requirement of self-reporting is limited to notification events involving 500 or more customers. Also, note that it only covers data that has not been encrypted. Because the revised Safeguards Rule requires all customer information to be encrypted in transit and at rest, you have little to worry about with respect to data breaches if you’re already complying with the Rule. And if you’re not already completely complying with the Safeguards Rule, get with the program. This new wrinkle makes it easier to sue noncompliant dealerships, and probably increases the odds of punitive damages.
If your dealership is already complying with the Safeguards Rule, your greatest exposure may be from voluntarily sharing data for which you lack express authorization. Now might be a good time to review your Privacy Policy Notice and website cookie policy.
As always, consult your local counsel – this is an important change.