MYTH #1: FTC ENFORCEMENT IS MORE LENIENT TODAY

When we compared full-term FTC enforcement activity in the auto industry between the current administration’s first term and the past administration, we found nearly identical numbers:

• Current Administration: 19 enforcement cases involving the auto industry.
• Past Administration: 20 cases.

The same pattern holds when we zoom out to FTC enforcement across all industries:

• Current Administration: 925 total FTC enforcement actions.
• Past Administration: 926 actions.

This shows no meaningful difference in enforcement volume or intensity between administrations. Regardless of changes in leadership, the FTC has remained active in pursuing consumer protection violations — including those tied to cybersecurity and data handling.

MYTH #2: A SECOND TRUMP TERM WILL BRING IMMEDIATE DEREGULATION

Some in the industry believed that a second Trump term would quickly reduce or delay enforcement of the Safeguards Rule. But enforcement patterns during the first 100 days of each term suggest otherwise.

• In the first 100 days of Trump’s second term (2025): 2 enforcement actions in the auto industry.
• Biden’s first term (2021): 0 actions in the auto industry.
• Across all industries:
  » Current Administration: 49 FTC enforcement actions.
  » Past Administration: 51 FTC enforcement actions.

Again, the numbers are virtually identical. The FTC has proven to be a nonpartisan enforcement body — continuing its oversight work no matter the political landscape.

THE REAL ENFORCEMENT MECHANISM: BREACH REPORTING

One reason some dealerships downplayed the risk of FTC enforcement is that, historically, few enforcement actions have directly cited the Safeguards Rule. However, that changed in May 2024, when a new FTC breach notification requirement took effect. This rule mandates that covered entities — including auto dealerships — must notify the FTC within 30 days of discovering certain security breaches involving customer information.
This change created a built-in enforcement mechanism. If a dealership suffers a qualifying breach and fails to report it, they are now subject to regulatory scrutiny, not based on a random audit, but due to a failure to comply with a mandatory disclosure requirement. Insult on top of injury for a breached dealership.

THE FAQ THAT RAISED EYEBROWS

In May 2025, the FTC published a new FAQ addressing common questions about the Safeguards Rule, including which businesses are covered, how to meet encryption standards, and what a written information security program should include.

While the agency hasn’t published any formal cases against auto dealerships under the Safeguards Rule, the timing of this FAQ was notable given that we saw several dealerships fall victim to ransomware attacks within the past year. It came almost exactly one year after the CDK Global ransomware attack, which disrupted operations at over 15,000 dealerships nationwide.

Though the FTC has not stated that the FAQ was issued in response to events like these, it’s reasonable to interpret the publication as a proactive reminder: Dealerships are still very much subject to the Safeguards Rule, and enforcement may simply be a matter of time.

STATE LAWS: THE HIDDEN THREAT TO NONCOMPLIANT DEALERS

Even if federal enforcement seemed to pause — again, the data doesn’t support that — it wouldn’t mean dealers are in the clear. As of July 2025, 19 U.S. states have passed comprehensive data privacy or cybersecurity protection laws, with most others having some sort of basic protection laws for residents, and many industry-specific ones at the state level. More states are introducing bills every year, and these laws increasingly apply to businesses that collect consumer or employee data.

Just weeks ago, Oregon proposed an amendment targeting cybersecurity and data protection responsibilities within the auto industry, starting with manufacturers but potentially extending accountability to dealers.
This is a trend worth watching, especially as many of these state laws carry private right of action provisions, enabling consumers to file lawsuits independently of government enforcement.

LITIGATION RISK: CLASS ACTIONS AND RANSOMWARE FALLOUT

In several high-profile ransomware cases affecting dealerships over the past year, we’ve seen a sharp rise in class action lawsuits filed not only by consumers but also dealership employees whose personal information (including Social Security numbers) was exposed. Even when regulators don’t act, civil litigation can be financially devastating.

Cybercriminals are increasingly aware of Safeguards Rule requirements and use them to their advantage. In some cases, attackers have threatened to report noncompliant victims to authorities if ransom demands aren’t met. While this tactic hasn’t been widely seen in auto retail yet, it’s a known trend in other industries and further underscores the importance of timely breach reporting.

A PRACTICAL PATH FORWARD

Fortunately, there is good news. Most federal and state data protection rules overlap significantly. The FTC Safeguards Rule, state privacy laws and even consumer litigation risk